scotty86 Posted May 9, 2020

Hello,

concerning pages:
https://www.w3schools.com/php/func_mysqli_real_escape_string.asp
https://www.w3schools.com/php/php_mysql_prepared_statements.asp

Just dived a bit deeper into real_escape_string/prepared statements and was a bit shocked. real_escape_string does not escape the percent sign (%) or underscores (_). This is neither mentioned in the PHP documentation nor within the w3schools pages. This could cause vulnerabilities or unwanted behavior.

A very simplified example (never do this!):

```php
// $_POST["username"] = "%"
// real_escape_string leaves the LIKE wildcard untouched, so the pattern matches every row
$username = $mysqli_connection->real_escape_string($_POST["username"]);
$mysqli_connection->query("SELECT * FROM creditcards WHERE username LIKE '{$username}'");
```

Greetz
scotty86
Ingolme Posted May 9, 2020

That's not really a security threat since those characters cannot be used to change the functionality of a query. It will merely change the term you are searching for. It is up to you to escape those characters manually if you are going to use it in a LIKE query.

If mysqli_real_escape_string actually escaped percentage signs and underscores, a majority of queries would stop working or work incorrectly, as in these examples:

```php
// $conn is the open mysqli connection (procedural style needs it as the first argument)
$value = mysqli_real_escape_string($conn, '50%');
// SELECT * FROM table WHERE value = '{$value}'

$filename = mysqli_real_escape_string($conn, 'image_file.png');
// SELECT * FROM files WHERE filename = '{$filename}'
```
scotty86 (Author) Posted May 15, 2020

On 5/9/2020 at 7:58 PM, Ingolme said:

That's not really a security threat since those characters cannot be used to change the functionality of a query. It will merely change the term you are searching for. It is up to you to escape those characters manually if you are going to use it in a LIKE query. If mysqli_real_escape_string actually escaped percentage signs and underscores, a majority of queries would stop working or work incorrectly, as in these examples: $value = mysqli_real_escape_string($conn, '50%'); SELECT * FROM table WHERE value = '{$value}' $filename = mysqli_real_escape_string($conn, 'image_file.png'); SELECT * FROM files WHERE filename = '{$filename}'

I'm totally with you. I'm not saying these signs should be escaped by these functions, but it should be mentioned in the documentation of these functions, since it can lead to unwanted behavior/vulnerabilities. If I read "function escapes special characters in a string", I assume they are bulletproof against any special character.
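The point made in scotty86's opening example and in Ingolme's reply (escaping and prepared statements stop injection, but `%` and `_` stay live as LIKE wildcards and have to be escaped by hand) can be shown end to end. The example below is added here and is not code from the thread or from w3schools; it uses Python with the built-in sqlite3 module instead of PHP/mysqli so it runs offline, since the behaviour is a property of SQL `LIKE`, not of the driver. The `creditcards` table, the usernames and the `escape_like` helper are constructed for the example. In PHP the same manual escaping is `addcslashes($value, '%_\\')` before binding the parameter; MySQL treats backslash as the LIKE escape character by default (unless `NO_BACKSLASH_ESCAPES` is set), whereas SQLite has no default, so the `ESCAPE` clause is spelled out here.

```python
import sqlite3

# Constructed sample data standing in for the "creditcards" table in the
# original post. Note the two usernames that themselves contain LIKE
# metacharacters; they are the ones the escaping has to get right.
SAMPLE_USERS = ["alice", "bob", "al_ce", "50%off"]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table so the example needs no MySQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE creditcards (username TEXT, number TEXT)")
    conn.executemany(
        "INSERT INTO creditcards VALUES (?, ?)",
        [(u, f"card-of-{u}") for u in SAMPLE_USERS],
    )
    return conn


def escape_like(value: str, esc: str = "\\") -> str:
    """Escape LIKE metacharacters so a user-supplied value matches literally.

    The escape character itself is doubled first; otherwise a backslash in
    the input could neutralise the escape we put in front of a wildcard.
    """
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def lookup_naive(conn: sqlite3.Connection, username: str) -> list[str]:
    """Prepared statement with a bound parameter, but no wildcard escaping.

    This is immune to classic SQL injection (the value never becomes part of
    the SQL text), yet '%' and '_' inside the parameter still act as
    wildcards, exactly as with real_escape_string in the original post.
    """
    rows = conn.execute(
        "SELECT username FROM creditcards WHERE username LIKE ?", (username,)
    )
    return sorted(r[0] for r in rows)


def lookup_safe(conn: sqlite3.Connection, username: str) -> list[str]:
    """Same bound parameter, with the wildcards escaped and ESCAPE declared.

    The ESCAPE clause tells the database which character escape_like used;
    without it SQLite would treat the backslashes as ordinary characters.
    """
    rows = conn.execute(
        "SELECT username FROM creditcards WHERE username LIKE ? ESCAPE '\\'",
        (escape_like(username),),
    )
    return sorted(r[0] for r in rows)


def run_demo() -> dict[str, list[str]]:
    """Run the two lookups against the same attacker-controlled inputs."""
    conn = make_db()
    return {
        "naive_percent": lookup_naive(conn, "%"),       # every row leaks
        "safe_percent": lookup_safe(conn, "%"),         # nothing matches
        "naive_underscore": lookup_naive(conn, "al_ce"),  # also hits "alice"
        "safe_underscore": lookup_safe(conn, "al_ce"),    # only "al_ce"
        "safe_literal": lookup_safe(conn, "50%off"),      # legit value still found
    }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label:18} -> {result}")
```

The naive lookup is what a prepared statement gives you on its own: a single `%` from the request returns the whole table, and `al_ce` returns two accounts. The safe lookup applies the same escaping Ingolme describes, and the `ESCAPE` clause is the part that is easy to forget when porting code between databases.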