
PHP mysqli real_escape_string() Function


Hello,

concerning pages:

Just dived a bit deeper into real_escape_string/prepared statements and was a bit shocked. real_escape_string does not escape the percentage sign (%) or underscores (_). This is mentioned neither in the PHP documentation nor on the w3schools pages. This could cause vulnerabilities or unwanted behavior.

A very simplified example (never do this!):

$username = $mysqli_connection->real_escape_string($_POST["username"]); // $_POST["username"] = "%"
$mysqli_connection->query("SELECT * FROM creditcards WHERE username LIKE '{$username}'");

Greetz
scotty86


That's not really a security threat, since those characters cannot be used to change the functionality of a query. It will merely change the term you are searching for. It is up to you to escape those characters manually if you are going to use it in a LIKE query.

If mysqli_real_escape_string actually escaped percentage signs and underscores, a majority of queries would stop working or work incorrectly, as in these examples:

// $mysqli is an open mysqli connection; the procedural form takes it as its first argument
$value = mysqli_real_escape_string($mysqli, '50%');
SELECT * FROM table WHERE value = '{$value}'

$filename = mysqli_real_escape_string($mysqli, 'image_file.png');
SELECT * FROM files WHERE filename = '{$filename}'
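The LIKE-wildcard behaviour discussed in this thread, as an added example that is not part of the original posts. Python with an in-memory SQLite database stands in for PHP/mysqli and MySQL here, because the issue lives in SQL's LIKE operator rather than in the escaping function: parameter binding (or real_escape_string) stops the string from breaking out of the query, but % and _ still act as wildcards until they are escaped separately. The escape_like() helper and the sample usernames are constructed for this demo; MySQL's LIKE uses backslash as its escape character by default, SQLite needs the ESCAPE clause spelled out.

```python
import sqlite3

# Constructed sample data standing in for the thread's "creditcards" table.
SAMPLE_USERS = ["alice", "bob", "carol_smith", "100%legit"]


def escape_like(value: str, esc: str = "\\") -> str:
    """Escape LIKE wildcards (% and _) and the escape character itself.

    real_escape_string() deliberately leaves % and _ alone, so this step has
    to happen before the value is used as a LIKE pattern. The escape char is
    doubled first so that a backslash in the input cannot un-escape a wildcard.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(u,) for u in SAMPLE_USERS])
    return conn


def lookup_naive(conn: sqlite3.Connection, username: str) -> list[str]:
    """Bound parameter: no SQL injection, but wildcards in the input still match."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ORDER BY username",
        (username,))
    return [r[0] for r in rows]


def lookup_escaped(conn: sqlite3.Connection, username: str) -> list[str]:
    """Wildcards neutralised: the pattern matches only the literal username."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\' ORDER BY username",
        (escape_like(username),))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(lookup_naive(db, "%"))          # every row comes back
    print(lookup_escaped(db, "%"))        # [] - nobody is literally named "%"
    print(lookup_escaped(db, "100%legit"))
```

In PHP the same escape_like() step goes before bind_param() on the prepared statement; with MySQL the ESCAPE clause can be omitted since backslash is the default.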

On 5/9/2020 at 7:58 PM, Ingolme said:

That's not really a security threat, since those characters cannot be used to change the functionality of a query. It will merely change the term you are searching for. It is up to you to escape those characters manually if you are going to use it in a LIKE query.

If mysqli_real_escape_string actually escaped percentage signs and underscores, a majority of queries would stop working or work incorrectly, as in these examples:


// $mysqli is an open mysqli connection; the procedural form takes it as its first argument
$value = mysqli_real_escape_string($mysqli, '50%');
SELECT * FROM table WHERE value = '{$value}'

$filename = mysqli_real_escape_string($mysqli, 'image_file.png');
SELECT * FROM files WHERE filename = '{$filename}'


I'm totally with you. I'm not saying these signs should be escaped by these functions, but it should be mentioned in the documentation of these functions, since it can lead to unwanted behavior/vulnerabilities. If I read "function escapes special characters in a string", I assume they are bulletproof against any special character.
