PHP mysqli real_escape_string() Function


scotty86

Hello,

concerning pages:

Just dived a bit deeper into real_escape_string/prepared statements and was a bit shocked. real_escape_string does not escape the percent sign (%) or the underscore (_). This is neither mentioned in the PHP documentation nor within the w3schools pages. This could cause vulnerabilities or unwanted behavior.

A very simplified example (never do this!):

$username = $mysqli_connection->real_escape_string($_POST["username"]); // $_POST["username"] = "%"
$mysqli_connection->query("SELECT * FROM creditcards WHERE username LIKE '{$username}'");

Greetz
scotty86


That's not really a security threat since those characters cannot be used to change the functionality of a query. It will merely change the term you are searching for. It is up to you to escape those characters manually if you are going to use it in a LIKE query.

If mysqli_real_escape_string actually escaped percentage signs and underscores, a majority of queries would stop working or work incorrectly, as in these examples:

$value = mysqli_real_escape_string($mysqli, '50%');
$sql = "SELECT * FROM table WHERE value = '{$value}'";

$filename = mysqli_real_escape_string($mysqli, 'image_file.png');
$sql = "SELECT * FROM files WHERE filename = '{$filename}'";

 

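Putting the two posts above together: the first post shows that real_escape_string() leaves LIKE wildcards alone, and the reply explains why it must (an equality query on '50%' or 'image_file.png' would break otherwise). The following is an added example, not code from the thread or from the PHP manual. It assumes a MySQL table `users(username)` and placeholder connection details; `escapeLikePattern()` is a helper written for this example. It escapes the wildcards only where a LIKE pattern is built, uses a prepared statement for both queries, and declares the escape character in the query so the database and the PHP side agree on it.

```php
<?php
// Added example (not from the thread): escaping LIKE wildcards before binding
// a prepared-statement parameter. Table `users(username)` and the connection
// credentials are placeholders.

declare(strict_types=1);

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Escape the characters that are special inside a LIKE pattern: the escape
 * character itself, '%' and '_'. '!' is used as the escape character instead
 * of MySQL's default backslash, so the result does not depend on how backslashes
 * are treated by real_escape_string() or sql_mode. The same character must be
 * named in the query's ESCAPE clause.
 */
function escapeLikePattern(string $value, string $escape = '!'): string
{
    // The escape character is replaced first, so the '!' inserted in front of
    // '%' and '_' afterwards is not escaped a second time.
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

$mysqli = new mysqli('localhost', 'user', 'password', 'appdb'); // placeholder
$mysqli->set_charset('utf8mb4');

$input = $_POST['username'] ?? '';

// The pattern from the first post, kept only for comparison. With $input = '%'
// it matches every row even though real_escape_string() ran:
// $sql = "SELECT * FROM users WHERE username LIKE '" . $mysqli->real_escape_string($input) . "'";

// Exact match: a bound parameter is enough, and '%' or '_' in the input are
// compared literally, so '50%' and 'image_file.png' need no treatment.
$stmt = $mysqli->prepare('SELECT username FROM users WHERE username = ?');
$stmt->bind_param('s', $input);
$stmt->execute();
$exact = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd

// Prefix search: the parameter is still bound, but the wildcards in the user's
// input are escaped first and the query declares the escape character.
// $input = '%' now becomes the pattern '!%%', which matches usernames that
// start with a literal percent sign, not every row.
$pattern = escapeLikePattern($input) . '%';
$stmt = $mysqli->prepare("SELECT username FROM users WHERE username LIKE ? ESCAPE '!'");
$stmt->bind_param('s', $pattern);
$stmt->execute();
$prefix = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
```

The escape character is a choice: MySQL defaults to backslash, but a backslash has to be doubled in a PHP double-quoted string and again for MySQL's own string syntax, which is an easy place to get out of step. Whatever character is chosen, escape it in the helper and name it in the ESCAPE clause; a pattern escaped with '!' but sent to a query without `ESCAPE '!'` is just a different wrong search term.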

On 5/9/2020 at 7:58 PM, Ingolme said:

That's not really a security threat since those characters cannot be used to change the functionality of a query. It will merely change the term you are searching for. It is up to you to escape those characters manually if you are going to use it in a LIKE query.

If mysqli_real_escape_string actually escaped percentage signs and underscores, a majority of queries would stop working or work incorrectly, as in these examples:


$value = mysqli_real_escape_string($mysqli, '50%');
$sql = "SELECT * FROM table WHERE value = '{$value}'";

$filename = mysqli_real_escape_string($mysqli, 'image_file.png');
$sql = "SELECT * FROM files WHERE filename = '{$filename}'";

 

I'm totally with you. I'm not saying these signs should be escaped by these functions, but it should be mentioned in the documentation of these functions, since it can lead to unwanted behavior/vulnerabilities. If I read "function escapes special characters in a string", I assume they are bulletproof against any special character.
