Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I was explaining parametrization and its advantages to my friend recently, and he asked how it was any better than mysqli_escape_string in terms of security. Specifically, can you think of any examples of SQL injection that would succeed despite the input strings being escaped (using mysqli_escape_string)?
UPDATE:
I apologise for not being clear enough in my original question. The general question being asked here is, is SQL injection possible despite escaping input strings?
Updated answer
The question was edited (after my answer was posted) to specifically target
mysqli_escape_string, which is an alias ofmysql_real_escape_stringand therefore takes the connection encoding into account. This makes the original answer non-applicable anymore, but I ‘ve left it for completeness.The new answer, in short:
mysqli_escape_stringis as good security-wise as parameterized queries, provided you don’t shoot yourself in the foot.Specifically, what you must not do is highlighted in the giant warning on the PHP doc page:
If you don’t heed this warning (i.e. if you change the character set with a direct
SET NAMESquery) and you change the character set from a single-byte encoding to a “convenient” (from the attacker’s perspective) multibyte encoding, you will have in effect emulated what the dumbmysql_escape_stringdoes: attempt to escape characters without knowing which encoding the input is in.This situation leaves you potentially vulnerable to SQL injection as described by the original answer below.
Important note: I remember reading somewhere that recent MySql versions have plugged this hole on their end (in the client libraries?), which means that you might be perfectly safe even if using
SET NAMESto switch to a vulnerable multibyte encoding. But please don’t take my word for it.Original answer
In contrast to
mysql_real_escape_string, the baremysql_escape_stringdoes not take into account the connection encoding. This means that it assumes the input is in a single-byte encoding, when in fact it can legitimately be in a multibyte encoding.Some multibyte encodings have byte sequences that correspond to a single character where one of the bytes is the ASCII value of the single quote (
0x27); if fed such a string,mysql_escape_stringwill happily “escape the quote”, which means substituting0x27with0x5c0x27. Depending on the encoding rules, this could result in mutating the multibyte character into another that includes the0x5cand leaving the “remaining”0x27as a stand-alone single quote in the input. Voilà, you have injected an unescaped quote into the SQL.For more details see this blog post.