Reputation: 431
I have a question about parse_str and mysql_real_escape_string. Can I do it like this, and will it affect all parameters from the form?
$post_data = mysql_real_escape_string($_POST['form']);
parse_str($post_data, $query);
print_r($query);
INSERT INTO xyz(id,name) VALUES(1,$query['name'])
Or
parse_str($_POST['form'], $query);
INSERT INTO xyz(id,name) VALUES(1,$query['name'])
print_r($query);
So the question is whether mysql_real_escape_string affects all POST params of $_POST['form'], or whether I have to do that explicitly in the SQL statement?
Upvotes: 0
Views: 278
Reputation: 655129
parse_str and mysql_real_escape_string work with different encodings. parse_str decodes the percent-encoding, which is not recognized by mysql_real_escape_string:
$_post['form'] = 'name='.rawurlencode('\'"\\');
$post_data = mysql_real_escape_string($_post['form']);
parse_str($post_data, $query);
echo $query['name']; // output: '"\
You need to apply the encodings in the right order. mysql_real_escape_string must always come right before putting the value into the MySQL string literal.
As always, passing the values as parameters, as provided by prepared statements, would be the better solution.
Upvotes: 2
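Both points of the answer, decoding with parse_str first and only then handing the value to the database, as an added PHP example that is not from the question or the answer. It assumes an in-memory SQLite database through PDO so it runs offline; the table name xyz and the form payload are taken from the thread, and PDO::quote stands in for mysql_real_escape_string.

```php
<?php
// Added example, not from the original thread. Constructed form payload:
// the same name='"\ value the answer uses, plus an id field.
$form = 'name=' . rawurlencode('\'"\\') . '&id=1';

// Step 1: undo the form (percent) encoding. After this, $query['name']
// holds the raw characters ' " \ and is NOT safe to splice into SQL.
parse_str($form, $query);
if ($query['name'] !== '\'"\\') {
    throw new RuntimeException('parse_str did not decode the value');
}

// Assumption: in-memory SQLite via PDO so the script needs no MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE xyz (id INTEGER PRIMARY KEY, name TEXT)');

// Step 2 (preferred): bind the decoded value as a parameter. The driver
// keeps data and SQL apart, so there is no escaping order to get wrong.
$stmt = $pdo->prepare('INSERT INTO xyz (id, name) VALUES (:id, :name)');
$stmt->execute([':id' => (int) $query['id'], ':name' => $query['name']]);

$stored = $pdo->query('SELECT name FROM xyz WHERE id = 1')->fetchColumn();
if ($stored !== '\'"\\') {
    throw new RuntimeException('bound value was not stored intact');
}

// Step 2 (escaping variant): if a string literal is built by hand, the
// escape call must wrap the DECODED value, right before it enters the SQL.
// PDO::quote here plays the role of mysql_real_escape_string plus quotes.
$literal = $pdo->quote($query['name']);
$pdo->exec("INSERT INTO xyz (id, name) VALUES (2, $literal)");

$stored = $pdo->query('SELECT name FROM xyz WHERE id = 2')->fetchColumn();
if ($stored !== '\'"\\') {
    throw new RuntimeException('escaped value was not stored intact');
}

// Escaping the raw form string before parse_str, as in the question, does
// nothing useful: 'name=%27%22%5C' contains no characters the escaper
// touches, and parse_str then produces the unescaped ' " \ anyway.
echo "both inserts stored the decoded value unchanged\n";
```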