Doc Bug #63118 mysql_real_escape_string doesn't always prepend backslashes
Submitted: 2012-09-19 16:39 UTC Modified: 2012-09-20 01:20 UTC
From: mark at zedwood dot com Assigned:
Status: Wont fix Package: Documentation problem
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2012-09-19 16:39 UTC] mark at zedwood dot com
Description:
------------
On:
http://us3.php.net/manual/en/function.mysql-real-escape-string.php

The documentation says: "mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a."

This implies that "\x00" (1 char) escapes to "\\x00" (4 chars).

This is not accurate, it should say "which escapes the following characters", because there are 2 cases where it doesn't just prepend a slash.  For null and CTRL-Z, it turns "\x00" into '\0' and "\x1a" into '\Z'.  If it didn't, it would be vulnerable to buffer overflow.

The MySQL C API documentation says to allocate a buffer of input_length*2+1, implying that each escaped char can only ever escape to a max of 2 chars.
http://dev.mysql.com/doc/refman/4.1/en/mysql-real-escape-string.html

Test script:
---------------
<?php
// Connection details ($host, $user, $pass, $dbname) are assumed to be set for a test database;
// mysql_real_escape_string() needs an open link because escaping is charset-dependent.
$db  = mysql_connect($host, $user, $pass) or die("err: " . mysql_error());
mysql_select_db($dbname, $db) or die("err: " . mysql_error());
// Six bytes: NUL, LF, CR, double quote, single quote, Ctrl-Z (0x1a)
$a = mysql_real_escape_string("\x00\n\r\"'\x1a");
echo $a;

Expected result:
----------------
//expected, based on current documentation:
\x00\n\r\"\'\x1a

Actual result:
--------------
//actual:
\0\n\r\"\'\Z

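Added example (not code from the report, from PHP or from the MySQL library): a C reimplementation of the escaping rules described in the report, showing that NUL and Ctrl-Z are rewritten to \0 and \Z rather than getting a raw byte prefixed, and that because every input byte expands to at most two output bytes, the input_length*2+1 buffer the MySQL C API asks for cannot overflow. The function takes an explicit length because the input can contain embedded NUL bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape `len` bytes of `src` into `dst`: NUL -> "\0", Ctrl-Z (0x1a) -> "\Z",
 * and \n, \r, backslash, ' and " get a backslash prepended.  The input is
 * length-delimited, not NUL-terminated, because it may contain NUL bytes.
 * `dst` needs len*2+1 bytes.  Returns bytes written, excluding the final NUL. */
size_t escape_for_mysql(char *dst, const char *src, size_t len)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        switch (c) {
        case 0x00: dst[out++] = '\\'; dst[out++] = '0'; break; /* not "\" + NUL */
        case 0x1a: dst[out++] = '\\'; dst[out++] = 'Z'; break;
        case '\n': dst[out++] = '\\'; dst[out++] = 'n'; break;
        case '\r': dst[out++] = '\\'; dst[out++] = 'r'; break;
        case '\\': case '\'': case '"':
                   dst[out++] = '\\'; dst[out++] = (char)c; break;
        default:   dst[out++] = (char)c; break;
        }
    }
    dst[out] = '\0';
    return out;
}

/* Escape into a buffer sized by the len*2+1 rule; 1 if the result equals `expected`. */
int escape_matches(const char *src, size_t len, const char *expected)
{
    char *buf = malloc(len * 2 + 1);
    if (buf == NULL) return 0;
    size_t n = escape_for_mysql(buf, src, len);
    int ok = (n <= len * 2) && strcmp(buf, expected) == 0;
    free(buf);
    return ok;
}

int main(void)
{
    /* Constructed input: the six bytes the report's test script passes. */
    const char in[] = "\x00\n\r\"'\x1a";
    size_t inlen = sizeof(in) - 1;        /* 6; strlen(in) would be 0 */
    char out[2 * 6 + 1];
    size_t n = escape_for_mysql(out, in, inlen);
    printf("%zu bytes -> %zu bytes: %s\n", inlen, n, out); /* prints \0\n\r\"\'\Z */
    return 0;
}
```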
 [2012-09-20 01:20 UTC] aharvey@php.net
-Status: Open +Status: Wont fix
 [2012-09-20 01:20 UTC] aharvey@php.net
I think the wording on that is fine: the use of the word "character" is important there. At any rate, since you don't need to allocate a buffer in PHP, I think the reality is that mysql_real_escape_string() can basically be treated as a black box regardless (unsafe data goes in, safe data comes out).
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 27 04:01:29 2024 UTC