Doc Bug #40113 quote_smart() in the mysql_real_escape_string() documentation isn't that smart
Submitted: 2007-01-12 21:01 UTC Modified: 2007-02-06 11:42 UTC
From: romik at aha dot ru Assigned: colder (profile)
Status: Closed Package: Documentation problem
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2007-01-12 21:01 UTC] romik at aha dot ru
Description:
------------
There is an example function quote_smart() in the mysql_real_escape_string() documentation, Example 3.

It demonstrates an awfully wrong way of escaping! And it allows second-order SQL injection (when data comes not from input but from the database).
I believe this example should be removed from the documentation.
The best practice section should be like this:
"If you want to handle quotes in the right way, you have to get rid of magic quotes first, by configuration or by a function included in each script.
And then quote all data manually, using mysql_real_escape_string()" or something like that. But there are also a lot of pitfalls and remarks.

Actually, I've got a whole article named "complete quotes guide", but it is written in Russian and I'm not sure my English is good enough to translate it.


 [2007-01-16 10:38 UTC] colder@php.net
This function will ensure that everything passed to it will be returned either as

1) a quoted string with escaped chars inside.
2) a numeric string without quotes around it.

It also takes care of magic_quotes_gpc being on/off.

I fail to see how your "best practice section" proposition is better. I also fail to see how "second-order" injections are doable when using such function.
 [2007-01-16 12:44 UTC] colder@php.net
The only thing about that quote_smart() function that is not really good is that it will call stripslashes() on every var if magic_quotes_gpc is on, even if the var is not coming from GPC.

I'll change this example.
 [2007-01-16 13:18 UTC] romik at aha dot ru
Yes, my bad. It does not allow second-order injection. I beg your pardon - I messed up the use of magic_quotes_gpc().

So the only problem is the one you mentioned - calling stripslashes when the var is not coming from GPC.

The main point I meant is that it is better to separate dealing with magic quotes from dealing with SQL data.
You need to strip slashes right after data is passed to the script - not when it comes to SQL. A frequent pitfall: multiplying slashes in cookies.
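An added illustration of the two points in this thread (a quote_smart()-style function stripping slashes from data that never passed through GPC, versus undoing magic quotes once at script entry and escaping only at SQL time). This is example code written for this page, not the manual's own listing; it assumes PHP 5 with the mysql extension and an already-open connection, as in the era of this report.

```php
<?php
// Added example. Assumes PHP 5 with the mysql extension and an open connection.

// The pattern criticised in this thread: magic-quotes handling and SQL
// escaping are mixed in one function, so stripslashes() runs on *every*
// value when magic_quotes_gpc is on, whether or not it came from GPC.
function quote_smart_old($value)
{
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);   // wrong for values not from GPC
    }
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

// Separated approach, step 1: undo magic quotes exactly once, at script
// entry, only on the superglobals that magic_quotes_gpc actually touched.
function strip_magic_quotes_deep($data)
{
    return is_array($data)
        ? array_map('strip_magic_quotes_deep', $data)
        : stripslashes($data);
}
if (get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes_deep($_GET);
    $_POST   = strip_magic_quotes_deep($_POST);
    $_COOKIE = strip_magic_quotes_deep($_COOKIE);
}

// Step 2: quoting for SQL only escapes; it no longer cares where the
// data came from, so database-sourced values are not touched twice.
function quote_sql($value)
{
    return "'" . mysql_real_escape_string($value) . "'";
}

// A constructed value that came from the database, not from GPC: a path
// containing backslashes. With magic_quotes_gpc on, quote_smart_old()
// silently strips those backslashes (data corruption, not an injection),
// while quote_sql() escapes them and keeps the value intact.
$from_db = 'C:\\temp\\report.txt';
echo quote_smart_old($from_db), "\n";
echo quote_sql($from_db), "\n";
```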
 [2007-02-06 11:24 UTC] bjori@php.net
Etienne: isn't this fixed already?

 [2007-02-06 11:42 UTC] colder@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

indeed!