Doc Bug #46011 mysql_real_escape_string is no protection for numeric fields
Submitted: 2008-09-06 17:34 UTC Modified: 2008-11-02 17:16 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:2 (66.7%)
From: pablo dot angulo at uam dot es Assigned:
Status: Wont fix Package: Documentation problem
PHP Version: Irrelevant OS: Irrelevant
Private report: No CVE-ID: None

 [2008-09-06 17:34 UTC] pablo dot angulo at uam dot es
Description:
------------
mysql_real_escape_string documentation gives the false impression that its use alone will prevent mysql attacks and unauthorized access to the database in all circumstances.

For numeric columns, mysql_real_escape_string is not enough.
Example:

// Each value is escaped, but escaping only handles quotes, backslashes and NUL bytes.
$user=mysql_real_escape_string($_GET['user']);
$pass=mysql_real_escape_string($_GET['pass']);
$id=mysql_real_escape_string($_GET['id']);
// $id is interpolated without quotes, so "1 OR 1=1" lands in the query unchanged.
$query="SELECT x FROM t WHERE user='$user' AND pass='$pass' AND id=$id";
mysql_query($query);

is susceptible to the attack

http://example.com/index.php?id=1 OR 1=1

because mysql_real_escape_string does not escape whitespace.
The check is_numeric($id) is a solution to the above, putting the number between quotes in the query also is, and using sprintf is another solution, but the documentation does not suggest any of those should be used. There should be at least a pointer to:

http://php.net/manual/en/security.database.sql-injection.php

so that we newbies know this is not a trivial issue.


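The numeric-id case from the report, with the three mitigations it names (a numeric check, sprintf, quoting the value), as an added PHP example that is not part of the bug report. It needs no database; $user and $pass are assumed to have already been passed through mysql_real_escape_string() (mysqli_real_escape_string() on current PHP), and the function names are the example's own.

```php
<?php
// Added example, not code from the bug report: the id branch of the report's
// query with the three mitigations it lists. $user/$pass are assumed escaped.

// Strict check: only an unsigned decimal literal passes. The report suggests
// is_numeric(), which also accepts " 1", "1.5" and "1e3"; for an id column
// ctype_digit() is the tighter test.
function validate_id(string $raw): int
{
    if (!ctype_digit($raw)) {
        throw new InvalidArgumentException("id must be an unsigned integer, got \"$raw\"");
    }
    return (int) $raw;
}

// Vulnerable form from the report: escaping leaves "1 OR 1=1" untouched.
function build_vulnerable(string $user, string $pass, string $id): string
{
    return "SELECT x FROM t WHERE user='$user' AND pass='$pass' AND id=$id";
}

// Fix 1: validate first, then interpolate a real integer.
function build_validated(string $user, string $pass, string $id): string
{
    $id = validate_id($id);
    return "SELECT x FROM t WHERE user='$user' AND pass='$pass' AND id=$id";
}

// Fix 2: sprintf's %d coerces the argument to an integer, so the trailing
// " OR 1=1" is dropped before the query is built.
function build_sprintf(string $user, string $pass, string $id): string
{
    return sprintf("SELECT x FROM t WHERE user='%s' AND pass='%s' AND id=%d",
                   $user, $pass, $id);
}

// Fix 3: quote the escaped value so it stays inside a string literal and
// MySQL never sees a bare OR keyword.
function build_quoted(string $user, string $pass, string $id): string
{
    return "SELECT x FROM t WHERE user='$user' AND pass='$pass' AND id='$id'";
}

// Constructed input: the report's payload after escaping (unchanged, since it
// contains no quotes, backslashes or NUL bytes).
$payload = '1 OR 1=1';
echo build_vulnerable('alice', 'secret', $payload), "\n";
echo build_sprintf('alice', 'secret', $payload), "\n";
echo build_quoted('alice', 'secret', $payload), "\n";
try {
    build_validated('alice', 'secret', $payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Comparing the first and second lines of output shows the difference the report describes: escaping alone keeps the OR clause, while the integer coercion and the validation check remove or reject it.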
 [2008-09-30 09:20 UTC] olafvdspek at gmail dot com
http://php.net/manual/en/function.mysql-query.php should really contain a warning about SQL injection.
Even better, mysql_query should be deprecated and replaced by a safe(r) variant.
 [2008-09-30 10:26 UTC] pablo dot angulo at uam dot es
"http://php.net/manual/en/function.mysql-query.php should really contain a warning about SQL injection."

Absolutely agree.

"Even better, mysql_query should be deprecated and replaced by a safe(r) variant."

That may be too radical, as there are CMS that rely on this function and provide (I hope) safety wrappers around mysql calls. Also, many times there is no user input in a mysql call.
 [2008-11-02 17:16 UTC] danbrown@php.net
There are articles and places for that, including the user notes.  The purpose and scope of the official manual is to explain the functions on the function pages.  It's neither prudent nor reasonable to try to explain every facet and risk of every function, and the benefit to the reader would be outshined by the bloat of the documentation.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Apr 24 19:01:31 2024 UTC