php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #63118 mysql_real_escape_string doesn't always prepend backslashes
Submitted: 2012-09-19 16:39 UTC Modified: 2012-09-20 01:20 UTC
From: mark at zedwood dot com Assigned:
Status: Wont fix Package: Documentation problem
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: mark at zedwood dot com
New email:
PHP Version: OS:

 

 [2012-09-19 16:39 UTC] mark at zedwood dot com
Description:
------------
On:
http://us3.php.net/manual/en/function.mysql-real-escape-string.php

The documentation says: "mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a."

This implies that "\x00" (1 char) escapes to "\\x00" (4 chars).

This is not accurate, it should say "which escapes the following characters", because there are 2 cases where it doesn't just prepend a slash.  For null and CTRL-Z, it turns "\x00" into '\0' and "\x1a" into '\Z'.  If it didn't, it would be vulnerable to buffer overflow.

The mysql C API documentation says, to allocate a buffer of input_length*2+1, implying that each escaped char can only ever escape to a max of 2 chars.
http://dev.mysql.com/doc/refman/4.1/en/mysql-real-escape-string.html

Test script:
---------------
$db  = mysql_connect($host, $user, $pass) or die("err: " . mysql_error());
mysql_select_db($dbname, $db) or die("err: " . mysql_error());
$a = mysql_real_escape_string("\x00\n\r\"'\x1a");
echo $a;

Expected result:
----------------
//expected, based on current documentation:
\x00\n\r\"\'\x1a

Actual result:
--------------
//actual:
\0\n\r\"\'\Z

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-09-20 01:20 UTC] aharvey@php.net
-Status: Open +Status: Wont fix
 [2012-09-20 01:20 UTC] aharvey@php.net
I think the wording on that is fine: the use of the word "character" is important there. At any rate, since you don't need to allocate a buffer in PHP, I think the reality is that mysql_real_escape_string() can basically be treated as a black box regardless (unsafe data goes in, safe data comes out).
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue May 28 00:01:32 2024 UTC