PEAK XOOPS - Which function should be adopted in escaping string?

| PHP | Site News | XOOPS |

PHP

PHP : Which function should be adopted in escaping string?

Poster : GIJOE on 2006-05-25 06:34:07 (18487 reads)

This is a summary of discussion with ELF about escaping string for SQL.

I recommmend addslashes()

(A) performance
(B) compatibility with environments of magic_quotes_gpc=on
(C) reverse function exists
(D) DB connection free

ELF recommend *_escape_string()

(1) clear the purpose
(2) searchable by grep, replacable by sed, easily
(3) can follow to change DB engine's spec

I think it stands to reason all of (1)(2)(3).

But I'll use addslashes() instead of mysql_real_escape_string() because I know the escaping rule of addslashes() exactly.

It will be much better to use accustomed tools than unaccustomed tools.

eg) I've just found a SQL Injection in a famous script because of developper's ignorance which ` can't be escaped by addslashes()/mysql_real_escape_string().

2 comments

Comments list

Re: SQLÍÑÊ¸»úÎó¥¨¥¹¥±¡¼¥×¤Ë¤É¤Î´Ø¿ô¤ò»È¤¦¤Ù¤¤«

GIJOE Posted on 2006/5/26 5:15 | Last modified

Quote:

SQLÊ¸¤ËÂÐ¤¹¤ë¥ê¥Æ¥é¥ë¤Î¥¨¥¹¥±¡¼¥×¤Ë´Ø¤·¤Æ¤Ï¡¢¥»¥¥å¥ê¥Æ¥£¤È¤«INJECTION¤Ê¤ó¤Æ³µÇ°¤¬°ìÈÌÅª¤Ë¤Ê¤ëÁ°¤Ç¤â¡¢¥×¥í¥°¥é¥Þ¤ËÂÐ¤·¤Æ¡ÖÀµ¤·¤¯¥×¥í¥°¥é¥à¤òÆ°ºî¤µ¤»¤ë°Ù¤ËÉ¬Í×¡×¤Ã¤Æ¶µ°é¤¬¤µ¤ì¤Þ¤¹¤«¤é¡£

¤½¤ì¤Ï¤ª¤Ã¤·¤ã¤ëÄÌ¤ê¤Ç¡¢SQL¤Î´ðËÜÃæ¤Î´ðËÜ¤Ç¤¹¤è¤Í¡£
SQL InjectionÂÐºö¤Î¡Ö¥µ¥Ë¥¿¥¤¥º¡×¤Ç¤Ê¤¤¤³¤È¤ÏÌÀ¤é¤«¤Ç¤¹¡£

¤³¤Î¤¢¤¿¤ê¡¢¤Á¤ã¤ó¤È½ñ¤¤¤¿¤Ä¤â¤ê¤À¤Ã¤¿¤Î¤Ë¡¢ÆÉ¤ßÊÖ¤·¤¿¡Ö¥µ¥¤¥Ð¡¼¥Æ¥íËÜ¡×¤Ç¤Ï¡¢¤½¤¦¤¤¤¦µ½Ò¤¬¤É¤³¤Ë¤â¤Ê¤«¤Ã¤¿¤Î¤Ë¤Ï¼«Ê¬¤Ç¤âØ³Á³¤È¤·¤Þ¤·¤¿¡£
³Î¤«¤Ë¹âÌÚ¹À¸÷»á¤ËÆÍ¤Ã¹þ¤Þ¤ì¤Æ¤â»ÅÊý¤Ê¤¤¤Ç¤·¤ç¤¦¡£

¤¿¤À¡¢SQL Injection¤È¤Ê¤ëÍýÍ³¤Ã¤Æ£²¤Ä¤¢¤ê¤Þ¤¹¤è¤Í¡£

¡¦¥ê¥Æ¥é¥ë¤Î¥¨¥¹¥±¡¼¥×¤·Ëº¤ì
¡¦¥ê¥Æ¥é¥ë¤Ç¤Ï¤Ê¤¤Í×ÁÇ¤òSQL¤ØÆ³Æþ¤¹¤ë

¤³¤Î¸å¼Ô¤Î¥ß¥¹¤ÎÊý¤¬¤à¤·¤íÉÝ¤¤¤ó¤¸¤ã¤Ê¤¤¤«¤È»×¤¦¤ó¤Ç¤¹¡£
¸å¼Ô¤Î¼êÈ´¤¥Ñ¥¿¡¼¥ó¤È¤·¤Æ¡¢ORDER BY ¤Î¥«¥é¥àÌ¾¤òÄ¾»ØÄê¤·¤Æ¡¢¥Û¥ï¥¤¥È¥ê¥¹¥È¥Á¥§¥Ã¥¯¤Ê¤ó¤Æ¤Î¤¬¤¢¤ê¤Þ¤¹¤¬¡¢¤½¤ì¤Ï¡Ö¥µ¥Ë¥¿¥¤¥º¡×¤È¸À¤¨¤Ê¤¯¤â¤Ê¤¤¤Ç¤·¤ç¤¦¡£

¡Ä¤Ã¤ÆÁ´Á³°ã¤¦ÏÃÂê¤Ç¶²½Ì¤Ç¤¹¤¬¡£

¤¤¤º¤ì¤Ë¤»¤è¡¢PHP»ËÅª¤Ë¡¢addslashes()¤Î¸µ¡¹¤ÎÍÑÅÓ¤¬°ã¤¦¤Î¤À¤«¤é¡¢SQLÍÑ¥¨¥¹¥±¡¼¥×¤ËÍøÍÑ¤¹¤Ù¤¤Ç¤Ï¤Ê¤¤¡¢¤È¤¤¤¦°Õ¸«¤Ï·¹Ä°¤¹¤ë²ÁÃÍ¤¬¤¢¤ê¤Þ¤¹¤Í¡£

Quote:

Í¾ÃÌ¤Ç¤¹¤¬¡¢PHP¤Ë´Ø¤·¤Æ¤Ï¡¢´Ê°×WEBºîÀ®¥Ä¡¼¥ë¤Ã¤Æ°ÌÃÖÉÕ¤±¤ÇÈ¯¾Í¤·¤¿°Ù¤«magic_quote_gpc¤Ê¤ó¤Æ¤Î¤¬ºÇ½é¤«¤éÍÑ°Õ¤µ¤ì¤Æ¤¤¤¿¤¬¤¿¤á¤Ë¡¢Í¾·×¤Ëº®Íð¤ò¤â¤¿¤é¤·¤Æ¤¤¤ë¤è¤¦¤Êµ¤¤¬¤·¤Þ¤¹¡£¤³¤ì¤¬¤¿¤á¤Ë¡¢¾¯¤·Á°¤Ë¤Ïmagic_quote_gpc´Ä¶¤ÇÌµ¤¤¾ì¹ç¤Ë¤¹¤Ù¤Æ¤ÎGPC¤Ë addslashes¤Ê¤ó¤Æ½èÍý¤¬¹Ô¤ï¤ì¤Æ¤¤¤¿Êª¤â¤¢¤Ã¤¿¤ê¤·¤Þ¤¹¡£

¤Ê¤ë¤Û¤É¡Á¡£
PHP¤Ï¥¹¥¿¡¼¥ÈÃÏÅÀ¤«¤é¤Þ¤È¤â¤Ê¥×¥í¥°¥é¥ß¥ó¥°¸À¸ì¤È¤Ï°ã¤¦¤ó¤Ç¤¹¤Í¡£
magic_quotes_gpc¤â regiter_globals ¤ÈÆ±¤¸¤¯¡¢²áµî¤Î°äÊª¤Ê¤ó¤Ç¤·¤ç¤¦¤Í¡£

Re: SQLÍÑÊ¸»úÎó¥¨¥¹¥±¡¼¥×¤Ë¤É¤Î´Ø¿ô¤ò»È¤¦¤Ù¤¤«

nobunobu Posted on 2006/5/25 7:56

Quote:

`¡Ê¥Ð¥Ã¥¯¥¯¥ª¡¼¥È¡Ë¤â'¡Ê¥·¥ó¥°¥ë¥¯¥ª¡¼¥Æ¡¼¥·¥ç¥ó¡Ë¤ÈÆ±ÍÍ¤Ë¥¨¥¹¥±¡¼¥×¤µ¤ì¤ë¡¢¤Ê¤ó¤Æ´ª°ã¤¤¤¬¥Ù¡¼¥¹¤Ë¤¢¤Ã¤¿¤è¤¦¤Ë»×¤¨¤Þ¤¹¡£

¤½¤â¤½¤â¡¢addslashes¤ÎÍÑÅÓ¤¬INJECTIONÂÐºö¤Ê¤ó¤Æ°Õ¼±¤¬Çö¤«¤Ã¤¿(Ìµ¤«¤Ã¤¿¡©)¤Î¤À¤È»×¤¤¤Þ¤¹¤è¡£
Ã±½ã¤ËSQLÊ¸Ãæ¤Î¥ê¥Æ¥é¥ë¤ÎÃæ¤Ë¡¢¥¯¥©¡¼¥Æ¡¼¥·¥ç¥óÊ¸»ú¤¬»È¤ï¤ì¤ë²ÄÇ½À¤¬¤¢¤ë¤«¤é¡¢SQL¥¨¥é¡¼¤ª¤³¤µ¤Ê¤¤¤¿¤á¤Ë¤Ï¡¢¥¨¥¹¥±¡¼¥×¤ÎÉ¬Á³¤¬¤¢¤Ã¤Æ¡¢
ÀÎ¤ÎMySQL¤Î¼±ÊÌ»Ò¤Çµö¤µ¤ì¤Æ¤¤¤ëÊ¸»ú¤¬¡Ö±Ñ¿ô»ú¡×¤È¡Æ_¡Ç ¤È ¡Æ$¡Ç ¤Ë¸ÂÄê¤µ¤ì¤Æ¤¤¤¿¤Î¤Ç¥¨¥¹¥±¡¼¥×¤ÎÉ¬Á³¤¬Ìµ¤¤¤Ã¤Æ°Õ¼±¤¬¥Ù¡¼¥¹¤Ë¤¢¤Ã¤¿¤Î¤À¤È»×¤¤¤Þ¤¹¡£
SQLÊ¸¤ËÂÐ¤¹¤ë¥ê¥Æ¥é¥ë¤Î¥¨¥¹¥±¡¼¥×¤Ë´Ø¤·¤Æ¤Ï¡¢¥»¥¥å¥ê¥Æ¥£¤È¤«INJECTION¤Ê¤ó¤Æ³µÇ°¤¬°ìÈÌÅª¤Ë¤Ê¤ëÁ°¤Ç¤â¡¢¥×¥í¥°¥é¥Þ¤ËÂÐ¤·¤Æ¡ÖÀµ¤·¤¯¥×¥í¥°¥é¥à¤òÆ°ºî¤µ¤»¤ë°Ù¤ËÉ¬Í×¡×¤Ã¤Æ¶µ°é¤¬¤µ¤ì¤Þ¤¹¤«¤é¡£

Í¾ÃÌ¤Ç¤¹¤¬¡¢PHP¤Ë´Ø¤·¤Æ¤Ï¡¢´Ê°×WEBºîÀ®¥Ä¡¼¥ë¤Ã¤Æ°ÌÃÖÉÕ¤±¤ÇÈ¯¾Í¤·¤¿°Ù¤«magic_quote_gpc¤Ê¤ó¤Æ¤Î¤¬ºÇ½é¤«¤éÍÑ°Õ¤µ¤ì¤Æ¤¤¤¿¤¬¤¿¤á¤Ë¡¢Í¾·×¤Ëº®Íð¤ò¤â¤¿¤é¤·¤Æ¤¤¤ë¤è¤¦¤Êµ¤¤¬¤·¤Þ¤¹¡£¤³¤ì¤¬¤¿¤á¤Ë¡¢¾¯¤·Á°¤Ë¤Ïmagic_quote_gpc´Ä¶¤ÇÌµ¤¤¾ì¹ç¤Ë¤¹¤Ù¤Æ¤ÎGPC¤Ëaddslashes¤Ê¤ó¤Æ½èÍý¤¬¹Ô¤ï¤ì¤Æ¤¤¤¿Êª¤â¤¢¤Ã¤¿¤ê¤·¤Þ¤¹¡£

View more comments...

Lost Password?

Register now!