  • #1 dacoder96 (New Coder)

    Apostrophe issue

    Hi,

    I was running my website off a Ubuntu box with XAMPP on it for months and today I built my own web server but I am having SQL issues.

    When I had XAMPP, SQL could process apostrophes in queries just fine, but now that I have custom built my web server (with Apache, PHP, SQL etc.), SQL throws errors if the query has an apostrophe in it.
    I shouldn't have to use mysql_real_escape_string or anything because I wasn't with XAMPP so I'm guessing it's SQL's problem =/

    What is going on?! o.0
    How can I fix this?

    Thanks.

  • #2 guelphdad (Super Moderator)
    you should be using mysql_real_escape_string to sanitize your incoming data, otherwise you are leaving yourself vulnerable to sql injections.

    Also to clarify you realize that SQL is the language itself and SQL Server or MySQL or Oracle are the database applications right?

  • #3 dacoder96 (New Coder)
    Sorry, I mean MySQL (5.1.49)

    I shouldn't have to use mysql_real_escape_string because when I was running XAMPP (which also runs MySQL 5.0.67) I was not having this issue - is there something in the configuration that can alter this? I have had a look but was not very successful.

    Thanks for your reply guelphdad

  • #4 guelphdad (Super Moderator)
    Single quotes need to be escaped either with a second single quote or a backslash, or magic_quotes turned on. You had to be doing one of those things with the previous install. There is no difference between what you were running before and what you are running now, with the exception of you choosing to install the three applications (that were already installed) and configure them by hand. Perhaps XAMPP turns on magic quotes or uses MRES by default.

    If you don't want to run MRES that's up to you, but if you don't sanitize your data you are leaving yourself open to sql injection and cross server scripting attacks.

    that's totally up to you of course.
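    The three ways of handling the quote that guelphdad lists, shown side by side in PHP as an added example (not code from the thread); it assumes a hypothetical mysqli connection and a `users` table with a `name` column:

```php
<?php
// Added example, not from the thread. Connection details, the `users` table and
// its `name` column are hypothetical placeholders.
$db = new mysqli('localhost', 'app', 'secret', 'appdb');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4'); // escaping is charset-aware, so set it before escaping anything

$name = "O'Brien"; // user-supplied value, e.g. from $_POST['name']

// If magic_quotes_gpc is still on (deprecated, removed in PHP 5.4), the input has
// already been backslashed; undo that so the value is escaped exactly once below.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $name = stripslashes($name);
}

// 1. What the thread's original code effectively does: raw interpolation. The
//    apostrophe closes the string literal early and MySQL reports a syntax error.
$broken = "INSERT INTO users (name) VALUES ('$name')";
//  -> INSERT INTO users (name) VALUES ('O'Brien')

// 2. The fix guelphdad describes: escape the value so the quote is backslashed
//    (mysql_real_escape_string in the thread; this is the mysqli equivalent).
$escaped = "INSERT INTO users (name) VALUES ('" . $db->real_escape_string($name) . "')";
//  -> INSERT INTO users (name) VALUES ('O\'Brien')

// 3. Preferred: a prepared statement. The value is sent separately from the SQL
//    text, so quoting is never an issue and the query shape is fixed server-side.
$stmt = $db->prepare('INSERT INTO users (name) VALUES (?)');
if (!$stmt) {
    die('prepare failed: ' . $db->error);
}
$stmt->bind_param('s', $name);
if (!$stmt->execute()) {
    die('execute failed: ' . $stmt->error);
}
printf("inserted row id %d\n", $stmt->insert_id);
$stmt->close();
$db->close();
```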

  • #5 dacoder96 (New Coder)
    Ok thanks heaps guelphdad

    I am going to go with the dodgy way (not sanitizing and just using magic_quotes) because I monitor logs a lot and all my users are close friends so I don't really mind.

  • #6 guelphdad (Super Moderator)
    Is your server available over the net? Then you are vulnerable to XSS and SQLI.

  • #7 Fou-Lu (God Emperor)
    Originally Posted by dacoder96:
        Ok thanks heaps guelphdad

        I am going to go with the dodgy way (not sanitizing and just using magic_quotes) because I monitor logs a lot and all my users are close friends so I don't really mind.

    magic_quotes is a deprecated feature. I'm expecting it to be gone in the next major release of PHP, which means your dodgy practice now becomes a complete vulnerability.
    I wouldn't be surprised if it's sooner: the next minor release of 5.4 will include the removal of register_globals, register_long_arrays, and allow_call_time_pass_reference, which will of course remove some old functions (particularly the old session ones). If they are axing register_globals, I won't be surprised if magic_quotes_gpc and magic_quotes_runtime are also nuked in that release.

    Monitoring your logs is a reactive approach. If you take a proactive one you won't need to be constantly monitoring the logs as much as just checking in.
