CodingForums.com > Server side development > MySQL
08-20-2011, 12:18 PM | #1
dacoder96
Apostrophe issue

Hi,

I was running my website off a Ubuntu box with XAMPP on it for months and today I built my own web server but I am having SQL issues.

When I had XAMPP, SQL could process apostrophes in queries just fine, but now that I have custom built my web server (with Apache, PHP, SQL etc), SQL throws errors if the query has an apostrophe in it.
I shouldn't have to use mysql_real_escape_string or anything because I wasn't with XAMPP, so I'm guessing it's SQL's problem =/

What is going on?! o.0
How can I fix this?

Thanks.
08-20-2011, 02:21 PM | #2
guelphdad
You should be using mysql_real_escape_string to sanitize your incoming data, otherwise you are leaving yourself vulnerable to SQL injections.

Also to clarify you realize that SQL is the language itself and SQL Server or MySQL or Oracle are the database applications right?
08-21-2011, 12:50 AM | #3
dacoder96
Sorry, I mean MySQL (5.1.49)

I shouldn't have to use mysql_real_escape_string because when I was running XAMPP (which also runs MySQL 5.0.67) I was not having this issue. Is there something in the configuration that can alter this? I have had a look but was not very successful.

Thanks for your reply guelphdad
08-21-2011, 02:48 AM | #4
guelphdad
Single quotes need to be escaped either with a second single quote or a backslash, or magic_quotes turned on. You had to be doing one of those things with the previous install. There is no difference between what you were running before and what you are running now, with the exception of you choosing to install the three applications (that were already installed) and configure them by hand. Perhaps XAMPP turns on magic quotes or uses MRES by default.

If you don't want to run MRES that's up to you; if you don't sanitize your data you are leaving yourself open to SQL injection and cross server scripting attacks.

That's totally up to you of course.
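As an added example (not code from this thread or from any of its posters), here are the escaping options guelphdad lists side by side in PHP with mysqli, plus the prepared-statement form that avoids quoting altogether. It assumes a `users` table with a VARCHAR `name` column and uses placeholder credentials.

```php
<?php
// Added example, not from the thread. Assumes a MySQL table `users`
// with a VARCHAR column `name`. Replace the placeholder credentials.
$mysqli = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
if ($mysqli->connect_error) {
    die('Connect failed: ' . $mysqli->connect_error);
}

// Constructed sample input: the kind of value that broke the poster's queries.
$name = "O'Brien";

// 1. What the poster's code does today: the apostrophe closes the string
//    literal early, so MySQL sees ... WHERE name = 'O'Brien' and reports a
//    syntax error. Any value that can close the literal can also change
//    the meaning of the query, which is the injection risk guelphdad raises.
$broken = "SELECT id FROM users WHERE name = '$name'";
echo "Unescaped (fails): $broken\n";

// 2. Escaping by hand. real_escape_string() turns ' into \' using the
//    connection's character set, so the literal stays closed. Doubling the
//    quote ('') is the other escaping form mentioned in the reply.
$escaped = "SELECT id FROM users WHERE name = '"
         . $mysqli->real_escape_string($name) . "'";
echo "Escaped: $escaped\n";

// 3. Preferred: a prepared statement. The value is sent separately from
//    the SQL text, so there is nothing to escape and no quoting to get wrong.
$stmt = $mysqli->prepare('SELECT id FROM users WHERE name = ?');
$stmt->bind_param('s', $name);
$stmt->execute();
$stmt->bind_result($id);
while ($stmt->fetch()) {
    echo "Matched id $id\n";
}
$stmt->close();
$mysqli->close();
```

magic_quotes_gpc was removed in PHP 5.4 and the mysql_* extension in PHP 7, so on a current install only the escaping and prepared-statement forms above remain.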
08-21-2011, 03:33 AM | #5
dacoder96
Ok thanks heaps guelphdad

I am going to go with the dodgy way (not sanitizing and just using magic_quotes) because I monitor logs a lot and all my users are close friends, so I don't really mind.
08-21-2011, 05:03 AM | #6
guelphdad
Is your server available over the net? Then you are vulnerable to XSS and SQLI.
08-21-2011, 05:15 PM | #7
Fou-Lu
Quote (Originally Posted by dacoder96):
    Ok thanks heaps guelphdad

    I am going to go with the dodgy way (not sanitizing and just using magic_quotes) because I monitor logs a lot and all my users are close friends, so I don't really mind.
magic_quotes is a deprecated feature. I'm expecting it to be gone in the next major release of PHP, which means your dodgy practice now becomes a complete vulnerability.
I wouldn't be surprised if it's sooner; the next minor release of 5.4 will include the removal of register_globals, register_long_arrays, and allow_call_time_pass_reference, which will of course remove some old functions (particularly the old session ones). If they are axing register_globals, I won't be surprised if magic_quotes_gpc and magic_quotes_runtime are also nuked in that release.

Monitoring your logs is a reactive approach. If you take a proactive one you won't need to be constantly monitoring the logs as much as just checking in.