0

I created the following script in procedural mysqli because I am just starting from the old mysql. I am not sure about the kinds of quotes around the query to prevent injections. Some users post examples with ' others with ", so now I'm confused. Can I get injected or attacked with the following code and what are the correct kinds of quotes?

$username = mysqli_real_escape_string($database,$_POST['form_user']);
$password = mysqli_real_escape_string($database,$_POST['form_password']);

$members = "SELECT * FROM `accounts` WHERE `member` = '$username'";
$result = mysqli_query($database,$members);

I am just a beginner so object oriented or PDO or prepared statements are difficult for me at this moment so I just need to improve this script and make it safer but with so many examples and symbols around query vars I am confused about what is and is not safe.

deceze
  • 510,633
  • 85
  • 743
  • 889
  • 1
    To improve that script and make it safer you should use prepared statements - they aren't that hard to understand and if you wrote the above it won't take long to figure out. Your first step should be to format your code properly - the above is very hard to read. – scrowler Apr 16 '15 at 02:42
  • Is this your code or did you get it from somewhere else? If you could highlight what areas you are specifically concerned about, that would help in answering your question. – Juan Carlos Farah Apr 16 '15 at 02:42
  • `mysql_real_escape_string`. or just go straight to parameter binding. – pala_ Apr 16 '15 at 03:17
  • If prepared statements are too hard for you, use https://github.com/resonantcore/lib/blob/develop/src/DB.php (wiki: https://github.com/resonantcore/lib/wiki/DB) – Scott Arciszewski Apr 16 '15 at 18:13

1 Answers1

1

mysqli_real_escape_string defers to the underlying C mysql library's mysql_real_escape_string function (or equivalent), which encodes the characters:

\, ', ", NUL (ASCII 0), \n, \r, and Control+Z

So, both ' and " are being escaped. That means you can use either for delimiting your string in your query, MySQL allows both double and single quoted strings equally.

I know you know this, but you really really should be getting on the prepared-statement bandwagon now instead of escaping.

Community
  • 1
  • 1
deceze
  • 510,633
  • 85
  • 743
  • 889
  • The question is if I use procedural in query what is the safest way about symbuls used like ' " and ` what to use what is unsafe what is better. I forgot the ` –  Apr 16 '15 at 13:15
  • \` is for delimiting column and table names and cannot be used in conjunction with real_escape_string at all. – deceze Apr 16 '15 at 14:42
  • That is what I am talking about, if this symbol cannot be used then the correct way when using real_scape_string should be $members = "SELECT * FROM accounts WHERE member = '$username'"; without the ` symbol ? Is this because of safety ? –  Apr 16 '15 at 15:35
  • No. ` is used if you need to delimit column names. It's fine for using on **column names**. It's not always necessary, but sometimes you need it, for example if your column name contains a special character and must be delimited. It doesn't really have anything to do with real_escape_string or security, since you're not putting any user input into column names, ***right.....!?*** – deceze Apr 16 '15 at 15:47
  • so this is absolutly correct? // $members = "SELECT * FROM `accounts` WHERE `member` = '$username'"; sorry the ` around accounts and member is not shown –  Apr 16 '15 at 15:52