3

In every blog/article/Q&A I have read, nobody suggested checking the value returned by mysql_real_escape_string().

The way I see it, this check is very important to ensure data consistency, because if this function fails, the value inserted in the database would be a false positive: a boolean FALSE type-cast as a string, resulting in an empty string, not what you would expect.

According to the documentation:

Returns the escaped string, or FALSE on error. 

A MySQL connection is required before using mysql_real_escape_string() otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used. 

The warning is good if you go into the logs to see what happened, but it would not prevent it from happening.

I know that there is very little chance of it failing, but if there is at least one chance it should be expected by your application.

This function will fail if:

  • developer did not connect to the database before calling this function
  • the connection to the database failed before calling this function
  • the memory of the server (where mysql client resides) is low and cannot copy the string for escaping
  • ...

This is an example of "normal" usage:

$db = mysql_connect() or die('Cannot connect to database');
$value = mysql_real_escape_string($_POST['value'], $db);
mysql_query('insert into tablex (value) values ("'.$value.'")', $db) or die('Cannot insert data in database');

I am using something like this (in an OO wrapper for mysql):

class mywrapper{
    // ... [code ...]

    // $this->db is the mysql link identifier
    // Returns the escaped string, or throws if escaping failed
    public function escape($string)
    {
        $escaped = mysql_real_escape_string($string, $this->db);
        if($escaped === false)
        {
            throw new Exception('Some message');
        }
        return $escaped;
    }
} // end class

// I'm calling it as
// $myWrapper->insert('insert into tablex (value) values ("'.($myWrapper->escape($value)).'")');

This will throw an exception that will be captured by the exception handler, and most importantly I prevented the insertion of false positive values in the database, ensuring data consistency.

Am I missing something? Am I playing safe or am I being paranoid? :)

1
  • No-one who cares about security would even recommend calling mysql_real_escape_string ! Just don't do it, kids. Commented Apr 25, 2012 at 12:36
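The checks the question lists (connect, escape, query), carried through one small wrapper around the legacy mysql extension. This is an added example, not the asker's code; it assumes PHP 5.x with the mysql extension loaded, and the host, credentials and table name are placeholders.

```php
<?php
// Added example (not the asker's code): a minimal wrapper around the legacy
// mysql extension that checks every return value the question names as a
// failure point: connect, escape, and query. Assumes PHP 5.x with the mysql
// extension; host, credentials and table name are placeholders.

class MysqlWrapper
{
    private $db;

    public function __construct($host, $user, $pass, $dbname)
    {
        // mysql_connect() returns FALSE on failure; never continue with FALSE
        $this->db = mysql_connect($host, $user, $pass);
        if ($this->db === false) {
            throw new RuntimeException('Connect failed: ' . mysql_error());
        }
        if (!mysql_select_db($dbname, $this->db)) {
            throw new RuntimeException('Select DB failed: ' . mysql_error($this->db));
        }
    }

    // Returns the escaped string; throws instead of silently yielding FALSE,
    // so an empty string can never be inserted in place of the real value.
    public function escape($string)
    {
        $escaped = mysql_real_escape_string((string) $string, $this->db);
        if ($escaped === false) {
            throw new RuntimeException('Escape failed: ' . mysql_error($this->db));
        }
        return $escaped;
    }

    // mysql_query() also returns FALSE on failure (lost connection, bad SQL)
    public function query($sql)
    {
        $result = mysql_query($sql, $this->db);
        if ($result === false) {
            throw new RuntimeException('Query failed: ' . mysql_error($this->db));
        }
        return $result;
    }
}

try {
    $w = new MysqlWrapper('localhost', 'user', 'secret', 'appdb'); // placeholders
    $raw = isset($_POST['value']) ? $_POST['value'] : '';
    $value = $w->escape($raw);
    $w->query('INSERT INTO tablex (value) VALUES ("' . $value . '")');
} catch (RuntimeException $e) {
    // Log the detail server-side; do not echo mysql_error() output to the client
    error_log($e->getMessage());
    http_response_code(500);
}
```

Because escape() now returns the string, the wrapper can be used inline in a query as the question intends, and a failure at any of the three steps stops the request before a FALSE-turned-empty-string reaches the database.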

3 Answers

1

In a sense you are missing something as it's no longer recommended to use the mysql_ family of functions. Instead use mysqli or PDO. Both of these provide parameterised queries which will automatically escape your input data for you.


2 Comments

I know, but a lot of people are still using the mysql extension, so the question is best practice for the mysql extension. I should have mentioned that.
@RaduMaris Yes, I appreciate that. I was going to add this as a comment but with all the links I thought it would read better as an answer (and you didn't specify that you knew about the other extensions...)
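The same insert written with PDO prepared statements, as this answer recommends. This is an added example, not part of the answer; the DSN, credentials and table name are placeholders.

```php
<?php
// Added example (not part of the answer): the insert from the question done
// with a PDO prepared statement. With ERRMODE_EXCEPTION every failure the
// question lists (no connection, lost connection, failed query) surfaces as a
// PDOException instead of a silent FALSE, and there is no manual escaping
// step left to forget or to return FALSE. DSN, credentials and table name
// are placeholders.

function insertValue(PDO $pdo, $value)
{
    // The value travels as a bound parameter, never spliced into the SQL text
    $stmt = $pdo->prepare('INSERT INTO tablex (value) VALUES (:value)');
    $stmt->bindValue(':value', (string) $value, PDO::PARAM_STR);
    $stmt->execute();          // throws PDOException on any failure
    return $stmt->rowCount();  // 1 on success
}

try {
    $pdo = new PDO(
        'mysql:host=localhost;dbname=appdb;charset=utf8mb4', // placeholder DSN
        'user', 'secret',                                    // placeholders
        array(
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
        )
    );
    $raw = isset($_POST['value']) ? $_POST['value'] : '';
    $rows = insertValue($pdo, $raw);
} catch (PDOException $e) {
    // Log server-side; the client only sees a generic error
    error_log('Insert failed: ' . $e->getMessage());
    http_response_code(500);
}
```

Setting the connection charset in the DSN matters: both escaping and parameter binding depend on the client and server agreeing on the character set, so declare it at connect time rather than with a later SET NAMES query.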
0

No, I don't think you're being paranoid. (or we're both paranoid)

I do think too that it's definitely a good practice to avoid sending nothing in a mysql query (pretty much as you wouldn't want to send a nothing valued $_POST variable).

Comments

-1

I noted the problems you mentioned:

This is an example of "normal" usage:

$db = mysql_connect();

Well, at this point you should definitely check that the connection succeeded. Also, with a good database abstraction layer you can prevent the user from "forgetting" to connect to the database (because he never has to do that manually). (1).

If you lose connection in the meantime, then your query will fail, so it doesn't matter what you've sent (2).

mysql_real_escape_string is done at client side, so memory usage of mysql server is not an issue (3).

1 Comment

the mysql_real_escape_string() was important ... :) I changed so it looks like a "normal" usage.
