ID:156936
 
How would I go about ensuring my SQL statements are sanitised safely in BYOND without having to run the query through a PHP script?

Has anyone released a demo doing this? I'm sure I saw something that'd do it ~1 year ago.

Thanks.
In response to Ripiz
Posting a link to the library that I'm using isn't really going to help me.

I'm wanting to know what said library does to sanitize the SQL - whether it's just calling MySQL's mysql_real_escape_string function on it. (Which is not adequate SQL sanitizing)
In response to Murrawhip
Look at the documentation for the DB library. Or if you're up for a bit more reading check out my article on the subject.
In response to Nadrew
I've read the documentation, and I've read your article. Both very helpful for starting to use MySQL with BYOND, sure, but again, this doesn't answer my initial sanitising SQL question o.O

Escaping ' (as mentioned in your article) isn't the only thing that needs to be done to sanitize SQL statements. My question, in a nutshell, is:

What exactly does _dm_db_quote() do? Then I can sanitize against the rest.
In response to Murrawhip
It calls the internal Quote() function from libmysql, which is a sanitizing function. The ' thing was an example of what it changes, it should work for everything.

You could have saved yourself plenty of time by simply testing the function.
In response to Nadrew
Testing the function against every known method of SQL injection? No, I probably couldn't have done that.
And if the Quote function from libmysql worked for everything, then there wouldn't be SQL injection problems with people's websites when they only use PHP's mysql_real_escape_string.

Now that I know Dantom.DB uses libmysql's quote function, I can go ahead and research what it doesn't do for sanitizing SQL.

Thank you for your time.
In response to Murrawhip
Murrawhip wrote:
And if the Quote function from libmysql worked for everything, then there wouldn't be SQL injection problems with people's websites when they only use PHP's mysql_real_escape_string.

There should be no injection problems when using mysql_real_escape_string. If there are, it's probably because they forgot to use it in some space. Can you provide any source saying that mysql_real_escape_string is still vulnerable to SQL injection?
In response to Airjoe
mysql_real_escape_string only escapes \x00, \n, \r, \, ', " and \x1a.
It doesn't escape wildcard characters such as %, so if you were using a LIKE statement you'd have to escape it manually.

http://php.net/mysql_real_escape_string
'n
http://php.net/manual/en/security.database.sql-injection.php
In response to Murrawhip
Yeah, but you can't use % for injection attacks without being able to use the characters mysql_real_escape_string() filters. I have yet to come across an instance where the quote() feature of libmysql isn't enough to stop injection.
In response to Nadrew
I'm not sure what you mean by "the characters mysql_real_escape_string() filters", but:
You could use the unescaped % character in a LIKE statement to return a full result set from the database instead of 1 or 2 rows.
Hello millions of rows? Would you like to come in? Please wait for a while, I just need to download you.
In response to Murrawhip
LIMIT [offset],[maxrows] ...Fixed.
In response to Leur
Is it still SQL Injection?
Yes.
My point remains valid.