I know that you cure all of the stuff with mysql_real_escape_string() (and with htmlspecialchars()), but I want to know the symbols that cause all this mess everyone wants to get rid of?
The thing here is, that we here had to transfer a website not built by us from one host to another.
It has been coded from ground up, to utilize php's now deprecated and never loved one - magic_quotes.
After the host change there have been php.ini changes also, we encountered a lot of unexpected results. We don't have access to php.ini, there is no user.ini (5.2.x) and the host is is not responsive enough to enable us some extra features. There is a problem with hosting services here in Latvia, a major one.
But yeah, that's off-topic already. I simply want to know, which symbols are the ones that with no escaping, no magic quotes and no protection can cause all this mess?
Plus, there were error when text contained stuff like - /ls which resembles UNIX (the host OS) directory listing command - Method Not Implemented.
And it looks like the website interacts with database in CLI environment, hence the /ls problem. And I want to confirm that whenever you input a value that starts with / and follows UNIX command- "Method Not Implemented" errors comes up.
P.S. I'm not looking for a solution, I've already fixed the error. Just want to know the symbols.
Update to clarify
1) As of writing the question, I was calling CLI what looks to be socket call- unix-domain / TCP. Live and learn!
2) If you read the question fully, you'll see that I'm fixing bugs/holes left behind other developers. Sine we took over this clients IT servicing, they wanted us to take over their website too.
3) Because they have paid a lot of money for current website, they don't want to pay even more for a new one on a newer, better built system.
4) The connection line inside the scripts is - $this->db = DB::connect('mysql://'._DB_USER.':'._DB_PASS.'@'._DB_HOST.'/'._DB_NAME.''); - unix-domain I guess.
From the PHP Manual:
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
Each DB will have its own metacharacters as extensions to standard SQL syntax. Some will use -- for comments, some use c-style /* */, etc... Each DB has its own escaping requirements, which is why there's an escape function for every DB type in PHP. What works for MySQL may be completely useless for (say) Oracle.
The only "definitive" list of characters will be the ones listed in the SQL standards. But using only those in your own custom escape function would be useless, because it won't include the DB-specific non-standard metacharacters that the DB understands.
来源:https://stackoverflow.com/questions/7519717/the-symbols-i-should-be-aware-of-for-sql-injection