
I have a problem. When I do an insert like so in PHP:

    $sql = "INSERT INTO mytable (id, value)
    VALUES ('sds83','".$EncryptedString."')";

When I run this query it sometimes works and sometimes it doesn't. The problem is that sometimes $EncryptedString contains characters like this: ')') which cause syntax errors. $EncryptedString contains binary data; how can I go about this issue?

3 Answers


Escape your encrypted string

mysql_real_escape_string

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

See stripslashes


10 Comments

The original string was already escaped, but then it was encrypted using mcrypt and the new encrypted value was placed in $EncryptedString. If I escape it again will that preserve all the characters so the string can be decrypted when I pull the data from the db?
No, you wouldn't escape it when getting the data out, you would use stripslashes php.net/manual/en/function.stripslashes.php and everything would be fine
I don't get it. Are you recommending to escape the string or stripslashes. I don't think either would work because it would change the value of $EncryptedString. If I escape or stripslashes when inserting $EncryptedString it would change the value of the encrypted string, then when I pull it from the database later on it will be missing slashes which would be crucial in decrypting the string. Am I missing something? or does the mysql escape and strip slashes work differently?
Please can you post a sample of the $EncryptedString?
I was using mcrypt to store the encrypted value in $EncryptedString. After searching online a bit I found you can use base64_encode to make it more elegant to insert into mysql. Then just use base64_decode when you need the value back.

Use PDO (or another database layer) that supports prepared statements.

When you use query parameters instead of executing raw SQL, you gain speed improvements (the database only has to plan and optimize for one query), and all the data you write to its parameters is immediately and completely isolated from the query itself.

It's surprising how many people don't have this in place! Take the initiative and update your code.



You need to escape your $EncryptedString. Depending on the type of MySQL connection object/functions you are using, it could be like this:

$sql = "
    INSERT INTO mytable (id, value)
    VALUES ('sds83','" . mysql_real_escape_string($EncryptedString) . "')";

2 Comments

Wouldn't that change the value of $EncryptedString and I wouldn't be able to decrypt the string in the future?
No, what he needs to do is use an interface to mysql that isn't 10 years old, and supports parameters.
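As an added example (not code from the original post or from any of the answers), the script below does what the three answers describe and checks the part the asker was worried about: it writes a binary value into MySQL both by binding it as a prepared-statement parameter (answer 2) and by escaping it into a quoted literal (answers 1 and 3), then reads it back and compares the bytes. It assumes a table named mytable with a BLOB column, connection details taken from the environment variables DB_DSN, DB_USER and DB_PASS (the defaults in the code are placeholders), the MySQL `_binary` introducer on the literal path so the bytes are not run through the connection charset, and a constructed byte string standing in for the asker's mcrypt output; none of those come from the original page.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original post. Stores arbitrary binary
// (ciphertext) bytes in MySQL two ways and verifies they round-trip intact:
//   1. bound parameter of a prepared statement (answer 2)
//   2. escaped into a quoted literal (answers 1 and 3)
// Assumptions not in the original: table name mytable, connection settings
// from DB_DSN / DB_USER / DB_PASS (placeholders below), and a constructed
// byte string in place of the asker's mcrypt output.

$dsn  = getenv('DB_DSN')  ?: 'mysql:host=127.0.0.1;dbname=test;charset=utf8mb4'; // assumed
$user = getenv('DB_USER') ?: 'test';                                              // assumed
$pass = getenv('DB_PASS') ?: '';                                                  // assumed

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares: data never enters the SQL text
]);
// BLOB stores bytes verbatim; a TEXT/VARCHAR column would apply charset conversion.
$pdo->exec('CREATE TABLE IF NOT EXISTS mytable (id VARCHAR(16) PRIMARY KEY, value BLOB)');
$pdo->exec("DELETE FROM mytable WHERE id IN ('sds83', 'sds84')"); // clear earlier demo rows

// Constructed stand-in for the ciphertext: random bytes around exactly the
// characters that broke the asker's concatenation (quote, paren, backslash,
// NUL, 0x1A, double quote, newline). mysql_real_escape_string escapes all of them.
$ciphertext = random_bytes(8) . "')\\\x00\x1a\"\n" . random_bytes(8);

// Path 1: bound parameter. The value travels separately from the statement,
// so no byte of it can ever be parsed as SQL. No escaping, no stripslashes.
function storeBound(PDO $pdo, string $id, string $value): void
{
    $stmt = $pdo->prepare('INSERT INTO mytable (id, value) VALUES (:id, :value)');
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->bindValue(':value', $value, PDO::PARAM_LOB);
    $stmt->execute();
}

// Path 2: escape into a literal. PDO::quote() calls the driver's
// real_escape_string. The backslashes it adds exist only in the SQL text; the
// server removes them while parsing the literal, so the stored bytes are the
// original ones. The _binary introducer (assumed here) keeps MySQL from
// treating the literal as utf8mb4 text.
function storeEscaped(PDO $pdo, string $id, string $value): void
{
    $sql = 'INSERT INTO mytable (id, value) VALUES ('
         . $pdo->quote($id) . ', _binary ' . $pdo->quote($value) . ')';
    $pdo->exec($sql);
}

// Reading back is a plain SELECT: nothing to unescape, because the escaping
// never reached the stored data.
function load(PDO $pdo, string $id): string
{
    $stmt = $pdo->prepare('SELECT value FROM mytable WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetchColumn();
    if ($row === false) {
        throw new RuntimeException("no row for id $id");
    }
    return (string) $row;
}

storeBound($pdo, 'sds83', $ciphertext);
$back = load($pdo, 'sds83');
printf("bound:   %s (%d bytes)\n",
    hash_equals($ciphertext, $back) ? 'round-trips' : 'CORRUPTED', strlen($back));

// The literal path is only exercised on MySQL; pdo_sqlite's quote() cannot
// carry a NUL byte, whereas the bound path above works on either driver.
if ($pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
    storeEscaped($pdo, 'sds84', $ciphertext);
    $back = load($pdo, 'sds84');
    printf("escaped: %s (%d bytes)\n",
        hash_equals($ciphertext, $back) ? 'round-trips' : 'CORRUPTED', strlen($back));
}
```

Both rows come back byte-for-byte equal to what went in, which answers the question raised in the comments: the slashes added by mysql_real_escape_string are consumed by the server's SQL parser and are never stored, so calling stripslashes() on the value read back would not restore anything; it would strip any genuine backslash bytes out of the ciphertext and break decryption. The bound-parameter path is the one to keep; the literal path is only there to show that escaping, done correctly, is lossless too.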
