Question

Kohana mentions they use mysql_real_escape_string to sanitize database inputs in their documentation. However, while testing some basic queries through a form, they were entered in the database exactly as I entered them. For instance:

SELECT * FROM users WHERE username='admin' AND password='' OR ''=''

is entered into that mysql data exactly as it appears. I was expecting to see:

SELECT * FROM users WHERE username=\'admin\' AND password=\'\' OR \'\'=\'\' 

I'm using the ORM library instead of the database, but I know they work together. Also, I'm using the built-in Input library ($this->input->post) to collect the data from forms. I haven't changed any controllers or libraries that relate to security.

I haven't combed the source code yet, but does Kohana escape the string and then remove the slashes before entering it into a db field? I'm somewhat convinced that this is the case, but I want to be certain.

Thanks


Solution

When you escape an SQL query, you are escaping the literal data so that it does not conflict with the SQL syntax, for example so that apostrophes are not interpreted as string delimiters. MySQL can store unescaped apostrophes and anything else really without the data needing to be stored with escaping intact. It would be a mistake to store the data in its escaped form just so you would have to unescape it again after retrieving it.

Though I am not familiar with Kohana, you can rest assured that it is handling your input properly if you asked it to store a query and it gives you the exact same query back.
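To illustrate the point made in this answer, here is an added example (not from the original post, and not Kohana or MySQL code) using Python's bundled sqlite3 driver with bound parameters in place of mysql_real_escape_string. The apostrophe-laden string from the question round-trips through the table unchanged, because escaping or binding only protects the statement text, while the same string spliced into the SQL changes what the query means.

```python
import sqlite3

# Constructed sample input: the exact password value from the question.
PAYLOAD = "' OR ''='"


def setup():
    """Create an in-memory table with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "s3cret"))
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "hunter2"))
    return conn


def store_and_read_back(conn, value):
    """Store a value with a bound parameter and read it back.

    The driver keeps the literal separate from the SQL text for this one
    statement; the bytes written to the table are unchanged, which is why
    no backslashes show up when the row is inspected afterwards.
    """
    conn.execute("INSERT INTO users VALUES (?, ?)", ("probe", value))
    row = conn.execute(
        "SELECT password FROM users WHERE username = 'probe'"
    ).fetchone()
    return row[0]


def login_concat(conn, username, password):
    """Vulnerable form: input is spliced into the SQL, so apostrophes in it
    become SQL syntax and the WHERE clause no longer means what was intended."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return [r[0] for r in conn.execute(sql)]


def login_bound(conn, username, password):
    """Hardened form: the same check with bound parameters; input stays data."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [r[0] for r in conn.execute(sql, (username, password))]
```

Run login_concat and login_bound with the same inputs: the spliced version matches every row once PAYLOAD is supplied as the password, the bound version matches none.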

OTHER TIPS

Kohana ORM protects you from SQL injection automatically.

Licensed under: CC-BY-SA with attribution