strip- vs addslashes


I must have some errors in my understanding of strip- vs addslashes.
I thought that if a user submitted e.g. a username, like this
username=siv' drop database test; I should addslashes to escape ' and "
and therefore prohibit the evil user from dropping/changing my database through
sql injection (my example may not be correct, but I believe it points
out that an evil user can add sql commands through an input field).

But - I've been reading lots of code lately, and I see that others use
stripslashes instead of addslashes. And my question is why. What did I
miss? Has it something to do with gpc_magic_quotes?


Re: strip- vs addslashes

Cruella DeVille wrote:

If magic quotes is enabled, then when data is entered via forms any
quotes are automatically quoted with backslashes. That is why most
people use the stripslashes() function. What you should be using on
data that is to be inserted into your database is the function
mysql_real_escape_string(). This function not only escapes quotes but
other characters that could cause problems. See the manual page for
more information.


Re: strip- vs addslashes


Cruella DeVille wrote:


I recommend not to use addslashes to escape DB queries - please use specific
functions to do that job (such as mysql_real_escape() or pg_escape_string()).

The reason for this? Different DB engines may have different quoting
conventions. If you read the MySQL and PostgreSQL manuals thoroughly,
you'll see that the SQL standard is to escape single quotes by doubling
them (a single quote becomes two single quotes, not a double quote).

A backslash-and-single quote may not be recognized by a particular SQL
engine. So, avoid using addslashes() if possible, and read the
documentation of the DB engine you're using.


Yep, magic quotes may turn data entered by the user into a gibberish of
\'. That's why people often stripslashes() the input data.

You can safely disable gpc_magic_quotes, or even stripslashes() the input
data. But only if you do check the input data, and escape it before
inputting it to the DB, eval()ing it, or doing any other potentially dangerous
stuff with it.

I repeat: never ever trust the user input. Always double check that your
code escapes, checks, or cleans it. Every bit of it.

-- 
Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net

Fear leads to anger.
Anger leads to hate.
Hate leads to using Windows NT for mission-critical applications.
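The engine-specific quoting point made in this reply, as an added Python example that is not from the thread: it mimics PHP's addslashes() and stripslashes() with hypothetical helpers of the same names, adds a hypothetical sql_standard_escape() that doubles single quotes, and uses SQLite (which follows the SQL standard, so a backslash is an ordinary character) to check whether a literal built with each escaper reads back intact. The sample values are constructed here; the thread's username is one of them.

```python
import sqlite3


def addslashes(s: str) -> str:
    """Mimic PHP addslashes() (what magic_quotes_gpc does to form data):
    put a backslash before ' " \\ and write NUL as \\0."""
    return "".join(
        "\\0" if ch == "\x00" else ("\\" + ch if ch in "'\"\\" else ch) for ch in s
    )


def stripslashes(s: str) -> str:
    """Mimic PHP stripslashes(): undo addslashes(); a trailing lone backslash is dropped."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            i += 1
            if i < len(s):
                out.append("\x00" if s[i] == "0" else s[i])
        else:
            out.append(s[i])
        i += 1
    return "".join(out)


def sql_standard_escape(s: str) -> str:
    """SQL-standard quoting: a single quote inside a literal is written twice."""
    return s.replace("'", "''")


def roundtrip(escape, value: str):
    """Build a string literal with `escape`, ask SQLite what it reads back, and
    return that value, or the parse error text if the literal was cut short."""
    con = sqlite3.connect(":memory:")
    try:
        return con.execute("SELECT '%s'" % escape(value)).fetchone()[0]
    except sqlite3.OperationalError as e:
        return "ERROR: %s" % e


# Constructed sample inputs: the thread's username, a legitimate apostrophe, a backslash.
SAMPLES = ["siv' drop database test;", "O'Brien", r"C:\temp"]

if __name__ == "__main__":
    for v in SAMPLES:
        mangled = addslashes(v)              # what magic_quotes_gpc hands the script
        assert stripslashes(mangled) == v    # undo that first, then escape properly
        print(repr(v), "addslashes ->", repr(roundtrip(addslashes, v)))
        print(repr(v), "doubling   ->", repr(roundtrip(sql_standard_escape, v)))
```

On SQLite the backslash-escaped literals either break the statement (the quote still terminates the string, which is exactly where an injection would start) or silently keep the extra backslash, while the doubled-quote form reads back unchanged.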

