- strip- vs addslashes
- Cruella DeVille
April 22, 2006, 8:00 pm
I thought that if a user submitted e.g. a username like this:
username=siv' drop database test; I should addslashes to escape ' and "
and therefore prohibit the evil user from dropping/changing my database through
sql injection (my example may not be correct, but I believe it points
out that an evil user can add sql commands through an input field).
But - I've been reading lots of code lately, and I see that others use
stripslashes instead of addslashes. And my question is why. What did I
miss? Has it something to do with gpc_magic_quotes?
Re: strip- vs addslashes
If magic quotes is enabled, then when data is entered via forms any
quotes are automatically quoted with backslashes. That is why most
people use the stripslashes() function. What you should be using on
data that is to be inserted into your database is the function
mysql_real_escape_string(). This function not only escapes quotes but
other characters that could cause problems. See the manual page for
more information. <http://www.php.net/mysql_real_escape_string>
- Iván Sánchez Ortega
April 22, 2006, 10:14 pm
Re: strip- vs addslashes
Cruella DeVille wrote:
I recommend not to use addslashes to escape DB queries - please use specific
functions to do that job (such as mysql_real_escape() or pg_escape_string()).
The reason for this? Different DB engines may have different quoting
conventions. If you read the MySQL and PostgreSQL manuals thoroughly,
you'll see that the SQL standard is to escape single quotes by doubling
them (a single quote becomes two single quotes, not a double quote).
A backslash-and-single quote may not be recognized by a particular SQL
engine. So, avoid using addslashes() if possible, and read the
documentation of the DB engine you're using.
Yep, magic quotes may turn data entered by the user into a gibberish of
\'. That's why people often stripslashes() the input data.
You can safely disable gpc_magic_quotes, or even stripslashes() the input
data. But only if you do check the input data, and escape it before
inputting it to the DB, eval()ing it, or doing any other potentially dangerous
stuff with it.
I repeat: never ever trust the user input. Always double-check that your
code escapes, checks, or cleans it. Every bit of it.
Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net
Fear leads to anger.
Anger leads to hate.
Hate leads to using Windows NT for mission-critical applications.
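The point made above about engine-specific quoting conventions is easy to see with an engine that follows the SQL standard. The script below is an added example, not code from this thread or from either poster; it uses SQLite (which, unlike MySQL, gives a backslash no special meaning inside a string literal) and a constructed users table to run the same login query four ways: unescaped, with a Python port of PHP's addslashes(), with SQL-standard quote doubling, and with a parameterized query. The table contents, the injection payload and the function names are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example; not from the thread.
USERS = [("siv", "hunter2"), ("admin", "s3cret"), ("O'Brien", "pw")]


def make_db():
    """In-memory SQLite database with a small users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def addslashes(s):
    """Port of PHP's addslashes(): backslash before ', ", \\ and NUL.
    This is MySQL-style escaping; SQLite does not understand it."""
    return (s.replace("\\", "\\\\")
             .replace("'", "\\'")
             .replace('"', '\\"')
             .replace("\0", "\\0"))


def sql_quote(s):
    """SQL-standard string literal: double every single quote."""
    return "'" + s.replace("'", "''") + "'"


def login_unescaped(conn, username, password):
    """The vulnerable form: raw input concatenated into the query."""
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return [r[0] for r in conn.execute(sql)]


def login_addslashes(conn, username, password):
    """addslashes() applied to input, then concatenated. Under SQLite the
    backslash is just an ordinary character, so the statement no longer
    parses; None signals that the engine rejected the query outright."""
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{addslashes(username)}' "
           f"AND password = '{addslashes(password)}'")
    try:
        return [r[0] for r in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None


def login_doubled(conn, username, password):
    """Escaping by the SQL-standard convention: the quote is doubled, so the
    whole input stays inside one literal."""
    sql = (f"SELECT username FROM users "
           f"WHERE username = {sql_quote(username)} "
           f"AND password = {sql_quote(password)}")
    return [r[0] for r in conn.execute(sql)]


def login_param(conn, username, password):
    """Parameter binding: the driver never splices input into SQL text, so
    no escaping convention has to be guessed at all."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [r[0] for r in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    conn = make_db()
    payload = "siv' OR '1'='1"   # constructed injection payload
    variants = [("unescaped", login_unescaped), ("addslashes", login_addslashes),
                ("doubled", login_doubled), ("parameterized", login_param)]
    for name, fn in variants:
        attacked = fn(conn, payload, "wrong")
        legit = fn(conn, "O'Brien", "pw")
        print(f"{name:14} payload -> {attacked!r}   O'Brien/pw -> {legit!r}")
```

Run it and the unescaped query lets the payload log in as siv with a wrong password; the addslashes() version is rejected by SQLite with a syntax error, and it rejects the legitimate user O'Brien for the same reason; quote doubling and parameter binding both refuse the payload and accept O'Brien. MySQL does honour backslash escapes, which is why addslashes() appears to work there, but mysql_real_escape_string() exists because correct escaping also depends on the connection's character set. Two facts worth knowing when reading code of this vintage: magic_quotes_gpc was removed in PHP 5.4 and the mysql_* extension in PHP 7.0; the present-day equivalent of login_param() in PHP is a PDO or mysqli prepared statement.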