strip- vs addslashes

  • Cruella DeVille

    strip- vs addslashes

    I must have some errors in my understanding of strip- vs addslashes.
    I thought that if a user submitted e.g. a username like this:
    username=siv' drop database test; I should addslashes to escape ' and "
    and therefore prohibit the evil user from dropping/changing my database through
    SQL injection (my example may not be correct, but I believe it points
    out that an evil user can add SQL commands through an input field).

    But - I've been reading lots of code lately, and I see that others use
    stripslashes instead of addslashes. And my question is why. What did I
    miss? Has it something to do with gpc_magic_quotes?

    Thanks!

  • Ken Robinson

    #2
    Re: strip- vs addslashes

    Cruella DeVille wrote:
    > I must have some errors in my understanding of strip- vs addslashes.
    > I thought that if a user submitted e.g. a username like this:
    > username=siv' drop database test; I should addslashes to escape ' and "
    > and therefore prohibit the evil user from dropping/changing my database through
    > SQL injection (my example may not be correct, but I believe it points
    > out that an evil user can add SQL commands through an input field).
    >
    > But - I've been reading lots of code lately, and I see that others use
    > stripslashes instead of addslashes. And my question is why. What did I
    > miss? Has it something to do with gpc_magic_quotes?

    If magic quotes is enabled, then when data is entered via forms any
    quotes are automatically escaped with backslashes. That is why most
    people use the stripslashes() function. What you should be using on
    data that is to be inserted into your database is the function
    mysql_real_escape_string(). This function not only escapes quotes but
    other characters that could cause problems. See the manual page for
    more information. <http://www.php.net/mysql_real_escape_string>

    Ken


    • Iván Sánchez Ortega

      #3
      Re: strip- vs addslashes

      Cruella DeVille wrote:
      > I must have some errors in my understanding of strip- vs addslashes.
      > I thought that if a user submitted e.g. a username like this:
      > username=siv' drop database test; I should addslashes to escape ' and "
      > and therefore prohibit the evil user from dropping/changing my database through
      > SQL injection (my example may not be correct, but I believe it points
      > out that an evil user can add SQL commands through an input field).

      I recommend not to use addslashes to escape DB queries - please use specific
      functions to do that job (such as mysql_real_escape() or pg_escape_string()
      IIRC).

      The reason for this? Different DB engines may have different quoting
      conventions. If you read the MySQL and PostgreSQL manuals thoroughly,
      you'll see that the SQL standard is to escape single quotes by doubling
      them (a single quote becomes two single quotes, not a double quote).

      A backslash-and-single quote may not be recognized by a particular SQL
      engine. So, avoid using addslashes() if possible, and read the
      documentation of the DB engine you're using.
      > But - I've been reading lots of code lately, and I see that others use
      > stripslashes instead of addslashes. And my question is why. What did I
      > miss? Has it something to do with gpc_magic_quotes?

      Yep, magic quotes may turn data entered by the user into a gibberish of
      \\\\\'. That's why people often stripslashes() the input data.

      You can safely disable gpc_magic_quotes, or even stripslashes() the input
      data. But only if you do check the input data, and escape it before
      inputting it to the DB, eval()ing it, or doing any other potentially dangerous
      stuff with it.

      I repeat: never ever trust the user input. Always double-check that your
      code escapes, checks, or cleans it. Every bit of it.

      --
      ----------------------------------
      Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net

      Fear leads to anger.
      Anger leads to hate.
      Hate leads to using Windows NT for mission-critical applications.

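The script below is an added example, not code from this thread or from PHP's documentation. It shows both points the replies make: undoing magic_quotes_gpc exactly once so that the value you escape is what the user actually typed, and why addslashes() is not a substitute for the database engine's own quoting. It assumes an in-memory SQLite database reached through PDO (SQLite, like PostgreSQL and the SQL standard, escapes a single quote by doubling it and treats a backslash as an ordinary character), a one-column users table, and a constructed malicious username; all of these are assumptions for the demonstration. It goes one step beyond the replies by also showing a parameterised query, where the value never becomes part of the SQL text at all.

```php
<?php
// Added example, not code from the thread. Assumptions: an in-memory SQLite
// database via PDO (SQL-standard quoting: double the single quote, backslash
// is not special), a one-column users table, and a constructed hostile input.

// Undo magic_quotes_gpc exactly once, recursively, so the value we go on to
// escape is what the user typed. The setting was removed in PHP 7.4, so on
// current PHP this is a no-op.
function unmagic($value)
{
    if (is_array($value)) {
        return array_map('unmagic', $value);
    }
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magic ? stripslashes($value) : $value;
}

// Constructed input, in the spirit of the thread's "siv' drop database" case.
$typed = "siv' OR 'a'='a";
// What PHP would have placed in $_POST with magic quotes on; unchanged otherwise.
$fromForm = (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
    ? addslashes($typed) : $typed;
$username = unmagic($fromForm);   // back to what the user typed

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('siv'), ('alice')");

// 1. addslashes(): the literal becomes 'siv\' OR 'a'='a'. An engine that
//    follows the SQL standard sees the backslash as a plain character, so the
//    string ends at the user's quote and the remainder is parsed as SQL.
$sql  = "SELECT name FROM users WHERE name = '" . addslashes($username) . "'";
$rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
printf("addslashes:   %s -> %d row(s)\n", $sql, count($rows));

// 2. The engine's own quoting (PDO::quote here; the thread names
//    mysql_real_escape_string() and pg_escape_string() for the native
//    extensions): the quote is doubled, so the literal stays a literal.
$sql  = "SELECT name FROM users WHERE name = " . $db->quote($username);
$rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
printf("engine quote: %s -> %d row(s)\n", $sql, count($rows));

// 3. A parameterised query: the value is sent separately from the SQL text,
//    so there is no quoting convention to get right in the first place.
$stmt = $db->prepare("SELECT name FROM users WHERE name = ?");
$stmt->execute([$username]);
printf("prepared:     %d row(s)\n", count($stmt->fetchAll(PDO::FETCH_COLUMN)));
```

Run it with `php` and a build that has pdo_sqlite (the default in most distributions). The addslashes() variant matches every row in the table, which is the injection the original poster was worried about, while the engine-quoted and parameterised variants match none, because no user is literally named "siv' OR 'a'='a". On MySQL with its default SQL mode the backslash escape happens to be honoured, which is why addslashes() appears to work there; that is a property of one engine's configuration, not of SQL, and it is exactly the trap the reply above warns about.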