combining stripslashes with mysql_real_escape_string

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

gurjit
Forum Contributor
Posts: 314
Joined: Thu May 15, 2003 11:53 am
Location: UK

combining stripslashes with mysql_real_escape_string

Post by gurjit »

hi

Is there anything wrong with combining stripslashes with mysql_real_escape_string when inserting data?

so my query would be

insert into tbl_abc (f1,f2)
values ('stripslashes(mysql_real_escape_string($var1))','stripslashes(mysql_real_escape_string($var2))')

I am doing this to avoid mysql injections - will stripslashes make me vulnerable? I have added this format to all my inserts, and the data is going into the database fine - but my question is whether stripslashes and mysql_real_escape_string in one will cause problems?

In my php.ini
magic_quotes_gpc on
magic_quotes_runtime off

If I don't include 'stripslashes', then backslashes are added for single and double quotes.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: combining stripslashes with mysql_real_escape_string

Post by pickle »

It's dangerous to always run stripslashes() - not so much for database injection, but because the string might legitimately have a backslash. Also, what happens if the environment your code runs in suddenly has the magic_quotes_gpc directive turned off?

I use the get_magic_quotes_gpc() function:

Code:

$var1 = (get_magic_quotes_gpc()) ? stripslashes($var1) : $var1;
$var1 = mysql_real_escape_string($var1);

This way, only slashes that were added by the magic_quotes_gpc directive get removed, and legitimate slashes stay.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
gurjit
Forum Contributor
Posts: 314
Joined: Thu May 15, 2003 11:53 am
Location: UK

Re: combining stripslashes with mysql_real_escape_string

Post by gurjit »

Thanks

1. will it still prevent mysql injections?
2. Combining like 'stripslashes(mysql_real_escape_string($var1))' is not a problem - except that all backslashes will be prevented?
Last edited by gurjit on Wed May 26, 2010 11:53 am, edited 1 time in total.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: combining stripslashes with mysql_real_escape_string

Post by pickle »

1. It should prevent sql injections. I'm not going to go on record as definitively saying it will.
2. Yes, even backslashes users have entered.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
gurjit
Forum Contributor
Posts: 314
Joined: Thu May 15, 2003 11:53 am
Location: UK

Re: combining stripslashes with mysql_real_escape_string

Post by gurjit »

What would you suggest for making the 'should' into a 'definite' for mysql injections?
gurjit
Forum Contributor
Posts: 314
Joined: Thu May 15, 2003 11:53 am
Location: UK

Re: combining stripslashes with mysql_real_escape_string

Post by gurjit »

This is what somebody tried to pass through as an injection:

'declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527 exec(@q)'

I believe it was an attempt to see if we were vulnerable - however, I would like to prevent this person from running anything again.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: combining stripslashes with mysql_real_escape_string

Post by pickle »

If I were in your position, I would use the code I wrote - only conditionally stripping slashes. I hesitate to say anything definite when it comes to security, but I would have no problems using my code in a production environment.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: combining stripslashes with mysql_real_escape_string

Post by flying_circus »

pickle wrote: If I were in your position, I would use the code I wrote
I would too.

Another alternative is to use prepared statements.
gurjit
Forum Contributor
Posts: 314
Joined: Thu May 15, 2003 11:53 am
Location: UK

Re: combining stripslashes with mysql_real_escape_string

Post by gurjit »

So what you're trying to say is that the statements combined pose a threat?

I have full access to the server and can ensure magic quotes will stay on.

My question really is whether combining as 'stripslashes(mysql_real_escape_string($var1))' can allow the hacker to add something to the string to overcome the effect of mysql_real_escape_string against mysql injections.

Also I tried entering backslashes manually into a form, and then inserting into the database. The backslashes went in fine.
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: combining stripslashes with mysql_real_escape_string

Post by flying_circus »

gurjit wrote: My question really is whether combining as 'stripslashes(mysql_real_escape_string($var1))' can allow the hacker to add something to the string to overcome the effect of mysql injections on mysql_real_escape_string.
It's not that the hacker can add something to a string, it's that you can run into a scenario where you unintentionally unescape what you've just escaped. mysql_real_escape_string adds slashes to a string to escape certain characters that have meaning to the sql parser, stripslashes just removes the escaping.

Consider the following:

Code:

<?php
  # DB
    $db = new mysqli('myhost', 'myuser', 'mypassword', 'mydb');
  
  # Good
    $val = mysqli_real_escape_string($db, "jake O' OR 1='1"); // jake O\' OR 1=\'1
    $querystring = "SELECT `profile` FROM `blog` WHERE `id`='$val';";
    /* SELECT `profile` FROM `blog` WHERE `id`='jake O\' OR 1=\'1'; */
  
  
  # Very Bad
    $val = stripslashes(mysqli_real_escape_string($db, "jake O' OR 1='1")); // jake O' OR 1='1
    $querystring = "SELECT `profile` FROM `blog` WHERE `id`='$val';";
    /* SELECT `profile` FROM `blog` WHERE `id`='jake O' OR 1='1'; */
?>
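The round trip flying_circus describes, together with pickle's conditional stripslashes and the prepared-statement alternative, can be shown without a live MySQL server. The following is an added example, not code from anyone in this thread: `escape_like_mysql` is a stand-in that backslash-escapes the same quote and backslash characters mysql_real_escape_string handles (the real function is also charset-aware), `simulate_magic_quotes` reproduces what magic_quotes_gpc=On does to form input, and the prepared statement runs against in-memory SQLite through PDO (assumes the pdo_sqlite extension). All function and variable names are this example's own.

```php
<?php
// Added example: stand-in for mysql_real_escape_string(). It backslash-escapes the
// characters MySQL treats specially inside a quoted string literal; enough to show
// the ordering problem, not a replacement for the real charset-aware function.
function escape_like_mysql(string $s): string {
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// What magic_quotes_gpc=On would have done to a $_GET/$_POST value before the
// script ever saw it (simulated here; the directive is not touched).
function simulate_magic_quotes(string $raw): string {
    return addslashes($raw);
}

// pickle's approach: undo magic quotes only if they were applied, then escape once.
function escape_input(string $gpc_value, bool $magic_quotes_on): string {
    $clean = $magic_quotes_on ? stripslashes($gpc_value) : $gpc_value;
    return escape_like_mysql($clean);
}

// The order gurjit asked about: escape first, then strip. stripslashes() removes
// exactly the backslashes the escape step just added, so the quote is live again.
function escape_then_strip(string $raw): string {
    return stripslashes(escape_like_mysql($raw));
}

// Constructed input, the same value used earlier in the thread.
$raw = "jake O' OR 1='1";
$gpc = simulate_magic_quotes($raw);   // jake O\' OR 1=\'1, as PHP would hand it over

printf("right order : %s\n", escape_input($gpc, true));  // jake O\' OR 1=\'1
printf("wrong order : %s\n", escape_then_strip($raw));    // jake O' OR 1='1 (escaping undone)

// A backslash the user typed on purpose survives the conditional strip ...
$path = 'C:\temp';   // single-quoted, so this is a literal backslash
printf("user backslash, conditional strip  : %s\n",
       escape_input(simulate_magic_quotes($path), true)); // C:\\temp (MySQL stores C:\temp)
// ... but an unconditional stripslashes() on a value that was never slashed eats it.
printf("user backslash, unconditional strip: %s\n", stripslashes($path)); // C:temp

// Prepared statement: no escaping step at all. The value is bound as data and
// never passes through the SQL parser as part of the statement text.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE test_table (te TEXT)');
$stmt = $pdo->prepare('INSERT INTO test_table (te) VALUES (:te)');
$stmt->execute([':te' => $raw]);
$stored = $pdo->query('SELECT te FROM test_table')->fetchColumn();
printf("stored via prepared statement: %s\n", $stored);   // jake O' OR 1='1, as one row of data
```

Run it from the command line with `php example.php`. The "wrong order" line is the whole of the problem: after stripslashes() the quote is back, and the string interpolated into the query text is no longer escaped. The prepared-statement path sidesteps the question entirely, which is why it is the usual recommendation over any escape-then-fix-up scheme.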
gurjit
Forum Contributor
Posts: 314
Joined: Thu May 15, 2003 11:53 am
Location: UK

Re: combining stripslashes with mysql_real_escape_string

Post by gurjit »

I created a form and submitted the value
jake O' OR 1='1

Code:

// escape, then strip the slashes back off, then interpolate into the query text
$sql_newins = "insert into test_table (te) values ('".stripslashes(mysql_real_escape_string($val2))."')";
$result_newins = mysql_query($sql_newins, $myconnection);
echo $sql_newins;
//AND THE OUTPUT WAS:
//insert into test_table (te) values ('jake O\' OR 1=\'1 jake O\' OR 1=\'mhjg jh g') 