combining stripslashes with mysql_real_escape_string
hi
Is there anything wrong in combining stripslashes with mysql_real_escape_string when inserting data?
So my query would be
insert into tbl_abc (f1,f2)
values ('stripslashes(mysql_real_escape_string($var1))','stripslashes(mysql_real_escape_string($var2))')
I am doing this to avoid MySQL injections - will stripslashes make me vulnerable? I have added this format to all my inserts, and the data is going into the database fine, but my question is whether the stripslashes and mysql_real_escape_string in one will cause problems?
In my php.ini
magic_quotes_gpc on
magic_quotes_runtime off
If I don't include 'stripslashes' then backslashes are added for single and double quotes.
Re: combining stripslashes with mysql_real_escape_string
It's dangerous to always run stripslashes() - not so much for database injection, but because the string might legitimately have a backslash. Also, what happens if the environment your code runs in suddenly has the magic_quotes_gpc directive turned off?
I use the get_magic_quotes_gpc() function:
Code:
// magic_quotes_gpc already backslashed the request value; undo that first
$var1 = (get_magic_quotes_gpc()) ? stripslashes($var1) : $var1;
// then escape exactly once for MySQL
$var1 = mysql_real_escape_string($var1);
This way, only slashes that were added by the magic_quotes_gpc directive get removed, and legitimate slashes stay.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Re: combining stripslashes with mysql_real_escape_string
Thanks
1. Will it still prevent MySQL injections?
2. Combining like 'stripslashes(mysql_real_escape_string($var1))' is not a problem, except all backslashes will be prevented?
Last edited by gurjit on Wed May 26, 2010 11:53 am, edited 1 time in total.
Re: combining stripslashes with mysql_real_escape_string
1. It should prevent sql injections. I'm not going to go on record as definitively saying it will.
2. Yes, even backslashes users have entered.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Re: combining stripslashes with mysql_real_escape_string
What would you suggest for making the 'should' into a 'definite' for MySQL injections?
Re: combining stripslashes with mysql_real_escape_string
this is what somebody tried to pass through as an injection
'declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527 exec(@q)'
I believe it was an attempt to see if we were vulnerable; however, I would like to prevent this person running anything again.
Re: combining stripslashes with mysql_real_escape_string
If I were in your position, I would use the code I wrote - only conditionally stripping slashes. I hesitate to say anything definite when it comes to security, but I would have no problems using my code in a production environment.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: combining stripslashes with mysql_real_escape_string
pickle wrote: If I were in your position, I would use the code I wrote
I would too.
Another alternative is to use prepared statements.
Re: combining stripslashes with mysql_real_escape_string
So what you're trying to say is,
- the statements combined pose a threat?
I have full access to the server and can ensure magic quotes will stay on.
My question really is whether combining as 'stripslashes(mysql_real_escape_string($var1))' can allow the hacker to add something to the string to over come the effect of mysql injections on mysql_real_escape_string.
Also I tried entering backslashes manually into a form, and then inserting into the database. The backslashes went in fine.
- flying_circus
Re: combining stripslashes with mysql_real_escape_string
gurjit wrote: My question really is whether combining as 'stripslashes(mysql_real_escape_string($var1))' can allow the hacker to add something to the string to overcome the effect of mysql injections on mysql_real_escape_string.
It's not that the hacker can add something to a string, it's that you can run into a scenario where you unintentionally unescape what you've just escaped. mysql_real_escape_string adds slashes to a string to escape certain characters that have meaning to the sql parser, stripslashes just removes the escaping.
Consider the following:
Code:
<?php
# DB
$db = new mysqli('myhost', 'myuser', 'mypassword', 'mydb');
# Good
$val = mysqli_real_escape_string($db, "jake O' OR 1='1"); // jake O\' OR 1=\'1
$querystring = "SELECT `profile` FROM `blog` WHERE `id`='$val';";
/* SELECT `profile` FROM `blog` WHERE `id`='jake O\' OR 1=\'1'; */
# Very Bad
$val = stripslashes(mysqli_real_escape_string($db, "jake O' OR 1='1")); // jake O' OR 1='1
$querystring = "SELECT `profile` FROM `blog` WHERE `id`='$val';";
/* SELECT `profile` FROM `blog` WHERE `id`='jake O' OR 1='1'; */
?>
Re: combining stripslashes with mysql_real_escape_string
I created a form and submitted the value
jake O' OR 1='1
Code:
$sql_newins = "insert into test_table (te) values ('".stripslashes(mysql_real_escape_string($val2))."')";
$result_newins = mysql_query($sql_newins, $myconnection);
echo $sql_newins;
//AND THE OUTPUT WAS:
//insert into test_table (te) values ('jake O\' OR 1=\'1 jake O\' OR 1=\'mhjg jh g')
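To make concrete both pickle's conditional stripslashes() code earlier in the thread and the "it went in fine" output in the last post, here is an added Python model; it is not code from the thread or from PHP itself. The three PHP transformations involved (what magic_quotes_gpc=On does to a submitted value, i.e. addslashes(); what mysql_real_escape_string() escapes; what stripslashes() removes) are reimplemented from their documented behaviour, and a small parser reads the resulting single-quoted literal back the way MySQL would, so each INSERT can be checked for whether the value stayed inside its quotes. It runs the original poster's stripslashes(mysql_real_escape_string(...)) and pickle's conditional version under magic_quotes_gpc on and off, and goes beyond the thread's single test input by also feeding a Windows path with a backslash and a value containing a newline. The table name tbl_abc is the original poster's; the function names and sample inputs are constructed for the example.

```python
# Added model (not code from the thread): the PHP string pipeline under discussion.
# The PHP functions are reimplemented from their documented behaviour so this runs
# without PHP or MySQL; tbl_abc is from the original post, sample inputs are constructed.

def php_addslashes(s: str) -> str:
    """What magic_quotes_gpc=On applies to every GET/POST/COOKIE value:
    a backslash before ' " and \\ ; NUL becomes \\0."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


_MYSQL_ESCAPE = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
                 "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

def mysql_real_escape_string(s: str) -> str:
    """The characters mysql_real_escape_string() escapes, per the PHP manual."""
    return "".join(_MYSQL_ESCAPE.get(ch, ch) for ch in s)


def php_stripslashes(s: str) -> str:
    """One level of unquoting: \\x -> x, \\0 -> NUL, a trailing lone backslash is dropped."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            i += 1
            if i < len(s):
                out.append("\x00" if s[i] == "0" else s[i])
        else:
            out.append(s[i])
        i += 1
    return "".join(out)


def op_pipeline(value: str, magic_quotes_gpc: bool) -> str:
    """Original poster: stripslashes(mysql_real_escape_string($var)), regardless of the ini setting."""
    return php_stripslashes(mysql_real_escape_string(value))


def conditional_pipeline(value: str, magic_quotes_gpc: bool) -> str:
    """pickle: strip only the slashes magic quotes added, then escape once."""
    if magic_quotes_gpc:
        value = php_stripslashes(value)
    return mysql_real_escape_string(value)


# MySQL's own backslash sequences inside a string literal.
_MYSQL_UNESCAPE = {"0": "\x00", "n": "\n", "r": "\r", "t": "\t", "b": "\b",
                   "Z": "\x1a", "\\": "\\", "'": "'", '"': '"'}

def parse_literal(sql: str, pos: int):
    """Decode the '...' literal starting at sql[pos] the way the MySQL parser does.
    Returns (decoded value, index just past the closing quote); raises if unterminated."""
    assert sql[pos] == "'"
    buf, i = [], pos + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):
            buf.append(_MYSQL_UNESCAPE.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":   # '' is also an escaped quote
                buf.append("'")
                i += 2
            else:
                return "".join(buf), i + 1
        else:
            buf.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


PREFIX = "insert into tbl_abc (f1) values ("

def stored_value(raw: str, magic_quotes_gpc: bool, pipeline):
    """Submit raw through PHP with the given magic_quotes_gpc setting and pipeline,
    build the INSERT, and return the value MySQL would store.
    Returns None when the input broke out of (or never closed) its quotes: SQL injection."""
    value = php_addslashes(raw) if magic_quotes_gpc else raw
    sql = PREFIX + "'" + pipeline(value, magic_quotes_gpc) + "')"
    try:
        decoded, end = parse_literal(sql, len(PREFIX))
    except ValueError:
        return None
    return decoded if sql[end:] == ")" else None


if __name__ == "__main__":
    for raw in ("jake O' OR 1='1", "C:\\temp", "line1\nline2"):
        for magic in (True, False):
            for name, fn in (("op", op_pipeline), ("conditional", conditional_pipeline)):
                print(f"magic_quotes_gpc={magic!s:5} {name:11} {raw!r:18} -> {stored_value(raw, magic, fn)!r}")
```

Running it shows why the test in the last post looked fine: with magic_quotes_gpc on, mysql_real_escape_string() doubles the backslashes magic quotes already added and stripslashes() then removes exactly one level, so the query that reaches MySQL is correctly escaped by coincidence. With the directive off, the same code sends jake O' OR 1='1 unescaped, turns C:\temp into C:<tab>emp and line1<newline>line2 into line1nline2, while the conditional version stores every input verbatim under both settings.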