combining stripslashes with mysql_real_escape_string
Posted: Wed May 26, 2010 11:01 am
by gurjit
Hi,
Is there anything wrong in combining stripslashes with mysql_real_escape_string when inserting data?
So my query would be:
insert into tbl_abc (f1,f2)
values ('stripslashes(mysql_real_escape_string($var1))','stripslashes(mysql_real_escape_string($var2))')
I am doing this to avoid MySQL injections - will stripslashes make me vulnerable? I have added this format to all my inserts, and the data is going into the database fine - but my question is whether using stripslashes and mysql_real_escape_string together will cause problems?
In my php.ini:
magic_quotes_gpc on
magic_quotes_runtime off
If I don't include 'stripslashes' then backslashes are added for single and double quotes.
Re: combining stripslashes with mysql_real_escape_string
Posted: Wed May 26, 2010 11:11 am
by pickle
It's dangerous to always run stripslashes() - not so much for database injection, but because the string might legitimately have a backslash. Also, what happens if the environment your code runs in suddenly has the magic_quotes_gpc directive turned off?
I use the get_magic_quotes_gpc() function:
$var1 = (get_magic_quotes_gpc()) ? stripslashes($var1) : $var1;
$var1 = mysql_real_escape_string($var1);
This way, only slashes that were added by the magic_quotes_gpc directive get removed, and legitimate slashes stay.
Re: combining stripslashes with mysql_real_escape_string
Posted: Wed May 26, 2010 11:49 am
by gurjit
Thanks.
1. Will it still prevent MySQL injections?
2. Combining like 'stripslashes(mysql_real_escape_string($var1))' is not a problem - except all backslashes will be prevented?
Re: combining stripslashes with mysql_real_escape_string
Posted: Wed May 26, 2010 11:53 am
by pickle
1. It should prevent SQL injections. I'm not going to go on record as definitively saying it will.
2. Yes, even backslashes users have entered.
Re: combining stripslashes with mysql_real_escape_string
Posted: Wed May 26, 2010 11:57 am
by gurjit
What would you suggest for making the 'should' into a 'definite' for MySQL injections?
Re: combining stripslashes with mysql_real_escape_string
Posted: Wed May 26, 2010 12:00 pm
by gurjit
This is what somebody tried to pass through as an injection:
'declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527 exec(@q)'
I believe it was an attempt to see if we were vulnerable - however, I would like to prevent this person running anything again.
Re: combining stripslashes with mysql_real_escape_string
Posted: Wed May 26, 2010 12:05 pm
by pickle
If I were in your position, I would use the code I wrote - only conditionally stripping slashes. I hesitate to say anything definite when it comes to security, but I would have no problems using my code in a production environment.
Re: combining stripslashes with mysql_real_escape_string
Posted: Wed May 26, 2010 1:14 pm
by flying_circus
pickle wrote: If I were in your position, I would use the code I wrote
I would too.
Another alternative is to use prepared statements.
Re: combining stripslashes with mysql_real_escape_string
Posted: Thu May 27, 2010 3:10 am
by gurjit
So what you're trying to say is:
- the statements combined impose a threat?
I have full access to the server and can ensure magic quotes will stay on.
My question really is whether combining as 'stripslashes(mysql_real_escape_string($var1))' can allow the hacker to add something to the string to overcome the effect of mysql_real_escape_string on MySQL injections.
Also I tried entering backslashes manually into a form, and then inserting into the database. The backslashes went in fine.
Re: combining stripslashes with mysql_real_escape_string
Posted: Thu May 27, 2010 9:47 am
by flying_circus
gurjit wrote: My question really is whether combining as 'stripslashes(mysql_real_escape_string($var1))' can allow the hacker to add something to the string to overcome the effect of mysql_real_escape_string on MySQL injections.
It's not that the hacker can add something to a string, it's that you can run into a scenario where you unintentionally unescape what you've just escaped. mysql_real_escape_string adds slashes to a string to escape certain characters that have meaning to the SQL parser; stripslashes just removes the escaping.
Consider the following:
<?php
# DB
$db = new mysqli('myhost', 'myuser', 'mypassword', 'mydb');
# Good
$val = mysqli_real_escape_string($db, "jake O' OR 1='1"); // jake O\' OR 1=\'1
$querystring = "SELECT `profile` FROM `blog` WHERE `id`='$val';";
/* SELECT `profile` FROM `blog` WHERE `id`='jake O\' OR 1=\'1'; */
# Very Bad
$val = stripslashes(mysqli_real_escape_string($db, "jake O' OR 1='1")); // jake O' OR 1='1
$querystring = "SELECT `profile` FROM `blog` WHERE `id`='$val';";
/* SELECT `profile` FROM `blog` WHERE `id`='jake O' OR 1='1'; */
?>
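Added example, not code from the thread or from any of the posters: a Python model of the PHP functions discussed above (mysql_real_escape_string, the addslashes that magic_quotes_gpc applies, and stripslashes), a small MySQL-style string-literal scanner to show which part of the statement the parser treats as SQL and which as data, and a parameterised query on an in-memory SQLite database standing in for the prepared statements flying_circus mentioned. The scanner, the table and the sample rows are constructed for this example, and the escaping model ignores the connection charset that the real mysql_real_escape_string takes into account.

```python
import re
import sqlite3

# Added example (not code from the thread): a Python model of the PHP functions
# under discussion. It shows why stripslashes(mysql_real_escape_string($x)) undoes
# the escaping, why magic_quotes_gpc=On double-escapes unless its slashes are
# stripped first, and how a parameterised query keeps the value out of the SQL.

MYSQL_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
                 "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
ADDSLASHES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0"}

def mysql_real_escape_string(s: str) -> str:
    """Model of PHP's mysql_real_escape_string (single-byte connection charset)."""
    return "".join(MYSQL_ESCAPES.get(c, c) for c in s)

def magic_quotes_gpc(s: str) -> str:
    """Model of what magic_quotes_gpc=On (addslashes) does to every request value."""
    return "".join(ADDSLASHES.get(c, c) for c in s)

def stripslashes(s: str) -> str:
    """Model of PHP's stripslashes: drop every backslash, keep the character after it."""
    return re.sub(r"\\(.|$)", r"\1", s, flags=re.S)

def split_literals(sql: str):
    """Split a statement the way MySQL's parser does: single-quoted literals (with
    backslash escapes and doubled quotes) versus everything else. Escapes are only
    unwrapped far enough to locate the literal boundaries (constructed scanner)."""
    parts, code, i, n = [], [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            code.append(sql[i])
            i += 1
            continue
        if code:
            parts.append(("code", "".join(code)))
            code = []
        i += 1
        lit = []
        while i < n:
            if sql[i] == "\\" and i + 1 < n:                          # \x escapes next char
                lit.append(sql[i + 1])
                i += 2
            elif sql[i] == "'" and i + 1 < n and sql[i + 1] == "'":  # '' is a literal quote
                lit.append("'")
                i += 2
            elif sql[i] == "'":                                       # closing quote
                i += 1
                break
            else:
                lit.append(sql[i])
                i += 1
        else:
            raise ValueError("unterminated string literal")
        parts.append(("str", "".join(lit)))
    if code:
        parts.append(("code", "".join(code)))
    return parts

TEMPLATE = "SELECT `profile` FROM `blog` WHERE `id`='{}';"   # the thread's query

def sql_code(query: str) -> str:
    """The text the parser treats as SQL rather than as data."""
    return "".join(t for kind, t in split_literals(query) if kind == "code")

def stored_value(query: str) -> str:
    """What MySQL would actually compare or store: the first literal's contents."""
    return next(t for kind, t in split_literals(query) if kind == "str")

def build_query(value: str, strip_after_escape: bool) -> str:
    """Escape a value into TEMPLATE; strip_after_escape reproduces the 'Very Bad' pattern."""
    v = mysql_real_escape_string(value)
    if strip_after_escape:
        v = stripslashes(v)          # undoes exactly what the previous line did
    return TEMPLATE.format(v)

def value_stays_data(value: str, strip_after_escape: bool) -> bool:
    """True if the user value cannot change the SQL the parser sees."""
    return sql_code(build_query(value, strip_after_escape)) == sql_code(TEMPLATE.format(""))

def handle_request_value(raw: str, magic_quotes_on: bool, conditional_strip: bool) -> str:
    """Request value -> query, with or without pickle's get_magic_quotes_gpc() check."""
    v = magic_quotes_gpc(raw) if magic_quotes_on else raw
    if conditional_strip and magic_quotes_on:
        v = stripslashes(v)          # only undo what magic_quotes added, before escaping
    return TEMPLATE.format(mysql_real_escape_string(v))

def prepared_lookup(value: str) -> list:
    """Parameterised query (flying_circus's alternative) on an in-memory SQLite
    database standing in for MySQL: the value is bound, never spliced into the SQL."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE blog (id TEXT, profile TEXT)")
    con.executemany("INSERT INTO blog VALUES (?, ?)",                # constructed rows
                    [("jake", "p1"), ("jake O' OR 1='1", "p2"), ("ann", "p3")])
    rows = con.execute("SELECT profile FROM blog WHERE id=?", (value,)).fetchall()
    con.close()
    return [r[0] for r in rows]

if __name__ == "__main__":
    payload = "jake O' OR 1='1"
    print(build_query(payload, False), value_stays_data(payload, False))   # True
    print(build_query(payload, True), value_stays_data(payload, True))     # False
    print(stored_value(handle_request_value("O'Reilly", True, False)))     # O\'Reilly
    print(stored_value(handle_request_value("O'Reilly", True, True)))      # O'Reilly
    print(prepared_lookup(payload))                                        # ['p2']
```

Running it shows the three situations in the thread side by side: escaping alone keeps the value inside one literal; escaping followed by stripslashes lets the quote close the literal early; magic_quotes_gpc without the conditional strip stores `O\'Reilly` instead of `O'Reilly`, which is the extra backslash gurjit saw. The parameterised lookup returns only the row whose id is exactly the payload string, because the driver never builds SQL text from it.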
Re: combining stripslashes with mysql_real_escape_string
Posted: Fri May 28, 2010 9:40 am
by gurjit
I created a form and submitted the value:
jake O' OR 1='1
// Build the insert with the escape-then-strip pattern under discussion
$sql_newins = "insert into test_table (te) values ('".stripslashes(mysql_real_escape_string($val2))."')";
$result_newins = mysql_query($sql_newins, $myconnection);
echo $sql_newins;
//AND THE OUTPUT WAS:
//insert into test_table (te) values ('jake O\' OR 1=\'1 jake O\' OR 1=\'mhjg jh g')