combining stripslashes with mysql_real_escape_string

Posted: Wed May 26, 2010 11:01 am
by gurjit
hi

is there anything wrong with combining stripslashes with mysql_real_escape_string when inserting data?

so my query would be

// build the INSERT in PHP; the two calls run on each value before it is placed in the query
$sql = "insert into tbl_abc (f1,f2)
values ('" . stripslashes(mysql_real_escape_string($var1)) . "','" . stripslashes(mysql_real_escape_string($var2)) . "')";

I am doing this to avoid mysql injections - will stripslashes make me vulnerable? I have added this format to all my inserts, the data is going into the database fine - but my question is whether the stripslashes and mysql_real_escape_string in one will cause problems?

In my php.ini
magic_quotes_gpc on
magic_quotes_runtime off

if I don't include 'stripslashes' then backslashes are added for single and double quotes

Re: combining stripslashes with mysql_real_escape_string

Posted: Wed May 26, 2010 11:11 am
by pickle
It's dangerous to always run stripslashes() - not so much for database injection, but because the string might legitimately have a backslash. Also, what happens if the environment your code runs in suddenly has the magic_quotes_gpc directive turned off?

I use the get_magic_quotes_gpc() function:

$var1 = (get_magic_quotes_gpc()) ? stripslashes($var1) : $var1;
$var1 = mysql_real_escape_string($var1);

This way, only slashes that were added by the magic_quotes_gpc directive get removed, and legitimate slashes stay.

Re: combining stripslashes with mysql_real_escape_string

Posted: Wed May 26, 2010 11:49 am
by gurjit
Thanks

1. will it still prevent mysql injections?
2. combining like 'stripslashes(mysql_real_escape_string($var1))' is not a problem - except all backslashes will be prevented?

Re: combining stripslashes with mysql_real_escape_string

Posted: Wed May 26, 2010 11:53 am
by pickle
1. It should prevent sql injections. I'm not going to go on record as definitively saying it will.
2. Yes, even backslashes users have entered.

Re: combining stripslashes with mysql_real_escape_string

Posted: Wed May 26, 2010 11:57 am
by gurjit
What would you suggest for making the 'should' into a 'definite' for mysql injections?

Re: combining stripslashes with mysql_real_escape_string

Posted: Wed May 26, 2010 12:00 pm
by gurjit
this is what somebody tried to pass through as an injection

'declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527 exec(@q)'

I believe it was an attempt to see if we were vulnerable - however I would like to prevent this person running anything again

Re: combining stripslashes with mysql_real_escape_string

Posted: Wed May 26, 2010 12:05 pm
by pickle
If I were in your position, I would use the code I wrote - only conditionally stripping slashes. I hesitate to say anything definite when it comes to security, but I would have no problems using my code in a production environment.

Re: combining stripslashes with mysql_real_escape_string

Posted: Wed May 26, 2010 1:14 pm
by flying_circus
pickle wrote: If I were in your position, I would use the code I wrote
I would too.

Another alternative is to use prepared statements.
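The prepared-statement alternative mentioned above, as an added example (not code from the thread or from any project): the original poster's INSERT into tbl_abc (f1, f2) rewritten with mysqli. The host, user, password, database and the POST field names are placeholders. The old mysql_* extension used in the thread has no prepared statements and was removed in PHP 7; get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists guard.

```php
<?php
// Added example, not from the thread: INSERT via a mysqli prepared statement.
// With a prepared statement the values never become part of the SQL text, so
// neither mysql_real_escape_string() nor stripslashes() plays any role in
// protecting the query. The only cleanup still needed is undoing
// magic_quotes_gpc, which would otherwise store literal backslashes in the table.

// get_magic_quotes_gpc() no longer exists in PHP 8, so guard the call.
function undo_magic_quotes($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Inserts one row and returns the number of affected rows.
function insert_abc(mysqli $db, $var1, $var2) {
    $stmt = $db->prepare('INSERT INTO tbl_abc (f1, f2) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $var1, $var2);   // both values bound as strings
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Placeholder connection details (assumed, replace with your own).
$db = new mysqli('myhost', 'myuser', 'mypassword', 'mydb');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}

// Assumed form field names 'var1' and 'var2'.
$var1 = undo_magic_quotes(isset($_POST['var1']) ? $_POST['var1'] : '');
$var2 = undo_magic_quotes(isset($_POST['var2']) ? $_POST['var2'] : '');

// A value such as the probe string quoted earlier in the thread is stored
// verbatim as text; it is never parsed as part of the statement.
echo insert_abc($db, $var1, $var2), " row(s) inserted\n";
```

Because the query text is fixed at prepare() time and the values travel separately, the ordering question that the thread is about (escape first or strip first) does not arise; only the magic-quotes cleanup remains, and it is applied once, before binding.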

Re: combining stripslashes with mysql_real_escape_string

Posted: Thu May 27, 2010 3:10 am
by gurjit
so what you're trying to say is,

- the statements combined pose a threat?

I have full access to the server and can ensure magic quotes will stay on.

My question really is whether combining as 'stripslashes(mysql_real_escape_string($var1))' can allow the hacker to add something to the string to over come the effect of mysql injections on mysql_real_escape_string.

Also I tried entering backslashes manually into a form, and then inserting into the database. The backslashes went in fine.

Re: combining stripslashes with mysql_real_escape_string

Posted: Thu May 27, 2010 9:47 am
by flying_circus
gurjit wrote: My question really is whether combining as 'stripslashes(mysql_real_escape_string($var1))' can allow the hacker to add something to the string to over come the effect of mysql injections on mysql_real_escape_string.
It's not that the hacker can add something to a string, it's that you can run into a scenario where you unintentionally unescape what you've just escaped. mysql_real_escape_string adds slashes to a string to escape certain characters that have meaning to the sql parser, stripslashes just removes the escaping.

Consider the following:

<?php
  # DB
    $db = new mysqli('myhost', 'myuser', 'mypassword', 'mydb');
  
  # Good
    $val = mysqli_real_escape_string($db, "jake O' OR 1='1"); // jake O\' OR 1=\'1
    $querystring = "SELECT `profile` FROM `blog` WHERE `id`='$val';";
    /* SELECT `profile` FROM `blog` WHERE `id`='jake O\' OR 1=\'1'; */
  
  
  # Very Bad
    $val = stripslashes(mysqli_real_escape_string($db, "jake O' OR 1='1")); // jake O' OR 1='1
    $querystring = "SELECT `profile` FROM `blog` WHERE `id`='$val';";
    /* SELECT `profile` FROM `blog` WHERE `id`='jake O' OR 1='1'; */
?>
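An added example (not code from the thread) that traces both orderings discussed in this thread, pickle's strip-if-magic-quotes-then-escape and the original poster's escape-then-strip, with magic_quotes_gpc simulated both on and off, and on more inputs than the single quote probe above: a value with a backslash and a value with a newline. mysql_escape_standin() is a hypothetical stand-in for mysql_real_escape_string() that applies the same character map that function uses on single-byte and UTF-8 connections; the real function is connection-charset-aware, which is why it needs a live connection and why the stand-in is for tracing only. magic_quotes_gpc is simulated with addslashes(), which is what the directive applied to request data.

```php
<?php
// Added example, not from the thread: trace what each escaping order does to
// a request value, with and without magic_quotes_gpc.

// Hypothetical stand-in for mysql_real_escape_string(): same character map
// (NUL, \n, \r, \, ', ", \x1a) on single-byte/UTF-8 connections, but with no
// charset awareness. Do not use this in place of the real function.
function mysql_escape_standin($s) {
    return strtr($s, array(
        "\x00" => '\\0', "\n" => '\\n', "\r" => '\\r', "\\" => '\\\\',
        "'"    => "\\'", '"'  => '\\"', "\x1a" => '\\Z',
    ));
}

// magic_quotes_gpc applied addslashes() to every GET/POST/COOKIE value.
function request_value($raw, $magic_quotes_on) {
    return $magic_quotes_on ? addslashes($raw) : $raw;
}

// The original poster's order: escape first, then strip.
function escape_then_strip($value) {
    return stripslashes(mysql_escape_standin($value));
}

// pickle's order: undo magic quotes only when they are on, then escape.
function strip_if_magic_then_escape($value, $magic_quotes_on) {
    if ($magic_quotes_on) {
        $value = stripslashes($value);
    }
    return mysql_escape_standin($value);
}

// True if the literal still contains a single quote not preceded by an
// escaping backslash, i.e. one the SQL parser would read as the end of the
// string. Tracks escape state so that a sequence like \\' is judged correctly.
function has_unescaped_quote($literal) {
    $escaped = false;
    for ($i = 0, $n = strlen($literal); $i < $n; $i++) {
        $c = $literal[$i];
        if ($escaped) {
            $escaped = false;
        } elseif ($c === "\\") {
            $escaped = true;
        } elseif ($c === "'") {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs: the probe from the thread, a Windows path, and
// a two-line value.
$samples = array(
    "jake O' OR 1='1",
    "C:\\temp",
    "line1\nline2",
);

foreach (array(false, true) as $magic) {
    printf("--- magic_quotes_gpc %s ---\n", $magic ? 'on' : 'off');
    foreach ($samples as $raw) {
        $req = request_value($raw, $magic);
        $a = escape_then_strip($req);
        $b = strip_if_magic_then_escape($req, $magic);
        printf("raw:               %s\n", addcslashes($raw, "\n"));
        printf("escape-then-strip: '%s'  %s\n", $a,
               has_unescaped_quote($a) ? 'BREAKS OUT OF THE LITERAL' : 'ok');
        printf("strip-then-escape: '%s'  %s\n\n", $b,
               has_unescaped_quote($b) ? 'BREAKS OUT OF THE LITERAL' : 'ok');
    }
}
```

Reading the output: with magic_quotes_gpc off, escape-then-strip hands the quote probe back unescaped, exactly as in the "Very Bad" case above. With it on, the quotes survive because addslashes() had already doubled the escaping, but the two extra inputs show that this order still damages data: stripslashes() turns the escaped newline `\n` into a plain `n`, and with magic quotes off the path `C:\temp` is passed through with a lone backslash that MySQL reads as a tab. strip-then-escape yields a correctly escaped literal in every case.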

Re: combining stripslashes with mysql_real_escape_string

Posted: Fri May 28, 2010 9:40 am
by gurjit
I created a form and submitted the value
jake O' OR 1='1

// $val2 holds the submitted form value; $myconnection is the open mysql link
$sql_newins = "insert into test_table (te) values ('".stripslashes(mysql_real_escape_string($val2))."')";
$result_newins = mysql_query($sql_newins, $myconnection);
echo $sql_newins;
//AND THE OUTPUT WAS:
//insert into test_table (te) values ('jake O\' OR 1=\'1 jake O\' OR 1=\'mhjg jh g')