
addslashes and strip_tags

Posted: Tue Jan 13, 2009 8:35 am
by ernest1a
I am looking at a login tutorial and I am wondering about all those protect functions.
function protect($string){
    $string = mysql_real_escape_string($string);
    $string = strip_tags($string);
    $string = addslashes($string);
    return $string;   // closing of the function as it appears in the tutorial
}

Isn't it enough, in the case of $username, to just add cases in which the user cannot complete registration and needs to re-enter the incorrect data before it is added into the database? For example, if the following is included then it is not necessary to include the protect function for $username and $password, right?:
if(!ctype_alnum($username)){
    $errors[] = "Username can only contain numbers and letters!";
}

When we add this case, the user cannot put anything into the database if the data is not correct, so why would we need to protect anything again?

Isn't it necessary almost every time to also add a case in which the user cannot complete registration if the data is not correct? If we didn't put that case in, then the user would complete registration, but when he/she tries to log in, he/she won't be able to because his/her $username was changed by the protect function. Am I right?

Re: addslashes and strip_tags

Posted: Tue Jan 13, 2009 8:42 am
by blue-printf
The need for mysql_real_escape_string() is just to escape special chars for the MySQL query string, so it won't break the query string (SELECT * FROM somewhere WHERE 'user'name). addslashes doesn't escape all special chars for MySQL, so you should just use mysql_real.... for escaping special chars in a query string.

If you allow all chars in a username then there's no problem as long as you use mysql_real... to escape the string.

I use a class for my database access. In this class I have a method which automatically real-escapes the query string (the variables). This makes it easier in the main script, so it won't clutter up with big escaping functions.

But if you want to limit the usable chars in a username you'll have to check for wrong chars. But that doesn't really have anything to do with MySQL escaping. If you want to limit the chars in a username you should do this while registering, and tell the user he can't use the given chars. This is not something you should check every time you're going to check if a username is in your db.

A db class would be very useful for your entire project. This is part of a method in my db class. This escapes the query I want to perform:

Code:

// The enclosing method name is assumed; the post shows only the body of the method.
function query($query)
{
    if( func_num_args() > 1)
    {
        $replacevals = func_get_args();
        array_shift($replacevals);  // remove query string from array.

        // apply the real escape function to all elements
        $replacevals = array_map( 'mysql_real_escape_string' , $replacevals);

        // build query (placeholders in $query must be written as quoted '%s')
        $query = vsprintf($query , $replacevals);
    }
    return $query;
}
It's just part of the method, but it shows how you can automate the real escaping, so you don't have to worry about it in the rest of your project.

Re: addslashes and strip_tags

Posted: Tue Jan 13, 2009 9:30 am
by ernest1a
Thank you for your post, but I asked a different question. My question was: what if we use first
if(!ctype_alnum($username)){
    $errors[] = "Username can only contain numbers and letters!";
}

Re: addslashes and strip_tags

Posted: Tue Jan 13, 2009 9:42 am
by blue-printf
I get your question.

If you check the username on register, you CAN check for possible invalid data, but to make your code more adaptable, for instance if you want to change the code in the future, you shouldn't rely on code that checked (past tense, because it isn't still doing this!) a username.
It's better to do a general check in places you know have a safety issue, like your database. If you real-escape your database input it can't break your input. So if you change your policy about usernames you don't have a safety issue, which you might have if you just rely on the fact that you once checked the username for bad input.

Of course it's a good idea to limit the available chars in a username. But don't use it as a safety check.

For safety you should use abstraction layers like a database layer (for instance a database class as I mentioned, which takes care of the safety of your database queries, even when you take a different policy about, for instance, user names).

Hope you get what I mean. (And I hope I get what you meant.)
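Putting blue-printf's two points together (a registration-time check like ernest1a's ctype_alnum test, which decides the username policy, and a database layer that escapes centrally no matter what that policy is), here is an added example; it is not code from this thread or from anyone's db class. It is written against an in-memory SQLite database through PDO so it runs without a MySQL server: PDO::quote() stands in for mysql_real_escape_string() (the mysql_* functions no longer exist in PHP 7 and later), the sample row is constructed, and the names Db, queryEscaped, queryPrepared and validateUsername are assumptions made here.

```php
<?php
// Added example for this thread, not code posted by blue-printf or ernest1a.
// Assumptions: in-memory SQLite through PDO instead of a MySQL server,
// PDO::quote() in place of mysql_real_escape_string(), and invented names
// (Db, queryEscaped, queryPrepared, validateUsername).

class Db
{
    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    // The thread's pattern: escape every extra argument centrally, then build
    // the SQL text with vsprintf. PDO::quote() returns the value already
    // wrapped in single quotes, so the template uses a bare %s for each value.
    public function queryEscaped(string $template, string ...$values): array
    {
        $quoted = array_map(fn(string $v) => $this->pdo->quote($v), $values);
        $sql = vsprintf($template, $quoted);
        return $this->pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    }

    // The stronger form of the same idea: a prepared statement hands the
    // values to the driver separately from the SQL, so there is no escaping
    // call that can be forgotten.
    public function queryPrepared(string $sql, array $params): array
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Registration-time policy check from the original post: letters and digits
// only. It decides which usernames the site accepts; it is not what keeps the
// login query intact, because the policy may change later.
function validateUsername(string $username, array &$errors): bool
{
    if ($username === '' || !ctype_alnum($username)) {
        $errors[] = "Username can only contain numbers and letters!";
        return false;
    }
    return true;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)");
// Constructed sample row; the hash column holds a placeholder, not a real hash.
$pdo->exec("INSERT INTO users VALUES ('alice', 'HASH_PLACEHOLDER')");
$db = new Db($pdo);

// 1. Policy check at registration: the quote in o'brien is rejected up front.
$errors = [];
foreach (["alice", "o'brien"] as $candidate) {
    $ok = validateUsername($candidate, $errors);
    printf("validate %-8s -> %s\n", $candidate, $ok ? 'accepted' : 'rejected');
}
print_r($errors);

// 2. The login lookup must not depend on step 1. With the escaping layer, a
//    username containing a quote matches no row instead of producing a
//    broken query; the prepared form gives the same result with no escaping
//    call in the calling code at all.
foreach (["alice", "o'brien"] as $login) {
    $rows = $db->queryEscaped("SELECT username FROM users WHERE username = %s", $login);
    printf("escaped  lookup %-8s -> %d row(s)\n", $login, count($rows));

    $rows = $db->queryPrepared("SELECT username FROM users WHERE username = ?", [$login]);
    printf("prepared lookup %-8s -> %d row(s)\n", $login, count($rows));
}
```

Run it with php from the command line. One difference from the thread's helper matters: PDO::quote() adds the surrounding quotes itself, while mysql_real_escape_string() did not, so with the original vsprintf method every placeholder has to be written as '%s' in quotes. An escaped value dropped into an unquoted placeholder is not protected, and that is the gap the prepared-statement method closes.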

Re: addslashes and strip_tags

Posted: Tue Jan 13, 2009 5:29 pm
by josh
You wouldn't need stripslashes if you disabled magic quotes.

Re: addslashes and strip_tags

Posted: Tue Jan 13, 2009 5:55 pm
by Syntac
jshpro2 wrote: You wouldn't need stripslashes if you disabled magic quotes.
Who said anything about stripslashes..?

Re: addslashes and strip_tags

Posted: Tue Jan 13, 2009 6:18 pm
by josh
Uh, the thread title & OP?

Re: addslashes and strip_tags

Posted: Tue Jan 13, 2009 7:24 pm
by Syntac
Well, I just did a page search for "stripslashes" and nothing came up except what you and I just posted, so... ;)

Re: addslashes and strip_tags

Posted: Tue Jan 13, 2009 7:49 pm
by josh
I mis-read the title.