PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
Post subject: Fun with addslashes()
PostPosted: Sun Jan 22, 2006 11:47 am
Forum Contributor
Joined: Sun Feb 06, 2005 12:22 pm
Posts: 124

In the past few years, I've listened to many debates about the merits of mysql_real_escape_string() versus addslashes(). A disturbing number of people assert that there is absolutely no difference between the two, and that both are sufficient safeguards against SQL injection in any context.

Although the difference may not matter to you, I decided to write an example of an SQL injection attack that is immune to addslashes():

http://shiflett.org/archive/184

I thought it was a fun example and wanted to share. :-)

Post subject:
PostPosted: Sun Jan 22, 2006 12:14 pm
Forum Regular
Joined: Wed Sep 28, 2005 10:08 am
Posts: 613

Just as a side-note, your blog doesn't validate (69 errors):

http://validator.w3.org/check?uri=http: ... rchive/184

:?

Post subject:
PostPosted: Sun Jan 22, 2006 8:55 pm
DevNet Master
Joined: Mon Sep 19, 2005 6:24 am
Posts: 3587
Location: London

I know it's not just the one guy, but it just occurred to me that it was a little silly for them to post "addslashes() and mysql_real_escape_string() are an equal solution to cleansing data before it's inserted in a database."

When at least some of the difference is highlighted upon reading the PHP manual. :)

All other points aside regarding injection, I'd take the logs as a key point... wouldn't want some script kiddy messing about with the format of my reports now ;)
