are stripslashes() prodect from sql injection?

[red fox]

hi everyone

8ELECT * FROM example WHERE sd ="stripslashes($_POST['Company_name'])";
in this case are stripslashes() prodect from sql injection

please help

thanks in advanced for your help

regards

red fox

[gesf]

From manual (stripslashes): An example use of stripslashes() is when the PHP directive magic_quotes_gpc is on (it's on by default), and you aren't inserting this data into a place (such as a database) that requires escaping. For example, if you're simply outputting data straight from an HTML form.

So... let's say... nah!

Addslashes, it is a security precaution (when magic_quotes_gpc is off).
You don't need to use it all the time, so you can use this lil' piece of code (from PHPBB).
When magic_quotes_gpc is on, the addslashes() will run on all GET, POST, and COOKIE data, so you don't have to use it.

Code: Select all

<?php

if(!get_magic_quotes_gpc()) {
   if(is_array($_POST)) {
      while(list($k, $v) = each($_POST)) {
         if(is_array($_POST[$k])) {
            while(list($k2, $v2) = each($_POST[$k])) {
               $_POST[$k][$k2] = addslashes($v2);
            }
            @reset($_POST[$k]);
         } else {
            $_POST[$k] = addslashes($v);
         }
      }
      @reset($_POST);
   }
}

?>

You can do the same for $_GET and $_COOKIE arrays too.

[gavin0]

do I need to use stripslashes when magic_quotes_gpc is on? how about trim?

[AeroX]

My Version:

Code: Select all

<?php
if( !function_exists( "get_magic_quotes_gpc" ) || !get_magic_quotes_gpc() )
{
   foreach( Array( $_GET, $_POST, $_COOKIE ) as $_K => &$_V )
   {
      if( is_array( $_V ) )
      {
         foreach( $_V as $k => &$v )
         {
            if( is_array( $v ) )
            {
               foreach( $v as $k2 => &$v2 )
               {
                  $v2 = addslashes( $v2 );
               }
               @reset( $v );
            }
            else
            {
               $v = addslashes( $v );
            }
         }
         @reset( $_V );
      }
   }
}
?>

[AeroX]

No stripslashes() is not protection from SQL injections, if anything it help them by removing automaticly added slashes from the code that they are tring to inject.

addslashes() is some protection from SQL injections, but not total.
You sould also try using the functions provided in the mysql extension for making user data safer.

You should also try to use eather gesf's example or mine to automaticly add slashes to the data to try and make it safer.