8ELECT * FROM example WHERE sd ="stripslashes($_POST['Company_name'])";
in this case are stripslashes() prodect from sql injection
please help
thanks in advanced for your help
regards
red fox
are stripslashes() prodect from sql injection?
Moderators: egami, macek, gesf
From manual (stripslashes): An example use of stripslashes() is when the PHP directive magic_quotes_gpc is on (it's on by default), and you aren't inserting this data into a place (such as a database) that requires escaping. For example, if you're simply outputting data straight from an HTML form.
So... let's say... nah!
Addslashes, it is a security precaution (when magic_quotes_gpc is off).
You don't need to use it all the time, so you can use this lil' piece of code (from PHPBB).
When magic_quotes_gpc is on, the addslashes() will run on all GET, POST, and COOKIE data, so you don't have to use it.You can do the same for $_GET and $_COOKIE arrays too.
So... let's say... nah!
Addslashes, it is a security precaution (when magic_quotes_gpc is off).
You don't need to use it all the time, so you can use this lil' piece of code (from PHPBB).
When magic_quotes_gpc is on, the addslashes() will run on all GET, POST, and COOKIE data, so you don't have to use it.
Code: Select all
<?php
if(!get_magic_quotes_gpc()) {
if(is_array($_POST)) {
while(list($k, $v) = each($_POST)) {
if(is_array($_POST[$k])) {
while(list($k2, $v2) = each($_POST[$k])) {
$_POST[$k][$k2] = addslashes($v2);
}
@reset($_POST[$k]);
} else {
$_POST[$k] = addslashes($v);
}
}
@reset($_POST);
}
}
?>Sincerely,
Gonçalo "gesf" Fontoura
Gonçalo "gesf" Fontoura
My Version:
Code: Select all
<?php
if( !function_exists( "get_magic_quotes_gpc" ) || !get_magic_quotes_gpc() )
{
foreach( Array( $_GET, $_POST, $_COOKIE ) as $_K => &$_V )
{
if( is_array( $_V ) )
{
foreach( $_V as $k => &$v )
{
if( is_array( $v ) )
{
foreach( $v as $k2 => &$v2 )
{
$v2 = addslashes( $v2 );
}
@reset( $v );
}
else
{
$v = addslashes( $v );
}
}
@reset( $_V );
}
}
}
?>AeroX.
When posting code to be reviewed please enclose it in the [ code ] [ /code ] tags as it makes it a lot easier for people to read as it correctly formats itself on screen.
When posting code to be reviewed please enclose it in the [ code ] [ /code ] tags as it makes it a lot easier for people to read as it correctly formats itself on screen.
No stripslashes() is not protection from SQL injections, if anything it help them by removing automaticly added slashes from the code that they are tring to inject.
addslashes() is some protection from SQL injections, but not total.
You sould also try using the functions provided in the mysql extension for making user data safer.
You should also try to use eather gesf's example or mine to automaticly add slashes to the data to try and make it safer.
addslashes() is some protection from SQL injections, but not total.
You sould also try using the functions provided in the mysql extension for making user data safer.
You should also try to use eather gesf's example or mine to automaticly add slashes to the data to try and make it safer.
AeroX.
When posting code to be reviewed please enclose it in the [ code ] [ /code ] tags as it makes it a lot easier for people to read as it correctly formats itself on screen.
When posting code to be reviewed please enclose it in the [ code ] [ /code ] tags as it makes it a lot easier for people to read as it correctly formats itself on screen.
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT