8ELECT * FROM example WHERE sd ="stripslashes($_POST['Company_name'])";
in this case are stripslashes() prodect from sql injection
please help
thanks in advanced for your help
regards
red fox
are stripslashes() prodect from sql injection?
Moderators: macek, egami, gesf
are stripslashes() prodect from sql injection?
hi everyone
8ELECT * FROM example WHERE sd ="stripslashes($_POST['Company_name'])";
in this case are stripslashes() prodect from sql injection
please help
thanks in advanced for your help
regards
red fox
8ELECT * FROM example WHERE sd ="stripslashes($_POST['Company_name'])";
in this case are stripslashes() prodect from sql injection
please help
thanks in advanced for your help
regards
red fox
From manual (stripslashes): An example use of stripslashes() is when the PHP directive magic_quotes_gpc is on (it's on by default), and you aren't inserting this data into a place (such as a database) that requires escaping. For example, if you're simply outputting data straight from an HTML form.
So... let's say... nah!
Addslashes, it is a security precaution (when magic_quotes_gpc is off).
You don't need to use it all the time, so you can use this lil' piece of code (from PHPBB).
When magic_quotes_gpc is on, the addslashes() will run on all GET, POST, and COOKIE data, so you don't have to use it.You can do the same for $_GET and $_COOKIE arrays too.
So... let's say... nah!
Addslashes, it is a security precaution (when magic_quotes_gpc is off).
You don't need to use it all the time, so you can use this lil' piece of code (from PHPBB).
When magic_quotes_gpc is on, the addslashes() will run on all GET, POST, and COOKIE data, so you don't have to use it.
Code: Select all
<?php
if(!get_magic_quotes_gpc()) {
if(is_array($_POST)) {
while(list($k, $v) = each($_POST)) {
if(is_array($_POST[$k])) {
while(list($k2, $v2) = each($_POST[$k])) {
$_POST[$k][$k2] = addslashes($v2);
}
@reset($_POST[$k]);
} else {
$_POST[$k] = addslashes($v);
}
}
@reset($_POST);
}
}
?>Re: are stripslashes() prodect from sql injection?
do I need to use stripslashes when magic_quotes_gpc is on? how about trim?
Re: are stripslashes() prodect from sql injection?
My Version:
Code: Select all
<?php
if( !function_exists( "get_magic_quotes_gpc" ) || !get_magic_quotes_gpc() )
{
foreach( Array( $_GET, $_POST, $_COOKIE ) as $_K => &$_V )
{
if( is_array( $_V ) )
{
foreach( $_V as $k => &$v )
{
if( is_array( $v ) )
{
foreach( $v as $k2 => &$v2 )
{
$v2 = addslashes( $v2 );
}
@reset( $v );
}
else
{
$v = addslashes( $v );
}
}
@reset( $_V );
}
}
}
?>Re: are stripslashes() prodect from sql injection?
No stripslashes() is not protection from SQL injections, if anything it help them by removing automaticly added slashes from the code that they are tring to inject.
addslashes() is some protection from SQL injections, but not total.
You sould also try using the functions provided in the mysql extension for making user data safer.
You should also try to use eather gesf's example or mine to automaticly add slashes to the data to try and make it safer.
addslashes() is some protection from SQL injections, but not total.
You sould also try using the functions provided in the mysql extension for making user data safer.
You should also try to use eather gesf's example or mine to automaticly add slashes to the data to try and make it safer.
Return to “PHP & MySQL Security”
Who is online
Users browsing this forum: No registered users and 0 guests