
does stripslashes() protect from SQL injection?


Postby red fox » Sat Dec 09, 2006 4:51 am

hi everyone

SELECT * FROM example WHERE sd ="stripslashes($_POST['Company_name'])";
in this case, does stripslashes() protect from SQL injection?

please help

thanks in advance for your help :D

regards

red fox

Postby gesf » Sun Dec 10, 2006 12:29 am

From the manual (stripslashes): An example use of stripslashes() is when the PHP directive magic_quotes_gpc is on (it's on by default), and you aren't inserting this data into a place (such as a database) that requires escaping. For example, if you're simply outputting data straight from an HTML form.

So... let's say... nah!

addslashes() is a security precaution (when magic_quotes_gpc is off).
You don't need to use it all the time, so you can use this lil' piece of code (from phpBB).
When magic_quotes_gpc is on, addslashes() will run on all GET, POST, and COOKIE data, so you don't have to use it.
Code:
<?php

// Only add slashes ourselves when magic_quotes_gpc has not already done it.
if (!get_magic_quotes_gpc()) {
   if (is_array($_POST)) {
      foreach ($_POST as $k => $v) {
         if (is_array($v)) {
            // One level of nesting, e.g. inputs named field[]
            foreach ($v as $k2 => $v2) {
               $_POST[$k][$k2] = addslashes($v2);
            }
         } else {
            $_POST[$k] = addslashes($v);
         }
      }
   }
}

?>
You can do the same for $_GET and $_COOKIE arrays too.

Re: does stripslashes() protect from SQL injection?

Postby gavin0 » Wed Jul 23, 2008 11:13 pm

Do I need to use stripslashes() when magic_quotes_gpc is on? How about trim()?

Re: does stripslashes() protect from SQL injection?

Postby AeroX » Thu Jul 24, 2008 1:53 am

My Version:
Code:
<?php
// Escape GET, POST and COOKIE data when magic quotes are off or unavailable.
if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
   // Hold references to the real superglobals: looping over
   // array($_GET, $_POST, $_COOKIE) would only escape copies of them.
   $sources = array(&$_GET, &$_POST, &$_COOKIE);
   foreach ($sources as &$data) {
      if (is_array($data)) {
         foreach ($data as $k => &$v) {
            if (is_array($v)) {
               // One level of nesting, e.g. inputs named field[]
               foreach ($v as $k2 => &$v2) {
                  $v2 = addslashes($v2);
               }
               unset($v2);
            } else {
               $v = addslashes($v);
            }
         }
         unset($v);
      }
   }
   unset($data);
}
?>

Re: does stripslashes() protect from SQL injection?

Postby AeroX » Fri Jul 25, 2008 4:34 am

No, stripslashes() is not protection from SQL injections; if anything it helps them by removing automatically added slashes from the code that they are trying to inject.

addslashes() is some protection from SQL injections, but not total.
You should also try using the functions provided in the mysql extension for making user data safer.

You should also try to use either gesf's example or mine to automatically add slashes to the data to try and make it safer.
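As an added example (not code from this thread), the following PHP script contrasts the original query's stripslashes() handling with keeping the magic-quote slashes and with a parameterised query; it assumes PHP 7+ with the pdo_sqlite extension so it can run offline, and the table and input values are constructed.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with pdo_sqlite;
// the table contents and the input value below are constructed.

// Constructed input: a value that closes the quoted literal and appends a condition.
$rawInput = "Acme' OR '1'='1";

// What magic_quotes_gpc did to every $_POST value on arrival.
$magicQuoted = addslashes($rawInput);

// The original post's pattern: the value is pasted into the SQL text.
function buildQuery(string $value): string
{
    return "SELECT * FROM example WHERE sd = '" . $value . "'";
}

// stripslashes() restores the raw quote, so the literal closes after "Acme"
// and the OR clause becomes part of the statement: every row matches.
$strippedSql = buildQuery(stripslashes($magicQuoted));

// Keeping the slashes: MySQL reads \' as an escaped quote, so the value stays
// inside the literal. This is the partial protection the reply describes; it
// depends on the connection charset (hence mysql_real_escape_string()), and
// other engines such as SQLite do not treat backslash as an escape at all,
// so this string is only shown here, not executed.
$slashedSql = buildQuery($magicQuoted);

// Parameterised query: the value is bound as data and never parsed as SQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE example (id INTEGER PRIMARY KEY, sd TEXT)");
$db->exec("INSERT INTO example (sd) VALUES ('Acme'), ('Globex')");

// Interpolated query built from the stripslashes()'d value.
$unsafeRows = $db->query($strippedSql)->fetchAll(PDO::FETCH_ASSOC);

// Same lookup with a bound parameter: the whole input is compared as one value.
$stmt = $db->prepare("SELECT * FROM example WHERE sd = ?");
$stmt->execute([$rawInput]);
$safeRows = $stmt->fetchAll(PDO::FETCH_ASSOC);

echo "stripslashes query : $strippedSql\n";
echo "addslashes query   : $slashedSql\n";
printf("stripslashes query returned %d rows\n", count($unsafeRows));
printf("prepared statement returned %d rows\n", count($safeRows));
```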