On Tue, 21 Dec 2010 00:32:19 -0500
Paul M Foster <pa...@quillandmouse.com> wrote:

> On Tue, Dec 21, 2010 at 05:31:15AM +0100, Rico Secada wrote:
> > Hi.
> > 
> > In an article about SQL Injection by Chris Shiflett he mentions the
> > following in a comment: "The process of escaping should preserve
> > data, so it should never be necessary to reverse it. When I'm
> > auditing an application, things like stripslashes() alert me to
> > design problems."
> > 
> > Now, I'm always using PHP PDO with prepared statements and as such
> > data with quotes gets slashed automatically by PDO when inserted
> > into the database.
> Just out of idle curiosity, are you using MySQL? PDO shouldn't be
> backslashing quotes for PostgreSQL, as the PostgreSQL convention for
> values containing single quotes is to double the quotes, as: ''.

Currently I'm working with MySQL, but I have just tested PDO with
PostgreSQL 8.3 and in this case PDO backslashes PostgreSQL as well.
> > When I need to pull out the data something might be slashed and I
> > need to use stripslashes() or some str_replace() to make sure that
> > the slashes are removed.
> > 
> > So what's the mistake here and what's the correct way to do it?
> I don't see a mistake. If the values come out of the database
> backslashed, then you need to remove them to work with the data. My
> only question would be whether you're sure the data is backslashed
> before PDO ever sees it. In which case, yes, you have a problem.

No, the data is not slashed before PDO sees them.

I didn't see a mistake either, but then what does Chris mean? Stripping
slashes from output from the DB alerts him to a design problem, and
I'm just wondering if there another way of doing things I just haven't
heard of then. 

> Paul
> -- 
> Paul M. Foster
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to