On Mon, Dec 20, 2010 at 11:31 PM, Rico Secada <coolz...@it.dk> wrote:

> Hi.
> In an article about SQL Injection by Chris Shiflett he mentions the
> following in a comment: "The process of escaping should preserve data,
> so it should never be necessary to reverse it. When I'm auditing an
> application, things like stripslashes() alert me to design problems."

Adding slashes to variables isn't needed for actually storing the values in
the DB, but rather for their safe use in a SQL statement.  If you use
addslashes() on data going into a DB, you'll have to make sure you call
stripslashes() on data coming out of the DB.

His statement "The process of escaping should preserve data, so it should
never be necessary to reverse it", conveys that you shouldn't need to know
if a value has been escaped down the line.  The escaping operation should be
done in such a way that it doesn't matter how you handle the data afterwards
(your code shouldn't have to keep track of whether it has to call
stripslashes(), with one notable problem being that calling stripslashes()
twice on the same data can lead to a value that differs from the original.)

> Now, I'm always using PHP PDO with prepared statements and as such data
> with quotes gets slashed automatically by PDO when inserted into the
> database.

In most languages I'm familiar with, prepared statements don't imply that
values are automatically slashed.  Rather, the statement is compiled with
placeholders.  Through use of placeholders, it's impossible for the DB to
interpret any of the values inserted into any of the placeholders in a way
that could lead to SQL injection.

> When I need to pull out the data something might be slashed and I need
> to use stripslashes() or some str_replace() to make sure that the
> slashes are removed.

NO, using prepared statements does not require that you call stripslashes()
when retrieving data from the DB.  If you're noticing slashes, you've got
them coming from another source (magic_quotes_gpc might be on, and if so, I
recommend turning it off.)

> So what's the mistake here and what's the correct way to do it?

1. Turn off magic_quotes_gpc if on, as its use has been deprecated.
2. Use prepared statements.
3. Don't worry about stripping slashes ever again :)


Nephtali:  A simple, flexible, fast, and security-focused PHP framework
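An added example, not part of the thread, illustrating the two points above: a PDO placeholder carries the value separately from the SQL text, so what comes back is exactly what went in, while an addslashes()/stripslashes() round-trip silently corrupts data if stripslashes() runs twice. It uses an in-memory SQLite database (assumed available via the pdo_sqlite extension) so it runs without a server.

```php
<?php
// Added example (not from the thread): PDO placeholders preserve data as-is,
// so no stripslashes() is needed on the way out; hand-escaping is fragile.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed input containing both a single quote and a backslash, the two
// characters that escaping schemes touch.
$input = "O'Reilly says: C:\\temp is 'safe'";

// Insert through a named placeholder: the driver binds the value to the
// compiled statement, so the quote is never parsed as part of the SQL.
$ins = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
$ins->execute([':body' => $input]);

// Read it back with no post-processing; it compares equal to the original.
$stored = $pdo->query('SELECT body FROM notes')->fetchColumn();
var_dump($stored === $input);

// Contrast: escaping by hand, then stripping twice (the "lost track of whether
// it was escaped" failure mode). The first stripslashes() restores the value;
// the second one also removes the backslash in C:\temp, so the data changes.
$escaped = addslashes($input);
$once    = stripslashes($escaped);
$twice   = stripslashes($once);
var_dump($once === $input, $twice === $input);
```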
