On 4 Oct 2011, at 20:44, Jim Giner wrote:

> "Stuart Dallas" <stu...@3ft9.com> wrote in message 
> news:da8b3499-4d11-4053-9834-68b34d030...@3ft9.com...
> 1. Why are you using addslashes?
> 2. MySQL will strip one level of backslashes.
> *********
> I thought you were supposed to do an addslashes to protect your appl from 
> malicious d/e.

Adding slashes to the data is nowhere near enough protection. Jeremiah is right 
in saying that prepared statements are the best option available at the moment.

> Did not know that mysql drops the slashes. 

I recommend that you look further into why you are doing things like that, 
especially when it's security-related. The more you know about what is 
happening and why the better your software will be.

In this particular case, the slashes are designed to mark quotes as part of the 
data and not the end of the data. For example...

    "this is an unescaped string containing " a quotation mark"

The MySQL parser will see the " in the middle and decide that that's the end of 
the data. However...

    "this is an escaped string containing \" a quotation mark"

The parser will see the \ before the " and that tells it the quote is part of 
the data. Because the \ is only there to tell it that it doesn't get left in 
the data when it's pushed into the database.

But escaping quotes (i.e. addslashes) is not enough to protect against SQL 
injection, and neither is mysql_real_escape_string as Shawn suggested. Prepared 
statements are the best option.


Stuart Dallas
3ft9 Ltd
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to