RE: [PHP] is it safe to stripslashes() on all form variables?

2001-04-17 Thread Jason Murray
> Disabling magic quote will reduce amount of code and increase
> performance a little, unless application is very small. Without
> magic_quote, script does not have to get rid of slashes to use
> value from browser and add slashes again before feeding to
> database. Code would be cleaner and easier to read also.
> (Especially for programmers are not used to PHP.)

And, you should never assume magic quotes is on or off. If you're
developing for an environment you cannot control, but using an 
environment that you CAN control, you should code around magic 
quotes' presence or absence as neccessary:



This code would happily exist on servers both with and without 
magic quotes enabled.

Jason 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]


Re: [PHP] is it safe to stripslashes() on all form variables?

2001-04-17 Thread Yasuo Ohgaki
Previous post does not address how to avoid making this kind of security hole.

Anyway, if anyone want to avoid creating security hole like this. Do not
stripslashes() added by magic_quote. If you use stripslashes(), use addslashes()
again. If you do not use magic_quote, use addslashes() before feeding to
database, shell or whatever that might be dangerous w/o slashes.

Disabling magic quote will reduce amount of code and increase performance a
little, unless application is very small. Without magic_quote, script does not
have to get rid of slashes to use value from browser and add slashes again
before feeding to database. Code would be cleaner and easier to read also.
(Especially for programmers are not used to PHP.)

Hope this helps someone.
--
Yasuo Ohgaki


""Yasuo Ohgaki"" <[EMAIL PROTECTED]> wrote in message
9bg8tl$rvl$[EMAIL PROTECTED]">news:9bg8tl$rvl$[EMAIL PROTECTED]...
> If you strip slashes, it will make a security hole.
>
> For example,
>
> SELECT * FROM tablename WHERE name = '$name';
> what if $name is
> \'garbage\';DROP TABLE tablename;SELECT \'something
>
> After stripslashes($name)
> SELECT * FROM table WHERE name = 'garbage';DROP TABLE tablename;SELECT
> 'something';
>
> Regards,
> --
> Yasuo Ohgaki
>
>
> ""Noah Spitzer-Williams"" <[EMAIL PROTECTED]> wrote in message
> 9bf7ec$m1m$[EMAIL PROTECTED]">news:9bf7ec$m1m$[EMAIL PROTECTED]...
> > would there be any problems caused if i used the stripslashes() function on
> > all posted variables from a form to eliminate sql query errors?
> >
> >  - Noah
> >
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> > To contact the list administrators, e-mail: [EMAIL PROTECTED]
> >
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]


Re: [PHP] is it safe to stripslashes() on all form variables?

2001-04-16 Thread Yasuo Ohgaki
If you strip slashes, it will make a security hole.

For example,

SELECT * FROM tablename WHERE name = '$name';
what if $name is
\'garbage\';DROP TABLE tablename;SELECT \'something

After stripslashes($name)
SELECT * FROM table WHERE name = 'garbage';DROP TABLE tablename;SELECT
'something';

Regards,
--
Yasuo Ohgaki


""Noah Spitzer-Williams"" <[EMAIL PROTECTED]> wrote in message
9bf7ec$m1m$[EMAIL PROTECTED]">news:9bf7ec$m1m$[EMAIL PROTECTED]...
> would there be any problems caused if i used the stripslashes() function on
> all posted variables from a form to eliminate sql query errors?
>
>  - Noah
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]


Re: [PHP] is it safe to stripslashes() on all form variables?

2001-04-16 Thread Alexander Skwar

So sprach Noah Spitzer-Williams am Mon, Apr 16, 2001 at 12:45:43PM -0400:
> would there be any problems caused if i used the stripslashes() function on
> all posted variables from a form to eliminate sql query errors?

Uhm, why stripslashes() the values?  Wouldn't it be better to addslashes()
the value, and then when retrieving the values from the database to
stripslashes() the value?

With addslashes(), you'd be sure that everything is properly escaped.

BTW: Where's the difference between addslashes() and the undocumented
function mysql_escape_string()? ( see http://php.net/ChangeLog-4.php#4.0.3 )

Alexander Skwar
-- 
How to quote:   http://learn.to/quote (german) http://quote.6x.to (english)
Homepage:   http://www.digitalprojects.com   |   http://www.iso-top.de
   iso-top.de - Die günstige Art an Linux Distributionen zu kommen
Uptime: 2 hours 13 minutes

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




Re: [PHP] is it safe to stripslashes() on all form variables?

2001-04-16 Thread Noah Spitzer-Williams

Jesus that's pretty scary! So how should i go about doing this?


""Yasuo Ohgaki"" <[EMAIL PROTECTED]> wrote in message
9bflce$9p5$[EMAIL PROTECTED]">news:9bflce$9p5$[EMAIL PROTECTED]...
> If you strip slashes, it will make a security hole.
>
> For example,
>
> SELECT * FROM tablename WHERE name = '$name';
> what if $name is
> \'garbage\';DROP TABLE tablename;SELECT \'something
>
> After stripslashes($name)
> SELECT * FROM table WHERE name = 'garbage';DROP TABLE tablename;SELECT
> 'something';
>
> Regards,
> --
> Yasuo Ohgaki
>
>
> ""Noah Spitzer-Williams"" <[EMAIL PROTECTED]> wrote in message
> 9bf7ec$m1m$[EMAIL PROTECTED]">news:9bf7ec$m1m$[EMAIL PROTECTED]...
> > would there be any problems caused if i used the stripslashes() function
on
> > all posted variables from a form to eliminate sql query errors?
> >
> >  - Noah
> >
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> > To contact the list administrators, e-mail: [EMAIL PROTECTED]
> >
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




RE: [PHP] is it safe to stripslashes() on all form variables? [ security hole !!! ]

2001-04-16 Thread Johnson, Kirk
Yasuo, I didn't quite follow this. What are those special characters below
in your $name example?

TIA

Kirk

> -Original Message-

> If you strip slashes, it will make a security hole.
> 
> For example,
> 
> SELECT * FROM tablename WHERE name = '$name';
> what if $name is
> \'garbage\';DROP TABLE tablename;SELECT \'something
> 
> After stripslashes($name)
> SELECT * FROM table WHERE name = 'garbage';DROP TABLE tablename;SELECT
> 'something';
> 
> Regards,
> --
> Yasuo Ohgaki 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]


Re: [PHP] is it safe to stripslashes() on all form variables?

2001-04-16 Thread Yasuo Ohgaki
If you strip slashes, it will make a security hole.

For example,

SELECT * FROM tablename WHERE name = '$name';
what if $name is
\'garbage\';DROP TABLE tablename;SELECT \'something

After stripslashes($name)
SELECT * FROM table WHERE name = 'garbage';DROP TABLE tablename;SELECT
'something';

Regards,
--
Yasuo Ohgaki


""Noah Spitzer-Williams"" <[EMAIL PROTECTED]> wrote in message
9bf7ec$m1m$[EMAIL PROTECTED]">news:9bf7ec$m1m$[EMAIL PROTECTED]...
> would there be any problems caused if i used the stripslashes() function on
> all posted variables from a form to eliminate sql query errors?
>
>  - Noah
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]


Re: [PHP] is it safe to stripslashes() on all form variables?

2001-04-16 Thread Plutarck

As long as you don't need to ever store a forward slash :)

Beyond that, nope. stripslash() away.


--
Plutarck
Should be working on something...
...but forgot what it was.


""Noah Spitzer-Williams"" <[EMAIL PROTECTED]> wrote in message
9bf7ec$m1m$[EMAIL PROTECTED]">news:9bf7ec$m1m$[EMAIL PROTECTED]...
> would there be any problems caused if i used the stripslashes() function
on
> all posted variables from a form to eliminate sql query errors?
>
>  - Noah
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




[PHP] is it safe to stripslashes() on all form variables?

2001-04-16 Thread Noah Spitzer-Williams

would there be any problems caused if i used the stripslashes() function on
all posted variables from a form to eliminate sql query errors?

 - Noah



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]