Re: [PHP] PDO Prepared Statements and stripslashes

2010-12-21 Thread Rico Secada
On Tue, 21 Dec 2010 10:32:21 -0500
Adam Richardson  wrote:

> 1. Turn off magic_quotes_gpc if on, as its use has been deprecated.
> 2. Use prepared statements.
> 3. Don't worry about stripping slashes ever again :)

Thank you for a very enlightening answer. I guess I misunderstood
the "PDO automatically quotes.." and the slashes part! :-) 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] PDO Prepared Statements and stripslashes

2010-12-21 Thread Adam Richardson
On Mon, Dec 20, 2010 at 11:31 PM, Rico Secada  wrote:

> Hi.
>
> In an article about SQL Injection by Chris Shiflett he mentions the
> following in a comment: "The process of escaping should preserve data,
> so it should never be necessary to reverse it. When I'm auditing an
> application, things like stripslashes() alert me to design problems."
>

Adding slashes to variables isn't needed for actually storing the values in
the DB, but rather for their safe use in a SQL statement.  If you use
addslashes() on data going into a DB, you'll have to make sure you call
stripslashes() on data coming out of the DB.

His statement "The process of escaping should preserve data, so it should
never be necessary to reverse it", conveys that you shouldn't need to know
if a value has been escaped down the line.  The escaping operation should be
done in such a way that it doesn't matter how you handle the data afterwards
(your code shouldn't have to keep track of whether it has to call
stripslashes(), with one notable problem being that calling stripslashes()
twice on the same data can lead to a value that differs from the original.)



> Now, I'm always using PHP PDO with prepared statements and as such data
> with quotes gets slashed automatically by PDO when inserted into the
> database.
>

In most languages I'm familiar with, prepared statements don't imply that
values are automatically slashed.  Rather, the statement is compiled with
placeholders.  Through use of placeholders, it's impossible for the DB to
interpret any of the values inserted into any of the placeholders in a way
that could lead to SQL injection.


>
> When I need to pull out the data something might be slashed and I need
> to use stripslashes() or some str_replace() to make sure that the
> slashes are removed.
>

NO, using prepared statements does not require that you call stripslashes()
when retrieving data from the DB.  If you're noticing slashes, you've got
them coming from another source (magic_quotes_gpc might be on, and if so, I
recommend turning it off.)


>
> So what's the mistake here and what's the correct way to do it?
>

1. Turn off magic_quotes_gpc if on, as its use has been deprecated.
2. Use prepared statements.
3. Don't worry about stripping slashes ever again :)

Adam

-- 
Nephtali:  A simple, flexible, fast, and security-focused PHP framework
http://nephtaliproject.com
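As an added example (not code from the thread or from Nephtali), here is the round trip Adam describes: a value with quotes and backslashes goes through a PDO prepared statement and comes back unchanged, so there is nothing for stripslashes() to undo. It uses an in-memory SQLite database so it runs offline; the table name `notes` and the sample input are constructed for the demo.

```php
<?php
// Added example, not code from the thread or from Nephtali. Round-trips a
// value containing quotes and backslashes through a PDO prepared statement
// and checks that nothing was added, so there is nothing to strip.
// Uses an in-memory SQLite database so it runs offline; the table name
// "notes" and the sample input are constructed for this demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed input: single quotes, double quotes, a literal backslash and
// a classic tautology fragment, exactly the kind of text that must survive
// storage unchanged.
$input = "O'Reilly said \"hi\", path C:\\temp, and ' OR '1'='1";

// The SQL text is fixed; the value is bound to a placeholder and never
// parsed as part of the statement, which is what makes injection impossible
// regardless of the value's content.
$insert = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
$insert->execute([':body' => $input]);

$select = $pdo->prepare('SELECT body FROM notes WHERE id = :id');
$select->execute([':id' => (int) $pdo->lastInsertId()]);
$stored = $select->fetchColumn();

// Lossless round trip: no escaping leaked into the stored data.
printf("stored === input: %s\n", $stored === $input ? 'yes' : 'no');

// Applying stripslashes() here would remove the backslash the user typed,
// silently corrupting the value; that is the bookkeeping problem Adam
// describes, where code has to know whether data was already escaped.
printf("stripslashes(stored) === input: %s\n",
    stripslashes($stored) === $input ? 'yes' : 'no');

// If slashes do show up, they were added upstream. Before PHP 8 the legacy
// magic_quotes_gpc setting was the usual culprit; it should be disabled in
// php.ini rather than undone with stripslashes() in application code.
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    echo "magic_quotes_gpc is on: disable it in php.ini\n";
}
```

With pdo_mysql the same holds; the driver escapes client-side only when emulating prepares, and that escaping is consumed by the server, never stored.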


Re: [PHP] PDO Prepared Statements and stripslashes

2010-12-20 Thread Ravi Gehlot
Hello,

The plug-in PDO has nothing to do with the backslashes being inserted into
the database. The backslashes are used to escape characters like in D's...it
would show D's. That's the safe behavior of it. You can change
your programming code to fix that.

Ravi.


On Tue, Dec 21, 2010 at 12:59 AM, Rico Secada  wrote:

> On Tue, 21 Dec 2010 00:32:19 -0500
> Paul M Foster  wrote:
>
> > On Tue, Dec 21, 2010 at 05:31:15AM +0100, Rico Secada wrote:
> >
> > > Hi.
> > >
> > > In an article about SQL Injection by Chris Shiflett he mentions the
> > > following in a comment: "The process of escaping should preserve
> > > data, so it should never be necessary to reverse it. When I'm
> > > auditing an application, things like stripslashes() alert me to
> > > design problems."
> > >
> > > Now, I'm always using PHP PDO with prepared statements and as such
> > > data with quotes gets slashed automatically by PDO when inserted
> > > into the database.
> >
> > Just out of idle curiosity, are you using MySQL? PDO shouldn't be
> > backslashing quotes for PostgreSQL, as the PostgreSQL convention for
> > values containing single quotes is to double the quotes, as: ''.
>
> Currently I'm working with MySQL, but I have just tested PDO with
> PostgreSQL 8.3 and in this case PDO backslashes PostgreSQL as well.
>
> > > When I need to pull out the data something might be slashed and I
> > > need to use stripslashes() or some str_replace() to make sure that
> > > the slashes are removed.
> > >
> > > So what's the mistake here and what's the correct way to do it?
> >
> > I don't see a mistake. If the values come out of the database
> > backslashed, then you need to remove them to work with the data. My
> > only question would be whether you're sure the data is backslashed
> > before PDO ever sees it. In which case, yes, you have a problem.
>
> No, the data is not slashed before PDO sees it.
>
> I didn't see a mistake either, but then what does Chris mean? Stripping
> slashes from output from the DB alerts him to a design problem, and
> I'm just wondering if there is another way of doing things I just
> haven't heard of.
>
> > Paul


Re: [PHP] PDO Prepared Statements and stripslashes

2010-12-20 Thread Rico Secada
On Tue, 21 Dec 2010 00:32:19 -0500
Paul M Foster  wrote:

> On Tue, Dec 21, 2010 at 05:31:15AM +0100, Rico Secada wrote:
> 
> > Hi.
> > 
> > In an article about SQL Injection by Chris Shiflett he mentions the
> > following in a comment: "The process of escaping should preserve
> > data, so it should never be necessary to reverse it. When I'm
> > auditing an application, things like stripslashes() alert me to
> > design problems."
> > 
> > Now, I'm always using PHP PDO with prepared statements and as such
> > data with quotes gets slashed automatically by PDO when inserted
> > into the database.
> 
> Just out of idle curiosity, are you using MySQL? PDO shouldn't be
> backslashing quotes for PostgreSQL, as the PostgreSQL convention for
> values containing single quotes is to double the quotes, as: ''.

Currently I'm working with MySQL, but I have just tested PDO with
PostgreSQL 8.3 and in this case PDO backslashes PostgreSQL as well.
 
> > When I need to pull out the data something might be slashed and I
> > need to use stripslashes() or some str_replace() to make sure that
> > the slashes are removed.
> > 
> > So what's the mistake here and what's the correct way to do it?
> 
> I don't see a mistake. If the values come out of the database
> backslashed, then you need to remove them to work with the data. My
> only question would be whether you're sure the data is backslashed
> before PDO ever sees it. In which case, yes, you have a problem.

No, the data is not slashed before PDO sees it.

I didn't see a mistake either, but then what does Chris mean? Stripping
slashes from output from the DB alerts him to a design problem, and
I'm just wondering if there is another way of doing things I just haven't
heard of.

> Paul



Re: [PHP] PDO Prepared Statements and stripslashes

2010-12-20 Thread Paul M Foster
On Tue, Dec 21, 2010 at 05:31:15AM +0100, Rico Secada wrote:

> Hi.
> 
> In an article about SQL Injection by Chris Shiflett he mentions the
> following in a comment: "The process of escaping should preserve data,
> so it should never be necessary to reverse it. When I'm auditing an
> application, things like stripslashes() alert me to design problems."
> 
> Now, I'm always using PHP PDO with prepared statements and as such data
> with quotes gets slashed automatically by PDO when inserted into the
> database.

Just out of idle curiosity, are you using MySQL? PDO shouldn't be
backslashing quotes for PostgreSQL, as the PostgreSQL convention for
values containing single quotes is to double the quotes, as: ''.

> 
> When I need to pull out the data something might be slashed and I need
> to use stripslashes() or some str_replace() to make sure that the
> slashes are removed.
> 
> So what's the mistake here and what's the correct way to do it?

I don't see a mistake. If the values come out of the database
backslashed, then you need to remove them to work with the data. My only
question would be whether you're sure the data is backslashed before
PDO ever sees it. In which case, yes, you have a problem.

Paul

-- 
Paul M. Foster




[PHP] PDO Prepared Statements and stripslashes

2010-12-20 Thread Rico Secada
Hi.

In an article about SQL Injection by Chris Shiflett he mentions the
following in a comment: "The process of escaping should preserve data,
so it should never be necessary to reverse it. When I'm auditing an
application, things like stripslashes() alert me to design problems."

Now, I'm always using PHP PDO with prepared statements and as such data
with quotes gets slashed automatically by PDO when inserted into the
database.

When I need to pull out the data something might be slashed and I need
to use stripslashes() or some str_replace() to make sure that the
slashes are removed.

So what's the mistake here and what's the correct way to do it?

Kind regards

Rico
