Re: [PHP] addslashes and magic quote woes
On Wed, 3 Jul 2002, Jean-Christian Imbeault wrote:

> Erik Price wrote:
>> Turn off magic_quotes and do addslashes() explicitly every time you do
>> a database insert. Then make sure you always stripslashes() data
>> returned from a database query.
>>
>> magic_quotes is convenient for newbies, but after a while you'll find it
>> only trips you up, as you've discovered.
>
> I totally agree.

Chalk me up as another magic_quotes hater. Unless your code is very simplistic, you'll end up with far more stripslasheses than you would have had addslasheses. So it's a net waste of time, and leads to all sorts of irritating data corruption bugs that are a nuisance to track down.

miguel

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] addslashes and magic quote woes
> magic_quotes is convenient for newbies, but after a while you'll find it
> only trips you up, as you've discovered.

Odd. In the 5 years I've been doing PHP, magic quotes has never hurt me in the least. It's just more convenient than calling addslashes() all over the place.

And do you really need to call stripslashes() to get the data out?

I mean... Look, the MySQL SQL engine is going to 'parse' your SQL, right? And that parser is going to 'swallow up' the 'extra' \ characters -- those characters exist to 'escape' the things MySQL needs to store.

Now, when MySQL spews that data out again, does it go adding back in escape characters?! Surely not...

Maybe if you turn on the sql_magic_quotes feature, PHP will do it for you, but MySQL doesn't do it, does it?

You *DO* need stripslashes() when you have magic quotes on, and you wish to display data that has come from the user, as well as insert it to the database. (Or if that particular data was never meant to go to the database in the first place.)

--
Like Music? http://l-i-e.com/artists.htm
Re: [PHP] addslashes and magic quote woes
On Wednesday, July 3, 2002, at 10:21 AM, Jean-Christian Imbeault wrote:

> Security question: Is turning off magic_quotes and using
> strip/addslashes() a 100% effective solution against malicious user
> input?

No. Think about what {add|strip}slashes() does. It simply adds slashes to strings, and strips them from strings, depending on certain rules (like the location of apostrophes or other special characters in those strings). There are far more ways for malicious users to insert their own input than I even know of, let alone know how to handle. Consider using add/strip a requirement, not a security precaution.

Erik

Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]
Re: [PHP] addslashes and magic quote woes
From: "Jean-Christian Imbeault" <[EMAIL PROTECTED]>
> Erik Price wrote:
> >
> > Turn off magic_quotes and do addslashes() explicitly every time you do a
> > database insert. Then make sure you always stripslashes() data returned
> > from a database query.

You don't need to strip slashes from data coming out of a database. The only reason you add the slashes in the first place is to get the data into the database; the actual slashes don't go into the database.

> > magic_quotes is convenient for newbies, but after a while you'll find it
> > only trips you up, as you've discovered.

I haven't discovered this.

> I totally agree.
>
> Security question: Is turning off magic_quotes and using
> strip/addslashes() a 100% effective solution against malicious user input?

Nothing's 100%, of course. It will make sure that your strings are treated properly, but slashes don't do anything for integers. If you have a query like:

UPDATE admin SET something = 'this' where user_id = $user_id

Then using addslashes doesn't help you at all because $user_id doesn't have quotes around it. Since it's supposed to be an integer, it shouldn't have quotes, but you need to validate that $user_id is indeed an integer without any other data in it, otherwise you're open to SQL attacks.

Bottom line, validate everything from the user. POST, GET, COOKIE, etc... If it's supposed to be a number, make it a number with (int). If it's supposed to be a string, make sure it's had addslashes() applied to it, either through magic_quotes or manually...etc, etc, etc...

---John Holmes...
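The unquoted-integer case from John's message, as an added example that is not code from the thread. It builds the same UPDATE three ways: the way the thread writes it, with a (int) cast on the id, and with the id rejected unless it is all digits. The table and column names are taken from his query; nothing is sent to a database, the functions only return the SQL text so it can be inspected.

```php
<?php
// Added example, not code from the thread. addslashes() protects the quoted
// string value but does nothing for the unquoted integer user_id, so that
// value has to be validated or cast on its own. Table and column names come
// from the query in the message above; no database connection is made.

// The query as written in the thread: string escaped, id dropped in unquoted.
function build_update_unsafe(string $something, string $user_id): string
{
    $something = addslashes($something);
    return "UPDATE admin SET something = '$something' WHERE user_id = $user_id";
}

// Coerce: (int) keeps the leading digits and throws the rest away, so
// "5 OR 1=1" becomes 5 and "abc" becomes 0. Safe, but silently lossy.
function build_update_cast(string $something, string $user_id): string
{
    $something = addslashes($something);
    $id = (int) $user_id;
    return "UPDATE admin SET something = '$something' WHERE user_id = $id";
}

// Reject: only an all-digit id is accepted; anything else returns null so the
// caller can refuse the request instead of quietly rewriting it.
function build_update_strict(string $something, string $user_id): ?string
{
    if (preg_match('/^[0-9]+$/', $user_id) !== 1) {
        return null;
    }
    $something = addslashes($something);
    return "UPDATE admin SET something = '$something' WHERE user_id = $user_id";
}

// Constructed inputs: a string value with an apostrophe (which addslashes()
// does handle) and an id carrying an injected condition (which it does not).
$value     = "O'Reilly";
$hostileId = '5 OR 1=1';

echo build_update_unsafe($value, $hostileId), "\n";
echo build_update_cast($value, $hostileId), "\n";
var_dump(build_update_strict($value, $hostileId));
echo build_update_strict($value, '5'), "\n";
```

The first query printed ends in `WHERE user_id = 5 OR 1=1`, which matches every row of admin, while the apostrophe in O'Reilly has been escaped as O\'Reilly: addslashes() did its job and the injection walked past it anyway, because there was never a quote for it to escape. The cast version ends in `WHERE user_id = 5`; the strict version returns NULL for the hostile id and builds the same single-row query for '5'. Whether to coerce or reject is a design choice, but rejecting is the one that tells you an attack happened.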
Re: [PHP] addslashes and magic quote woes
Just pick one, and use only one. If you have magic_quotes ON, then you don't need addslashes, etc.

---John Holmes...

- Original Message -
From: "Jean-Christian Imbeault" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, July 03, 2002 9:40 AM
Subject: [PHP] addslashes and magic quote woes

> I am trying to make my PHP safe against malicious data user inputs.
> Reading up on this most people suggest using addslashes(), magic_quotes
> on and other things like mysql_escape_string();
>
> But I have been running into the problem that I mess up the user's input
> because I use more than one of these functions in succession on the data.
>
> Is there any way to prevent the "re-escaping"/"re-slashing" of data that
> has already been escaped or slashed?
>
> Jc
Re: [PHP] addslashes and magic quote woes
Erik Price wrote:
>
> Turn off magic_quotes and do addslashes() explicitly every time you do a
> database insert. Then make sure you always stripslashes() data returned
> from a database query.
>
> magic_quotes is convenient for newbies, but after a while you'll find it
> only trips you up, as you've discovered.

I totally agree.

Security question: Is turning off magic_quotes and using strip/addslashes() a 100% effective solution against malicious user input?

Jc
Re: [PHP] addslashes and magic quote woes
On Wednesday, July 3, 2002, at 09:40 AM, Jean-Christian Imbeault wrote:

> I am trying to make my PHP safe against malicious data user inputs.
> Reading up on this most people suggest using addslashes(), magic_quotes
> on and other things like mysql_escape_string();
>
> But I have been running into the problem that I mess up the user's
> input because I use more than one of these functions in succession on
> the data.
>
> Is there any way to prevent the "re-escaping"/"re-slashing" of data
> that has already been escaped or slashed?

Turn off magic_quotes and do addslashes() explicitly every time you do a database insert. Then make sure you always stripslashes() data returned from a database query.

magic_quotes is convenient for newbies, but after a while you'll find it only trips you up, as you've discovered.

Erik

Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]
Re: [PHP] addslashes and magic quote woes
Martin Clifford wrote:
> Try stripslashes() before addslashes(), to ensure that it doesn't already contain slashes.
>
> HTH
>
> Martin

But what if the original data contained a slash? I want to keep that slash in the data ...

Jc
Re: [PHP] addslashes and magic quote woes
Try stripslashes() before addslashes(), to ensure that it doesn't already contain slashes.

HTH

Martin

>>> Jean-Christian Imbeault <[EMAIL PROTECTED]> 07/03/02 09:40AM >>>
I am trying to make my PHP safe against malicious data user inputs. Reading up on this most people suggest using addslashes(), magic_quotes on and other things like mysql_escape_string();

But I have been running into the problem that I mess up the user's input because I use more than one of these functions in succession on the data.

Is there any way to prevent the "re-escaping"/"re-slashing" of data that has already been escaped or slashed?

Jc
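Martin's "stripslashes() before addslashes()" and Jean-Christian's worry about data that legitimately contains a backslash, worked through as an added example that is not code from the thread. It runs a Windows path through both that strategy and the "pick one and escape exactly once" approach John and Richard describe, with magic_quotes_gpc both off and on. No database is involved: store_and_fetch() stands in for the SQL parser, which consumes the escaping so that what is stored (and later read back) is the unescaped text. The $magicQuotesOn parameter exists only so the example can show both settings; get_magic_quotes_gpc() was removed in PHP 8.0, hence the function_exists() guard.

```php
<?php
// Added example, not code from the thread. Compares two ways of escaping a
// request value that already contains backslashes, under both magic_quotes_gpc
// settings, and checks whether the value survives the round trip intact.

// Returns the value as the user typed it. With magic_quotes_gpc on, PHP has
// already run addslashes() over every GET/POST/COOKIE value and that has to be
// undone exactly once (this is also the only stripslashes() needed to display
// user data). When $magicQuotesOn is null the real setting is read; on PHP 8
// the function no longer exists and the setting counts as off.
function raw_input(string $fromRequest, ?bool $magicQuotesOn = null): string
{
    if ($magicQuotesOn === null) {
        $magicQuotesOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    return $magicQuotesOn ? stripslashes($fromRequest) : $fromRequest;
}

// Martin's suggestion: strip whatever is there, then add. It has no way of
// telling a user's own backslash from one a previous addslashes() put there.
function escape_strip_then_add(string $fromRequest): string
{
    return addslashes(stripslashes($fromRequest));
}

// Escape once: get back to the raw value, then escape it a single time.
function escape_once(string $fromRequest, ?bool $magicQuotesOn = null): string
{
    return addslashes(raw_input($fromRequest, $magicQuotesOn));
}

// Stand-in for the database round trip. The server's SQL parser removes the
// escaping on the way in and stores the literal text, so what comes back is
// stripslashes() of what was sent; nothing needs stripping on the way out.
function store_and_fetch(string $escapedLiteral): string
{
    return stripslashes($escapedLiteral);
}

// Constructed input: a Windows path, i.e. a value whose backslashes are data.
$original = 'C:\temp\new';

// magic_quotes_gpc off: the request carries the raw value.
$fromRequest     = $original;
$stripThenAddOff = store_and_fetch(escape_strip_then_add($fromRequest));
$escapeOnceOff   = store_and_fetch(escape_once($fromRequest, false));

// magic_quotes_gpc on: PHP has already applied addslashes() to the value.
$fromRequest    = addslashes($original);
$stripThenAddOn = store_and_fetch(escape_strip_then_add($fromRequest));
$escapeOnceOn   = store_and_fetch(escape_once($fromRequest, true));

$results = [
    'strip then add, magic off' => $stripThenAddOff,
    'escape once,    magic off' => $escapeOnceOff,
    'strip then add, magic on ' => $stripThenAddOn,
    'escape once,    magic on ' => $escapeOnceOn,
];
foreach ($results as $label => $stored) {
    printf("%s: stored %-16s %s\n", $label, var_export($stored, true),
           $stored === $original ? 'intact' : 'CORRUPTED');
}
```

With magic quotes off, strip-then-add stores C:tempnew: stripslashes() ate the user's backslashes before addslashes() ever ran, which is exactly the corruption Jean-Christian is asking about. With magic quotes on it happens to work, because the only backslashes present were the ones magic quotes added. Escaping once is intact in both settings because it decides from the configuration, not from the data, whether anything has already been escaped. That is the practical form of "pick one, and use only one": know which layer escapes, and make sure it is the only one.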