On 4 Oct 2011, at 20:44, Jim Giner wrote:
> "Stuart Dallas" <[email protected]> wrote in message
> news:[email protected]...
> 1. Why are you using addslashes?
>
> 2. MySQL will strip one level of backslashes.
> *********
>
>
> I thought you were supposed to do an addslashes to protect your appl from
> malicious d/e.
Adding slashes to the data is nowhere near enough protection. Jeremiah is right
in saying that prepared statements are the best option available at the moment.
> Did not know that mysql drops the slashes.
I recommend that you look further into why you are doing things like that,
especially when it's security-related. The more you know about what is
happening and why the better your software will be.
In this particular case, the slashes are designed to mark quotes as part of the
data and not the end of the data. For example...
"this is an unescaped string containing " a quotation mark"
The MySQL parser will see the " in the middle and decide that that's the end of
the data. However...
"this is an escaped string containing \" a quotation mark"
The parser will see the \ before the " and that tells it the quote is part of
the data. Because the \ is only there to tell it that, it doesn't get left in
the data when it's pushed into the database.
But escaping quotes (i.e. addslashes) is not enough to protect against SQL
injection, and neither is mysql_real_escape_string as Shawn suggested. Prepared
statements are the best option.
-Stuart
--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
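The point Stuart makes above (escaping quotes is not enough; prepared statements bind data separately from the query) is shown below in an added example that is not part of the original thread. It uses PDO with an in-memory SQLite database so it runs without a MySQL server (assumption: the pdo_sqlite extension is loaded); the table, rows and the `1 OR 1=1` input are constructed for the demonstration.

```php
<?php
// Added example, not code from the mailing-list thread. Shows why escaping
// alone fails and how a prepared statement keeps the input as data.
// Assumption: PDO with the SQLite driver is available.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed input, e.g. the value of ?id=... in a request.
$userInput = '1 OR 1=1';

// 1. Escaping only marks quote characters. In an unquoted numeric context there
//    is nothing to escape, so the text is spliced straight into the SQL.
$escaped = addslashes($userInput);          // unchanged: the input has no quotes
$sql = "SELECT name FROM users WHERE id = $escaped";
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
printf("escaped/unquoted: %s -> %d row(s)\n", $sql, count($rows)); // 2 rows: every user

// 2. A prepared statement sends the query text and the value separately; the
//    value is bound as data and cannot change the structure of the query.
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = ?');
$stmt->execute([$userInput]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
printf("prepared: %d row(s)\n", count($rows)); // 0 rows: '1 OR 1=1' is not a valid id

// 3. The same statement with a legitimate value behaves normally.
$stmt->execute([2]);
print_r($stmt->fetchAll(PDO::FETCH_COLUMN)); // Array ( [0] => bob )
```

Against MySQL, PDO emulates prepared statements on the client by default; set `PDO::ATTR_EMULATE_PREPARES` to `false` on the connection so the server itself parses the query and binds the values.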
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php