RE: [PHP] is it safe to stripslashes() on all form variables?
> Disabling magic quote will reduce amount of code and increase
> performance a little, unless application is very small. Without
> magic_quote, script does not have to get rid of slashes to use
> value from browser and add slashes again before feeding to
> database. Code would be cleaner and easier to read also.
> (Especially for programmers who are not used to PHP.)

And, you should never assume magic quotes is on or off. If you're developing for an environment you cannot control, but using an environment that you CAN control, you should code around magic quotes' presence or absence as necessary:

This code would happily exist on servers both with and without magic quotes enabled.

Jason

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] is it safe to stripslashes() on all form variables?
Previous post does not address how to avoid making this kind of security hole.

Anyway, if anyone wants to avoid creating a security hole like this:

Do not stripslashes() slashes added by magic_quote. If you use stripslashes(), use addslashes() again. If you do not use magic_quote, use addslashes() before feeding to database, shell or whatever that might be dangerous w/o slashes.

Disabling magic quote will reduce amount of code and increase performance a little, unless application is very small. Without magic_quote, script does not have to get rid of slashes to use value from browser and add slashes again before feeding to database. Code would be cleaner and easier to read also. (Especially for programmers who are not used to PHP.)

Hope this helps someone.

--
Yasuo Ohgaki

"Yasuo Ohgaki" <[EMAIL PROTECTED]> wrote in message news:9bg8tl$rvl$[EMAIL PROTECTED]...
> If you strip slashes, it will make a security hole.
>
> For example,
>
> SELECT * FROM tablename WHERE name = '$name';
> what if $name is
> \'garbage\';DROP TABLE tablename;SELECT \'something
>
> After stripslashes($name)
> SELECT * FROM table WHERE name = 'garbage';DROP TABLE tablename;SELECT
> 'something';
>
> Regards,
> --
> Yasuo Ohgaki
>
> "Noah Spitzer-Williams" <[EMAIL PROTECTED]> wrote in message news:9bf7ec$m1m$[EMAIL PROTECTED]...
> > would there be any problems caused if i used the stripslashes() function on
> > all posted variables from a form to eliminate sql query errors?
> >
> > - Noah
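As an added example, not code from anyone in this thread, the PHP below implements what Yasuo and Jason describe: hold the raw browser value whether or not magic_quotes_gpc is on, and escape exactly once at the database boundary. The function names raw_input(), sql_literal() and lookup_by_name_query() are my own; `tablename` and the sample payload are taken from Yasuo's post.

```php
<?php
// Added example (not from the thread). Hold the raw browser value regardless
// of magic_quotes_gpc, then escape exactly once at the SQL boundary.

// get_magic_quotes_gpc() exists in PHP 4 to 7.4 and was removed in PHP 8,
// where magic quotes no longer exist, so its absence means "already raw".
function raw_input($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return is_array($value) ? array_map('raw_input', $value) : stripslashes($value);
    }
    return $value;
}

// Escape once, at the boundary. addslashes() escapes ' " \ and NUL;
// mysql_escape_string() (Alexander's question) additionally escapes
// \n, \r and \x1a, which MySQL treats specially. With a live link,
// mysqli_real_escape_string() is charset-aware, and prepared statements
// (mysqli/PDO) avoid building the SQL string at all.
function sql_literal($value)
{
    return "'" . addslashes($value) . "'";
}

// The query from Yasuo's post, built from the raw value.
function lookup_by_name_query($raw_name)
{
    return "SELECT * FROM tablename WHERE name = " . sql_literal($raw_name);
}

// Constructed input: the payload from the thread, as the browser sent it
// (no slashes) and as PHP hands it over when magic_quotes_gpc is on.
$as_sent  = "'garbage';DROP TABLE tablename;SELECT 'something";
$as_magic = addslashes($as_sent);   // what $_POST holds under magic quotes

// Simulate both servers: removing magic-quote slashes is only a problem
// when nothing re-escapes afterwards; here sql_literal() always does.
foreach (array('magic quotes off' => $as_sent,
               'magic quotes on'  => stripslashes($as_magic)) as $env => $raw) {
    $query = lookup_by_name_query($raw);
    // Both print:
    // SELECT * FROM tablename WHERE name = '\'garbage\';DROP TABLE tablename;SELECT \'something'
    // The quote stays inside the literal, so DROP TABLE never becomes a statement.
    echo "$env: $query\n";
}

// The mistake in the original question, for contrast: stripslashes() on every
// variable plus direct interpolation rebuilds the injected query from Yasuo's post.
$unsafe = "SELECT * FROM tablename WHERE name = '" . stripslashes($as_magic) . "'";
```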
Re: [PHP] is it safe to stripslashes() on all form variables?
If you strip slashes, it will make a security hole.

For example,

SELECT * FROM tablename WHERE name = '$name';
what if $name is
\'garbage\';DROP TABLE tablename;SELECT \'something

After stripslashes($name)
SELECT * FROM table WHERE name = 'garbage';DROP TABLE tablename;SELECT 'something';

Regards,
--
Yasuo Ohgaki

"Noah Spitzer-Williams" <[EMAIL PROTECTED]> wrote in message news:9bf7ec$m1m$[EMAIL PROTECTED]...
> would there be any problems caused if i used the stripslashes() function on
> all posted variables from a form to eliminate sql query errors?
>
> - Noah
Re: [PHP] is it safe to stripslashes() on all form variables?
Thus spoke Noah Spitzer-Williams on Mon, Apr 16, 2001 at 12:45:43PM -0400:
> would there be any problems caused if i used the stripslashes() function on
> all posted variables from a form to eliminate sql query errors?

Uhm, why stripslashes() the values? Wouldn't it be better to addslashes() the value, and then when retrieving the values from the database to stripslashes() the value? With addslashes(), you'd be sure that everything is properly escaped.

BTW: Where's the difference between addslashes() and the undocumented function mysql_escape_string()? (see http://php.net/ChangeLog-4.php#4.0.3)

Alexander Skwar
--
How to quote: http://learn.to/quote (german) http://quote.6x.to (english)
Homepage: http://www.digitalprojects.com | http://www.iso-top.de
iso-top.de - The inexpensive way to get Linux distributions
Uptime: 2 hours 13 minutes
Re: [PHP] is it safe to stripslashes() on all form variables?
Jesus that's pretty scary! So how should i go about doing this?

"Yasuo Ohgaki" <[EMAIL PROTECTED]> wrote in message news:9bflce$9p5$[EMAIL PROTECTED]...
> If you strip slashes, it will make a security hole.
>
> For example,
>
> SELECT * FROM tablename WHERE name = '$name';
> what if $name is
> \'garbage\';DROP TABLE tablename;SELECT \'something
>
> After stripslashes($name)
> SELECT * FROM table WHERE name = 'garbage';DROP TABLE tablename;SELECT
> 'something';
>
> Regards,
> --
> Yasuo Ohgaki
>
> "Noah Spitzer-Williams" <[EMAIL PROTECTED]> wrote in message news:9bf7ec$m1m$[EMAIL PROTECTED]...
> > would there be any problems caused if i used the stripslashes() function on
> > all posted variables from a form to eliminate sql query errors?
> >
> > - Noah
RE: [PHP] is it safe to stripslashes() on all form variables? [ security hole !!! ]
Yasuo,

I didn't quite follow this. What are those special characters below in your $name example?

TIA
Kirk

> -----Original Message-----
> If you strip slashes, it will make a security hole.
>
> For example,
>
> SELECT * FROM tablename WHERE name = '$name';
> what if $name is
> \'garbage\';DROP TABLE tablename;SELECT \'something
>
> After stripslashes($name)
> SELECT * FROM table WHERE name = 'garbage';DROP TABLE tablename;SELECT
> 'something';
>
> Regards,
> --
> Yasuo Ohgaki
Re: [PHP] is it safe to stripslashes() on all form variables?
As long as you don't need to ever store a forward slash :)

Beyond that, nope. stripslash() away.

--
Plutarck
Should be working on something...
...but forgot what it was.

"Noah Spitzer-Williams" <[EMAIL PROTECTED]> wrote in message news:9bf7ec$m1m$[EMAIL PROTECTED]...
> would there be any problems caused if i used the stripslashes() function on
> all posted variables from a form to eliminate sql query errors?
>
> - Noah
[PHP] is it safe to stripslashes() on all form variables?
would there be any problems caused if i used the stripslashes() function on all posted variables from a form to eliminate sql query errors?

- Noah