Posted by Ken Robinson on 04/23/06 00:11
Cruella DeVille wrote:
> I must have some errors in my understanding of strip- vs addslashes.
> I thought that if a user submitted e.g. a username, like this:
> username=siv' drop database test; I should addslashes to escape ' and "
> and therefore prohibit the evil user from dropping/changing my database through
> SQL injection (my example may not be correct, but I believe it points
> out that an evil user can add SQL commands through an input field).
>
> But - I've been reading lots of code lately, and I see that others use
> stripslashes instead of addslashes. And my question is why. What did I
> miss? Has it something to do with gpc_magic_quotes?
If magic quotes is enabled, then when data is entered via forms any
quotes are automatically quoted with backslashes. That is why most
people use the stripslashes() function. What you should be using on
data that is to be inserted into your database is the function
mysql_real_escape_string(). This function not only escapes quotes but
other characters that could cause problems. See the manual page for
more information. <http://www.php.net/mysql_real_escape_string>
Ken
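The sequence Ken describes (undo magic quotes with stripslashes(), then escape properly, or better, bind the value) as an added example; this is not code from the thread. It stands in PDO with an in-memory SQLite database for the old mysql extension so it runs offline, simulates magic_quotes_gpc with addslashes() (the real setting was removed in PHP 5.4), and uses PDO::quote() as the driver-aware counterpart of mysql_real_escape_string(). The inputs are constructed.

```php
<?php
// Added example, not code from the thread. Uses PDO with an in-memory SQLite
// database so it runs offline; the PHP-side logic is identical for MySQL.
// Requires the pdo_sqlite extension.

// magic_quotes_gpc (PHP < 5.4) backslash-escaped ' " \ and NUL in every GET,
// POST and COOKIE value before the script ran. Simulated here with addslashes()
// so the script also runs on PHP >= 5.4, where magic quotes no longer exist.
function as_received_with_magic_quotes(string $typed): string {
    return addslashes($typed);
}

// First step in any script that had to cope with magic quotes: undo them, so the
// rest of the code works on what the user actually typed.
function normalize(string $received, bool $magic_quotes_on): string {
    return $magic_quotes_on ? stripslashes($received) : $received;
}

function make_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT)');
    return $pdo;
}

// Unsafe: the value is spliced straight into the SQL text, so a quote in the
// input terminates the string literal and the rest is parsed as SQL.
function insert_unsafe(PDO $pdo, string $username): void {
    $pdo->exec("INSERT INTO users (username) VALUES ('$username')");
}

// Escaped: PDO::quote() plays the role of mysql_real_escape_string() here
// (it also adds the surrounding quotes itself).
function insert_quoted(PDO $pdo, string $username): void {
    $pdo->exec('INSERT INTO users (username) VALUES (' . $pdo->quote($username) . ')');
}

// Preferred on any PHP that still runs: a prepared statement. The value is sent
// separately from the SQL, so no escaping step can be forgotten or doubled.
function insert_prepared(PDO $pdo, string $username): void {
    $stmt = $pdo->prepare('INSERT INTO users (username) VALUES (?)');
    $stmt->execute([$username]);
}

function stored_usernames(PDO $pdo): array {
    return $pdo->query('SELECT username FROM users')->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a legitimate name containing a quote, and an attempt to
// break out of the string literal.
$typed = ["O'Brien", "siv'); DROP TABLE users; --"];

foreach ($typed as $t) {
    $received = as_received_with_magic_quotes($t);
    $clean    = normalize($received, true);

    // 1. Escaping already magic-quoted input (the mistake behind the question):
    //    the table ends up holding O\'Brien, with a backslash the user never typed.
    $pdo = make_db();
    insert_quoted($pdo, $received);
    printf("double-escaped : %s\n", json_encode(stored_usernames($pdo)));

    // 2. Raw interpolation of the real input: the quote ends the literal and the
    //    statement no longer parses (or, with other payloads, does something else).
    $pdo = make_db();
    try {
        insert_unsafe($pdo, $clean);
    } catch (PDOException $e) {
        printf("unsafe         : SQL error: %s\n", $e->getMessage());
    }

    // 3. stripslashes() first, then a real escape or a bound parameter: the stored
    //    value is exactly what was typed, and the payload is just a string.
    $pdo = make_db();
    insert_quoted($pdo, $clean);
    printf("quoted         : %s\n", json_encode(stored_usernames($pdo)));

    $pdo = make_db();
    insert_prepared($pdo, $clean);
    printf("prepared       : %s\n", json_encode(stored_usernames($pdo)));
}
```

Two caveats for anyone reading this thread today: the mysql extension, and with it mysql_real_escape_string(), was removed in PHP 7, and magic quotes were removed in PHP 5.4, so on a current PHP the stripslashes() step is unnecessary and the escaping function to reach for is mysqli_real_escape_string() or, as above, a prepared statement through PDO or mysqli. Escaping also only protects values inside quoted string literals; a number interpolated without quotes, or a table or column name, needs validation rather than escaping.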