|
|
Posted by Areric on 05/15/06 15:51
hey all,
I recently got in a bit of a fight with my webhost because he made some
changes to my server. Specifically they updated php without telling me.
They are now running PHP 4.4.1 (not sure what it was before).
Anyway i mention that cause i had a script that uploaded the content of
an image to a DB, then displayed it straight from the DB using gdlib.
Before i store the content of the image i did an addslashes() and
before i displayed it i did a stripslashes().
Now my opinion of those functions is that they are designed to prevent
injection attacks by deliminting commonly used sql escapes. Seeing as
how its not too hard to write a sql script and save it as a .jpg i
wanted to make sure i prevented this.
Well im still doing both functions but it doesnt seem to be working
anymore since the upgrade. Specifically the number of bytes passed into
the addslashes() doesnt match the number of bytes returned from the
stripslashes(). The variable after the strip is signifigantly smaller.
Does anyone know what could be causing this, and if there is some sort
of defect with this version of PHP?
My impression is that its stripping out slashes it doesnt need to be,
and seeing as how the binary content of an image file is pretty strange
its possible slashes could be in there as valid characters.
Navigation:
[Reply to this message]
|