Posted by Erwin Moller on 05/15/06 17:03
Areric wrote:
> Hey all,
>
> I recently got in a bit of a fight with my webhost because he made some
> changes to my server. Specifically they updated PHP without telling me.
> They are now running PHP 4.4.1 (not sure what it was before).
>
> Anyway, I mention that because I had a script that uploaded the content of
> an image to a DB, then displayed it straight from the DB using gdlib.
> Before I stored the content of the image I did an addslashes() and
> before I displayed it I did a stripslashes().
>
> Now my opinion of those functions is that they are designed to prevent
> injection attacks by delimiting commonly used SQL escapes. Seeing as
> how it's not too hard to write a SQL script and save it as a .jpg, I
> wanted to make sure I prevented this.
Chances are that the hosting company changed php.ini too.
Just check for magic_quotes; you can also access the value using
getmagicquotesgpc() or something named similar to that.
If you don't like the changes, just modify your script so that it always
handles the different settings in php.ini correctly.
>
> Well, I'm still doing both functions but it doesn't seem to be working
> anymore since the upgrade. Specifically the number of bytes passed into
> the addslashes() doesn't match the number of bytes returned from the
> stripslashes(). The variable after the strip is significantly smaller.
Probably the removed slashes...
>
> Does anyone know what could be causing this, and if there is some sort
> of defect with this version of PHP?
No, just read the manual on magic_quotes.
www.php.net
>
> My impression is that it's stripping out slashes it doesn't need to be,
> and seeing as how the binary content of an image file is pretty strange,
> it's possible slashes could be in there as valid characters.
I have no idea, I never study binary representations of images.
Regards,
Erwin Moller
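
The byte-count mismatch described in the question can be reproduced without a database. The PHP sketch below is an added example, not code from either poster: the sample bytes are constructed, `sql_literal_to_stored()` and `read_blob()` are hypothetical helpers, and `stripslashes()` is used as a stand-in for the SQL parser consuming the escapes of a string literal.

```php
<?php
// Constructed sample bytes standing in for image data. They contain every
// character addslashes() escapes: backslash, single quote, double quote, NUL.
$image = "\xFF\xD8\xFF\xE0\x00\x10JFIF\\'\"\\\\\x00\xFF\xD9";

// Hypothetical stand-in for the SQL parser (assumption): parsing an escaped
// string literal consumes the escape backslashes, so the column holds the
// raw bytes, not the escaped form.
function sql_literal_to_stored($literal)
{
    return stripslashes($literal);
}

// Hypothetical read helper: strip only when PHP itself added slashes on
// read (magic_quotes_runtime). get_magic_quotes_runtime() exists in
// PHP 4 to 7 and was removed in PHP 8, hence the function_exists() guard.
function read_blob($value)
{
    $runtime_quotes = function_exists('get_magic_quotes_runtime')
        && get_magic_quotes_runtime();
    return $runtime_quotes ? stripslashes($value) : $value;
}

$escaped = addslashes($image);              // what is placed in the INSERT
$stored  = sql_literal_to_stored($escaped); // what the column ends up holding
$read    = $stored;                         // a SELECT returns the column as-is

// Unconditional stripslashes() on data that is no longer escaped: every
// backslash that legitimately belongs to the binary content is eaten.
$broken = stripslashes($read);
$intact = read_blob($read);

function report($label, $bytes, $original)
{
    printf("%-22s %3d bytes, identical to original: %s\n",
        $label, strlen($bytes), var_export($bytes === $original, true));
}

report('original', $image, $image);
report('after addslashes()', $escaped, $image);
report('stored / read back', $stored, $image);
report('extra stripslashes()', $broken, $image);
report('read_blob()', $intact, $image);
```

Run on a current PHP, where the magic_quotes settings no longer exist, only the unconditional `stripslashes()` result differs from the original, and it is the shorter one.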