Posted by Jerry Stuckle on 05/15/06 17:34
Areric wrote:
> Hey all,
>
> I recently got in a bit of a fight with my webhost because he made some
> changes to my server. Specifically they updated PHP without telling me.
> They are now running PHP 4.4.1 (not sure what it was before).
>
> Anyway I mention that because I had a script that uploaded the content of
> an image to a DB, then displayed it straight from the DB using gdlib.
> Before I store the content of the image I did an addslashes() and
> before I displayed it I did a stripslashes().
>
> Now my opinion of those functions is that they are designed to prevent
> injection attacks by delimiting commonly used SQL escapes. Seeing as
> how it's not too hard to write a SQL script and save it as a .jpg I
> wanted to make sure I prevented this.
>
> Well I'm still doing both functions but it doesn't seem to be working
> anymore since the upgrade. Specifically the number of bytes passed into
> the addslashes() doesn't match the number of bytes returned from the
> stripslashes(). The variable after the strip is significantly smaller.
>
> Does anyone know what could be causing this, and if there is some sort
> of defect with this version of PHP?
>
> My impression is that it's stripping out slashes it doesn't need to be,
> and seeing as how the binary content of an image file is pretty strange
> it's possible slashes could be in there as valid characters.
>
>
You shouldn't be using addslashes() before putting it into the database. You should
use mysql_escape_string() (or, for later versions of MySQL, the more preferable
mysql_real_escape_string()) instead.
Then you don't need to call stripslashes() afterwards.
And the change may be that they set magic_quotes_gpc to off, either by a change
in the default or by changing the php.ini file.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
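As an added example, not code from this thread: a stand-alone PHP script that simulates the MySQL round trip offline to show why the addslashes()/stripslashes() pair loses bytes from binary data, and why escaping once on the way in and never un-escaping on the way out keeps the image intact. escape_for_mysql_literal() is a stand-in for mysql_real_escape_string(), which needs a live connection, and decode_mysql_literal() models how MySQL decodes backslash escapes when it parses a quoted string literal; both are assumptions of the example, and the sample bytes are constructed.

```php
<?php
// Stand-in for mysql_real_escape_string() (assumption: no live connection here).
// Escapes the bytes a MySQL string literal cannot carry raw.
function escape_for_mysql_literal($bytes) {
    return strtr($bytes, array(
        "\x00" => '\\0', "\n" => '\\n', "\r" => '\\r', "\\" => '\\\\',
        "'" => "\\'", '"' => '\\"', "\x1a" => '\\Z',
    ));
}

// Models what MySQL stores from a quoted literal: backslash escapes are
// decoded, so the bytes on disk are the original bytes, not the escaped ones.
function decode_mysql_literal($literal) {
    $map = array('0' => "\x00", 'n' => "\n", 'r' => "\r", 'Z' => "\x1a",
                 '\\' => "\\", "'" => "'", '"' => '"', 'b' => "\x08", 't' => "\t");
    $out = '';
    $len = strlen($literal);
    for ($i = 0; $i < $len; $i++) {
        $c = $literal[$i];
        if ($c === "\\" && $i + 1 < $len) {
            $n = $literal[++$i];
            $out .= isset($map[$n]) ? $map[$n] : $n; // unknown escape: backslash dropped
        } else {
            $out .= $c;
        }
    }
    return $out;
}

// Constructed "image": JPEG-like header plus a backslash, quotes, NUL and 0x1A,
// the kinds of bytes real binary data contains.
$image = "\xFF\xD8\xFF\xE0\x00\x10JFIF\\it's \"raw\"\x1a\x00bytes\\\\end";

// Path from the thread: addslashes() going in, stripslashes() coming out.
// The DB already holds the original bytes, so stripslashes() eats real backslashes.
$stored_old  = decode_mysql_literal(addslashes($image));
$fetched_old = stripslashes($stored_old);

// Escape once going in, use the fetched bytes exactly as returned.
$stored_new  = decode_mysql_literal(escape_for_mysql_literal($image));
$fetched_new = $stored_new;

printf("original:             %d bytes\n", strlen($image));
printf("addslashes/strip:     %d bytes, intact: %s\n",
       strlen($fetched_old), var_export($fetched_old === $image, true));
printf("escape once/no strip: %d bytes, intact: %s\n",
       strlen($fetched_new), var_export($fetched_new === $image, true));
```

The first path comes back two bytes short because the stored data contains two literal backslash sequences that stripslashes() collapses; a prepared statement with the image bound as a BLOB parameter avoids the escaping question entirely on newer PHP/MySQL stacks.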