On Tue, 21 Dec 2010 00:32:19 -0500 Paul M Foster <paulf@xxxxxxxxxxxxxxxxx> wrote:

> On Tue, Dec 21, 2010 at 05:31:15AM +0100, Rico Secada wrote:
>
> > Hi.
> >
> > In an article about SQL Injection by Chris Shiflett he mentions the
> > following in a comment: "The process of escaping should preserve
> > data, so it should never be necessary to reverse it. When I'm
> > auditing an application, things like stripslashes() alert me to
> > design problems."
> >
> > Now, I'm always using PHP PDO with prepared statements and as such
> > data with quotes gets slashed automatically by PDO when inserted
> > into the database.
>
> Just out of idle curiosity, are you using MySQL? PDO shouldn't be
> backslashing quotes for PostgreSQL, as the PostgreSQL convention for
> values containing single quotes is to double the quotes, as: ''.

Currently I'm working with MySQL, but I have just tested PDO with
PostgreSQL 8.3 and in this case PDO backslashes PostgreSQL as well.

> > When I need to pull out the data something might be slashed and I
> > need to use stripslashes() or some str_replace() to make sure that
> > the slashes are removed.
> >
> > So what's the mistake here and what's the correct way to do it?
>
> I don't see a mistake. If the values come out of the database
> backslashed, then you need to remove them to work with the data. My
> only question would be whether you're sure the data is backslashed
> before PDO ever sees it. In which case, yes, you have a problem.

No, the data is not slashed before PDO sees it.

I didn't see a mistake either, but then what does Chris mean? Stripping
slashes from output from the DB alerts him to a design problem, and I'm
just wondering if there is another way of doing things I just haven't
heard of.

> Paul
>
> --
> Paul M. Foster
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
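A round-trip check for the behaviour debated in this thread, added here as example code (it is not from any participant): it inserts a value containing quotes through a PDO prepared statement and reads it back, so the reader can see where backslashes do and do not come from. It assumes PHP's PDO SQLite driver (an in-memory database) and uses a constructed table and sample value.

```php
<?php
// Added example, not from the thread. Demonstrates that a PDO prepared
// statement stores the bound value verbatim, so a stored value that needs
// stripslashes() on the way out was escaped a second time *before* PDO saw
// it (e.g. addslashes() on the input, or the legacy magic_quotes_gpc
// setting rewriting $_POST). Uses an in-memory SQLite database; the table
// and the sample value below are constructed for this example.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

$original = "O'Reilly said \"it's fine\"";   // constructed sample value

$ins = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');

// 1. Correct: bind the raw value. The driver handles quoting on the wire;
//    the stored bytes are exactly the bytes passed in.
$ins->execute([':body' => $original]);

// 2. Design problem: escaping before binding escapes the value twice, and
//    the backslashes become part of the data. This is the situation in
//    which stripslashes() starts appearing on the output path.
$ins->execute([':body' => addslashes($original)]);

// Read both rows back through a prepared statement as well.
$sel = $pdo->prepare('SELECT body FROM notes WHERE id = :id');

$sel->execute([':id' => 1]);
$roundTrip = $sel->fetchColumn();

$sel->execute([':id' => 2]);
$doubleEscaped = $sel->fetchColumn();

// Audit check (hypothetical helper for this example): a stored value that
// changes under stripslashes() carries escaping that belongs to transport,
// not to the data. Treat a hit as a pointer to the input path that added it,
// and fix that path rather than stripping slashes on output.
function looksDoubleEscaped(string $stored): bool
{
    return $stored !== stripslashes($stored);
}

echo 'row 1 identical to input: ', var_export($roundTrip === $original, true), PHP_EOL;
echo 'row 1 looks double-escaped: ', var_export(looksDoubleEscaped($roundTrip), true), PHP_EOL;
echo 'row 2 identical to input: ', var_export($doubleEscaped === $original, true), PHP_EOL;
echo 'row 2 looks double-escaped: ', var_export(looksDoubleEscaped($doubleEscaped), true), PHP_EOL;
```

Running the same check against a real MySQL or PostgreSQL connection (swap the DSN) shows whether the slashes reported in the thread are added by the driver or were already in the value when it was bound.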