Re: Secure data management

On 4 Oct 2011, at 20:44, Jim Giner wrote:

> "Stuart Dallas" <stuart@xxxxxxxx> wrote in message 
> news:DA8B3499-4D11-4053-9834-68B34D030897@xxxxxxxx...
> 1. Why are you using addslashes?
> 
> 2. MySQL will strip one level of backslashes.
> *********
> 
> 
> I thought you were supposed to do an addslashes to protect your appl from 
> malicious d/e.

Adding slashes to the data is nowhere near enough protection. Jeremiah is right in saying that prepared statements are the best option available at the moment.

> Did not know that mysql drops the slashes. 

I recommend that you look further into why you are doing things like that, especially when it's security-related. The more you know about what is happening and why the better your software will be.

In this particular case, the slashes are designed to mark quotes as part of the data and not the end of the data. For example...

    "this is an unescaped string containing " a quotation mark"

The MySQL parser will see the " in the middle and decide that that's the end of the data. However...

    "this is an escaped string containing \" a quotation mark"

The parser will see the \ before the " and that tells it the quote is part of the data. Because the \ is only there to tell it that, it doesn't get left in the data when it's pushed into the database.

But escaping quotes (i.e. addslashes) is not enough to protect against SQL injection, and neither is mysql_real_escape_string as Shawn suggested. Prepared statements are the best option.

-Stuart

-- 
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
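An added illustration of the point Stuart makes above (example code written for this archive page, not from the thread): the same lookup built with addslashes() and with a prepared statement. It assumes a hypothetical `users(id, email)` table and a PDO connection; the credentials are placeholders.

```php
<?php
// Added example, not from the original thread. Assumes a MySQL table
// users(id INT, email VARCHAR(255)) and a PDO connection (hypothetical).

// 1. addslashes() only backslashes quotes, backslashes and NUL. It knows
//    nothing about the connection's character set and offers no protection
//    for values used outside quotes (e.g. WHERE id = $id), so a query
//    assembled like this is still open to SQL injection.
function findUserWithAddslashes(PDO $pdo, string $email): ?array
{
    $sql = "SELECT id, email FROM users WHERE email = '" . addslashes($email) . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. Prepared statement: the SQL text reaches the server on its own and the
//    value is bound separately, so the parser never treats it as SQL and no
//    escaping (and no stripping of backslashes) is involved at all.
function findUserPrepared(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Disable client-side emulation so MySQL itself binds the parameters; with
// emulation on, PDO escapes and interpolates the value locally instead.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

// The thread's own case: a value that contains a quotation mark. The
// prepared version stores and matches it exactly as typed.
$input = 'this is a string containing " a quotation mark';
var_dump(findUserPrepared($pdo, $input)); // NULL unless such a row exists
```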



