  • #1 zachbb (New Coder, joined Feb 2009)

    Safely adding to a database: mysql_real_escape_string, stripslashes?

    Hi

    I have been using stripslashes() in the following way for all of my SQL queries:


    PHP Code:
    if (get_magic_quotes_gpc()) {
        $product_name = stripslashes($_POST['product_name']);
    }
    I recently came across mysql_real_escape_string. Is it necessary to use this as well as stripslashes? Or is it one or the other?

    Are there any other functions that should be used before inserting variables into an SQL query?
    Last edited by zachbb; 02-25-2009 at 06:23 PM.

  • #2 tomws (Senior Coder, Arkansas)
    See example 3 on the mysql_real_escape_string man page for best practices.
    Are you a Help Vampire?


  • #3 Fou-Lu (God Emperor, Saskatoon, Saskatchewan)
    To extend your actual question: yes, you do.
    The problem is that mysql_real_escape_string (or the other DB sanitizing methods) is not sensitive to magic_quotes_gpc. For this reason, if you don't perform a stripslashes on it before sanitizing it, it will result in unwanted slashes.
    Example:
    PHP Code:
    // user submitted name: O'Neil
    // With magic_quotes_gpc enabled:
    print $_POST['name']; // O\'Neil
    print mysql_real_escape_string($_POST['name']); // O\\\'Neil <-- Bad to have. 
    So, you need to strip the slashes added by magic_quotes_gpc, which removes the escape sequence, changing O\'Neil to O'Neil. mysql_real_escape_string from this point takes care of escaping the slashes (and other characters) to result in O\'Neil, which is what you want.

    I have a tutorial in the snippets as well for GPC stripping at a global level. And as I mention in it (it's a long block of code), you can do it in as few as... 5 lines of code I think it was, or 8, one of the two.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)
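    The O'Neil walkthrough in post #3, as an added example that is not code from this thread and runs without a database: magic_quotes_gpc is simulated with addslashes(), and demo_escape() is a stand-in I wrote using the character set that the mysql_real_escape_string documentation lists (it is not charset-aware, so it only serves the demo; real code must use the connection-aware function).

```php
<?php
// Added example (not from the thread): reproduces the O'Neil case from post #3
// without needing a MySQL connection.

// Stand-in escaper with the same character set that mysql_real_escape_string
// documents (NUL, \n, \r, \, ', ", Ctrl-Z). It ignores the connection charset,
// so it is only a demo aid, not a replacement for the real function.
function demo_escape($s)
{
    return strtr($s, array(
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ));
}

// Constructed sample input, and what $_POST['name'] would hold with
// magic_quotes_gpc enabled (PHP runs addslashes() over GPC data).
$submitted = "O'Neil";
$gpc       = addslashes($submitted);

// Escape without stripping (post #4's approach) versus strip, then escape (post #7).
$escape_only      = demo_escape($gpc);
$strip_then_escape = demo_escape(stripslashes($gpc));

// stripslashes() models what the SQL parser does with one level of escaping,
// i.e. the value MySQL would actually store for each variant.
$stored_escape_only       = stripslashes($escape_only);
$stored_strip_then_escape = stripslashes($strip_then_escape);

printf("raw input:                %s\n", $submitted);
printf("after magic_quotes_gpc:   %s\n", $gpc);
printf("escape only:              %s\n", $escape_only);
printf("strip then escape:        %s\n", $strip_then_escape);
printf("stored (escape only):     %s\n", $stored_escape_only);
printf("stored (strip+escape):    %s\n", $stored_strip_then_escape);
```

    Running it with any PHP interpreter shows the escape-only line carrying three backslashes before the apostrophe while the strip-then-escape line carries one, and only the second variant stores the name as the user typed it; that is the O\\\'Neil versus O\'Neil difference the post describes, and it grows by one backslash per round trip if the escape-only version is used to re-insert data that was read back.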

  • #4 zachbb (New Coder)
    So are you saying that this would not work because extra slashes would be added?

    PHP Code:
    if (!get_magic_quotes_gpc()) {
        $data = addslashes($data);
    }
    $data = mysql_real_escape_string($data);
    Zach

  • #5 Fou-Lu (God Emperor)
    Don't mistake me, it will still work. The data just would not be desirable.
    The above code would first addslashes the data, and then it would be escaped by mysql_real_escape_string. That will always result in O\\\'Neil, and every time data is selected and inserted (minus the possibility of magic_quotes_runtime), you will add one more escape sequence. If your magic_quotes_runtime is enabled, it would double that up again.
    With that note, also set_magic_quotes_runtime(0). This can be edited on a runtime basis and will prevent escaping of data coming from external resources such as files and SQL.

  • #6 zachbb (New Coder)
    I'm a bit confused...

    Are you saying that you're supposed to do this to add data:
    PHP Code:
    if (!get_magic_quotes_gpc()) {
        $data = addslashes($data);
    }
    $data = mysql_real_escape_string($data);
    and then when you retrieve data from the database, do this:
    PHP Code:
    // get the data and store it in $data
    $data = stripslashes($data);
    What's the standard way of doing things?

  • #7 Fou-Lu (God Emperor)
    Other way around, always strip, then escape.
    PHP Code:
    if (@get_magic_quotes_gpc()) {
        $data = stripslashes($data); // Removes magic_quotes_gpc slashes
    }
    $data = mysql_real_escape_string($data);
    This is especially important since PHP6 will officially remove magic_quotes_gpc from their settings and it can no longer be relied on (finally). The @ is simply used because I'm not certain if PHP6 will deprecate the get_magic_quotes_gpc function or if they will simply remove it. Either way, this code should still work in PHP6 and will fix it for PHP4 and 5.
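    The "always strip, then escape" rule from post #7 together with the set_magic_quotes_runtime(0) advice from post #5, as an added example that is not code from this thread. It assumes a live mysqli connection and uses mysqli_real_escape_string as the mysqli counterpart of the mysql_real_escape_string discussed above (the mysql_* functions no longer exist in current PHP); the host, credentials, table and column names are placeholders, and the function_exists() guards are mine so the helper also loads on PHP versions where the magic-quotes functions have been removed.

```php
<?php
// Added example (not from the thread): one helper that applies post #7's order
// (strip magic_quotes_gpc slashes first, escape once second), plus post #5's
// magic_quotes_runtime note. Placeholder connection details throughout.

// Post #5: stop PHP from adding slashes to data read from files and query results.
// Guarded because set_magic_quotes_runtime() was removed in PHP 7.
if (function_exists('set_magic_quotes_runtime')) {
    @set_magic_quotes_runtime(0);
}

// Returns a value safe to place between single quotes in a MySQL statement.
// Order matters: undo magic_quotes_gpc first, then escape exactly once for the
// connection's character set. Doing it the other way round doubles the slashes.
function db_escape(mysqli $link, $value)
{
    // get_magic_quotes_gpc() was removed in PHP 8; the guard keeps this portable.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);   // remove the slashes PHP added on input
    }
    return mysqli_real_escape_string($link, $value);
}

// Placeholder connection (hypothetical host, user, password and database name).
$link = mysqli_connect('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER',
                       'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if (!$link) {
    die('connect failed: ' . mysqli_connect_error());
}
// Escaping is charset-aware, so set the connection charset before escaping anything.
mysqli_set_charset($link, 'utf8mb4');

// Constructed fallback input so the script can be run without a form post.
$raw          = isset($_POST['product_name']) ? $_POST['product_name'] : "O'Neil";
$product_name = db_escape($link, $raw);

// Hypothetical table/column names; the escaped value still needs its quotes.
$sql = "INSERT INTO products (name) VALUES ('" . $product_name . "')";
if (!mysqli_query($link, $sql)) {
    die('insert failed: ' . mysqli_error($link));
}

// Reading it back needs no stripslashes(): the escaping was consumed by the SQL
// parser, so with magic_quotes_runtime off the stored value is the original text.
$res = mysqli_query($link, "SELECT name FROM products ORDER BY id DESC LIMIT 1");
$row = mysqli_fetch_assoc($res);
echo $row['name'], "\n";
mysqli_close($link);
```

    This keeps the escaping in one place so no caller can get the order wrong, which answers the question in post #6: strip and escape happen once, on the way in, and nothing is done on the way out. The thread predates it, but on PHP 5.1 and later the same insert is better written as a mysqli or PDO prepared statement, which sends the value separately from the SQL text and makes the manual escaping step unnecessary.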
