JustGotAQuestion Posted May 4, 2008
Why and when would I want to use addslashes()?
Link to comment https://forums.phpfreaks.com/topic/104103-solved-addslashes/
rarebit Posted May 4, 2008
Generally to prevent database injection attacks, have a look at the built in version specifically for mysql, here.
Fadion Posted May 4, 2008
Adding to the above post, addslashes() is used to escape special characters in any string which is going to be used in a database query. Escaping means adding slashes to those special characters, like quotes, double quotes, backslashes etc. To remove those slashes in a value taken from a database, you use stripslashes(). Actually, using mysql_real_escape_string() is advised.
JustGotAQuestion Posted May 5, 2008 (Author)
Ok, so to be clear, the following is how I should do things from now on:
$what_will_be_inserted = addslashes($_POST['asdf']);
Then I can insert. And then to get it out again:
$query = mysql(whatever);
$what_will_be_gotten = mysql_real_escape_string($query);
And this makes things safer?
DarkWater Posted May 5, 2008
No.
$what_will_be_inserted = mysql_real_escape_string($_POST['asdf']);
mysql_real_escape_string is a better REPLACEMENT for addslashes(), not an opposite to it.
alecks Posted May 5, 2008
Consider this query:
$query = "SELECT * FROM users WHERE username = '" . $_POST['username'] . "'";
The user could send ' OR '1'='1 as their username, which would make the query:
$query = "SELECT * FROM users WHERE username = '' OR '1'='1'";
Which would always come back as true (not false) if queried. The user could of course do something even more malicious. What mysql_real_escape_string does is add slashes before the quotes, so they are taken literally, not as parts of the query:
$query = "SELECT * FROM users WHERE username = '\' OR \'1\'=\'1\''";
In this query, where the input is escaped, the username would have to be ' OR '1'='1 in order for the query to come back as true (not false).
JustGotAQuestion Posted May 5, 2008 (Author)
Ah, now I get what it does, thanks. And so I need to use mysql_real_escape_string instead of addslashes(); and stripslashes(); to get it back. Thanks again.
JustGotAQuestion Posted May 6, 2008 (Author)
Here's a bit of a more specific question. Why doesn't this work?
$sql_recentnews = stripslashes(mysql_query("SELECT * FROM news ORDER BY timestamp DESC LIMIT 0 , " . $rpp));
while($topic=mysql_fetch_array($sql_recentnews)){
echo "<li class='recent_news_li'><span class='recent_news_topic'><a href='news.php?page=viewtopic&id=" . $topic['id'] . "'>" . $topic['title'] . "</a></span>";
}
I get this error:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/asdfdsa/public_html/testing123/index.php on line 69
DarkWater Posted May 6, 2008
You need to use stripslashes on the actual output, not the query....
$sql_recentnews = mysql_query("SELECT * FROM news ORDER BY timestamp DESC LIMIT 0 , " . $rpp);
while($topic=mysql_fetch_array($sql_recentnews)){
echo "<li class='recent_news_li'><span class='recent_news_topic'><a href='news.php?page=viewtopic&id=" . $topic['id'] . "'>" . stripslashes($topic['title']) . "</a></span>";
}
Look at what I did.
JustGotAQuestion Posted May 6, 2008 (Author)
Oh, cool. So stripslashes from the output, not the query. Now, why didn't you stripslashes from the id as well? (Was there a reason or was that just "because"?)
DarkWater Posted May 6, 2008
There won't be any slashes in an ID...it's just a number. That's automatically made by MySQL (it's auto-incrementing, I presume)...so there won't be any malicious things to be escaped.
JustGotAQuestion Posted May 6, 2008 (Author)
Ok, so I should hold off on slashing and unslashing the ids. Got it. And now that I think about it, the id adds itself, so I couldn't slash it even if I wanted to. No point in unslashing it. By the way, I got everything working with the slashes now. Thanks.
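The injection that alecks walks through above, and the question of whether stripslashes() belongs on the output, as one added, runnable example that is not part of the thread. It is not any poster's code. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL so it runs offline; the users table and its three rows are constructed for the example. The string-level escaping shown is addslashes(), because mysql_real_escape_string() needs a live MySQL connection (and the whole mysql_* extension was removed in PHP 7.0; its successor is mysqli_real_escape_string(), which also needs the connection so it can honour the connection character set). The escaped query text is printed but not executed, since SQLite does not treat a backslash as an escape character. The prepared statement at the end is what a practitioner would use instead of either escaping function.

```php
<?php
// Added example, not from the thread. Assumes the pdo_sqlite extension.
// SQLite stands in for MySQL; table and rows are constructed sample data.

// The query built the way the vulnerable post does: raw input glued into SQL.
function vulnerableQuery(string $username): string {
    return "SELECT * FROM users WHERE username = '" . $username . "'";
}

// The same query text after addslashes(). This is what the thread calls
// "escaping". With a real MySQL connection you would use
// mysqli_real_escape_string($conn, $username) instead, which knows the
// connection charset; addslashes() is used here only because it needs no DB.
function escapedQuery(string $username): string {
    return "SELECT * FROM users WHERE username = '" . addslashes($username) . "'";
}

// Constructed in-memory database with three users, one containing a quote.
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)");
    $ins = $db->prepare("INSERT INTO users (username) VALUES (?)");
    foreach (['alice', "o'brien", 'bob'] as $u) {
        $ins->execute([$u]);   // bound as data, so the quote is stored as-is
    }
    return $db;
}

$payload = "' OR '1'='1";   // the username from alecks' post
$db = makeDb();

// 1. Concatenation: the payload closes the quote and appends an always-true OR,
//    so the WHERE clause matches every row.
echo vulnerableQuery($payload), "\n";
$rows = $db->query(vulnerableQuery($payload))->fetchAll(PDO::FETCH_COLUMN, 1);
echo "concatenated query matched ", count($rows), " rows\n";   // 3 of 3

// 2. Escaped query text (MySQL backslash syntax). Printed only: SQLite escapes
//    a quote by doubling it, so this exact string is not valid there.
echo escapedQuery($payload), "\n";

// 3. Prepared statement: the payload is a parameter value, never parsed as SQL.
$stmt = $db->prepare("SELECT username FROM users WHERE username = ?");
$stmt->execute([$payload]);
echo "prepared query matched ", count($stmt->fetchAll()), " rows\n";   // 0

// 4. Round trip: escaping (or binding) protects the query text only. The stored
//    value never contains slashes, so nothing needs stripslashes() on the way out.
$stmt->execute(["o'brien"]);
echo $stmt->fetchColumn(), "\n";   // o'brien, exactly as inserted
```

Run it with `php example.php`. The first query returns all three users because the payload rewrites the WHERE clause; the prepared statement with the identical input returns none, because the driver sends the value separately from the SQL text. Step 4 is the point the thread circles around with stripslashes(): slashes added for the query are consumed by the SQL parser and are not part of the stored value, so stripping them on output is only ever needed when input was escaped twice (for example by the old magic_quotes_gpc setting plus a second addslashes()).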
This topic is now archived and is closed to further replies.