Stryves Posted November 20, 2008

Ok, honestly, my head hurts. I've been reviewing all of the different types of SQL injection protection, and I can't seem to find a comparison of which is the best to use. I've heard mysql_real_escape_string is dated and isn't really as useful anymore. The reason I need it is that I allow users to add comments to pages or add a bio of themselves, and I just want to ensure that they can't mess up my database. Any suggestions on what should be used for protection when using PHP?
premiso Posted November 20, 2008

mysql_real_escape_string is not really equivalent to stripslashes, as removing slashes could potentially allow people to harm the database; I think you were thinking of addslashes. The rule of thumb is that you should never have to use stripslashes on data coming out of a database. trim works well with everything and should not screw up data. As for mysql_real_escape_string being outdated, that is just baloney; it still works great against SQL injection to this day.
marcus Posted November 20, 2008

mysql_real_escape_string will add backslashes to unwanted and possibly bad characters (the best). trim doesn't really do much but turn " something " into "something" by removing the spaces and tabs around it. stripslashes is bad when trying to protect your data in URLs. Why? Because if they found out you used just stripslashes on your variables and nothing else, they would simply add slashes to be removed.

```php
function protect($input){
    return mysql_real_escape_string(trim(strip_tags($input)));
}
```

imo that's sufficient.
Stryves Posted November 20, 2008

As always, I really appreciate everyone's help. My code is:

```php
<?php
$subject=$_POST['subject'];
$comment=$_POST['comment'];
$postcomment="UPDATE comments SET subject='$subject', comment='$comment' where ID='$userID'";
mysql_query($postcomment) or die("Failed");
?>
```

Would it be this with the protection?

```php
<?php
function protect($subject){
    return mysql_real_escape_string(trim(strip_tags($subject)));
}
function protect($comment){
    return mysql_real_escape_string(trim(strip_tags($comment)));
}
$subject=$_POST['subject'];
$comment=$_POST['comment'];
$postcomment="UPDATE comments SET subject='$subject', comment='$comment' where ID='$userID'";
mysql_query($postcomment) or die("Failed");
?>
```

Oh, and ignore the UPDATE. I know it should be INSERT when adding a comment; I was just writing some code to understand how to use a function in this case.
marcus Posted November 20, 2008

You can't redefine a function like that.

```php
function protect($input){
    return mysql_real_escape_string(trim(strip_tags($input)));
}

$subject = protect($_POST['subject']);
$comment = protect($_POST['comment']);
```
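The flow marcus describes, as an added example that is not code from the original thread: the poster's UPDATE run three ways against an in-memory SQLite database through PDO, so no MySQL server is needed. The first build interpolates the input as in the original post, the second escapes it for the connected driver (PDO::quote() takes the role mysql_real_escape_string has in the thread; mysqli_real_escape_string($link, $s) is the MySQL equivalent), and the third uses a prepared statement with bound parameters. The table layout, the attacker string and the user ID are constructed for the demo.

```php
<?php
// Added example, not code from the original thread. The poster's UPDATE written
// (1) unprotected, (2) with driver-aware escaping inside quotes, and
// (3) as a prepared statement with bound parameters.
// Runs against an in-memory SQLite database through PDO; the table layout
// (comments: ID, subject, comment), the rows and the attacker string are
// constructed for this demo.

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE comments (ID INTEGER PRIMARY KEY, subject TEXT, comment TEXT)');
    $pdo->exec("INSERT INTO comments (ID, subject, comment) VALUES (1, 'old', 'old'), (2, 'keep', 'keep')");
    return $pdo;
}

// Every row, so the effect of each UPDATE is visible.
function dumpRows(PDO $pdo): array {
    return $pdo->query('SELECT ID, subject, comment FROM comments ORDER BY ID')
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: ends the string literal, supplies its own SET and
// WHERE, and comments out the rest of the original statement.
$badSubject = "x', comment='pwned' WHERE 1=1 -- ";
$comment    = 'hello';
$userID     = 1;

// 1. As in the original post: the input becomes part of the SQL text.
$pdo = makeDb();
$sql = "UPDATE comments SET subject='$badSubject', comment='$comment' WHERE ID='$userID'";
echo $sql, "\n";
$pdo->exec($sql);
print_r(dumpRows($pdo));   // every row now reads subject=x, comment=pwned

// 2. Escaping. PDO::quote() escapes for the connected driver and returns the
// literal WITH its quotes, so it is not wrapped in quotes again. It only helps
// inside a quoted literal: the unquoted ID is cast to int instead.
$pdo = makeDb();
$sql = sprintf(
    'UPDATE comments SET subject=%s, comment=%s WHERE ID=%d',
    $pdo->quote(trim(strip_tags($badSubject))),
    $pdo->quote(trim(strip_tags($comment))),
    (int) $userID
);
echo $sql, "\n";
$pdo->exec($sql);
print_r(dumpRows($pdo));   // row 1 stores the attacker string as data; row 2 untouched

// 3. Prepared statement: SQL text and data travel separately, so nothing is
// escaped by hand and the value is stored exactly as typed.
$pdo = makeDb();
$stmt = $pdo->prepare('UPDATE comments SET subject = :subject, comment = :comment WHERE ID = :id');
$stmt->execute([
    ':subject' => trim(strip_tags($badSubject)),
    ':comment' => trim(strip_tags($comment)),
    ':id'      => $userID,
]);
print_r(dumpRows($pdo));   // same result as 2, without building SQL from strings
```

Run it with `php demo.php`. The first print_r shows both rows overwritten because the input closed the quoted literal; the second and third show the attacker text stored as plain data in row 1 only. Note the `(int)` cast on the ID: escaping neutralises quotes inside a quoted literal and does nothing for a value interpolated without quotes, which has to be validated or bound instead.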
Stryves Posted November 20, 2008

Thank you. I'm not normally this slow, I swear. I looked up trim to understand it better again, and it appears it only removes the excess before and after the actual string, so that would be safe for a comment. Security paranoia is a bad thing.
marcus Posted November 20, 2008

Keep in mind, the only time you want to really use stripslashes is when you're outputting data from your database.
Stryves Posted November 20, 2008

So then in my above code where I am inserting data into the database, I could be safe using trim and strip_tags?
marcus Posted November 20, 2008

Yes, you really only need mysql_real_escape_string and trim. To further your protection you could use strip_tags, htmlentities or any form of removing unwanted items when displaying your data.
premiso Posted November 20, 2008

> Keep in mind, the only time you want to really use stripslashes is when you're outputting data from your database.

Not true. If done right, you should never have to use stripslashes on data coming out of a database. This is why addslashes is bad: you never really know how many times you must stripslashes. That is why mysql_real_escape_string is the preferred method; you do not have to strip the slashes because they are removed as the content is entered into the DB. A prime example of this is when you display content on a page like so:

```php
<?php
$file = "I am displaying \" double quote that has been escaped";
echo $file;
?>
```

As you can see, a properly escaped character has the escape character removed when displayed. This principle applies to a database in the same manner: it removes the escaping slashes so the data is displayed as it literally should be. The reason some people use stripslashes is because they add extra escapes to their content, especially if get_magic_quotes_gpc is turned on: when the post data comes in and they call addslashes on that data, it will double up the slashes, requiring them to be removed, because an escaped slash displays that slash, if that makes any sense. When you use mysql_real_escape_string it is smart enough not to do this to escaping characters.
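The escape-once versus escape-twice behaviour discussed above, as an added example that is not code from the original thread. No database is involved: `storeLiteral()` stands in for the server parsing the quoted literal it receives (it undoes the `\'`, `\"` and `\\` escapes, which is what MySQL does for those characters, so this is a modelling assumption made for the demo), and `addslashes` stands in for the escaping step because it needs no connection; in real code the escaping step is mysqli_real_escape_string($link, $v). The sample input is constructed.

```php
<?php
// Added example, not from the original thread. Traces a value containing a quote
// and backslashes through "escape once" and "escape twice" to show why
// stripslashes belongs on input (to undo magic quotes) and never on output.

// Model of what the DB stores when handed an escaped literal: the server undoes
// \' \" \\ while parsing the literal. stripslashes does the same for these
// characters, so it stands in for the server here (an assumption for the demo).
function storeLiteral(string $escaped): string {
    return stripslashes($escaped);
}

// Escape exactly once. addslashes is used because it needs no DB connection;
// mysqli_real_escape_string($link, $v) is what real code should call.
function escapeOnce(string $v): string {
    return addslashes($v);
}

// Input that magic_quotes_gpc already escaped, then escaped again by the script.
function escapeTwice(string $v): string {
    return addslashes(addslashes($v));
}

// The historical fix: undo magic quotes BEFORE escaping, so the value is escaped
// exactly once. get_magic_quotes_gpc() no longer exists in PHP 8, hence the guard.
function normaliseInput(string $v): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $v = stripslashes($v);
    }
    return $v;
}

// Constructed user input: one quote and two backslashes that must survive.
$original = "O'Neil wrote C:\\temp\\notes";   // O'Neil wrote C:\temp\notes

$once  = storeLiteral(escapeOnce(normaliseInput($original)));
$twice = storeLiteral(escapeTwice($original));

var_dump($once === $original);                // bool(true): nothing to strip on output
var_dump($twice);                             // O\'Neil wrote C:\\temp\\notes: stray slashes stored
var_dump(stripslashes($twice) === $original); // bool(true): why people reach for stripslashes

// The cost of "fixing" it on output: stripslashes on correctly stored data
// destroys legitimate backslashes.
var_dump(stripslashes($once));                // O'Neil wrote C:tempnotes
```

The point the four dumps make: with a single escaping step the stored value equals the input and output needs no cleanup; double escaping stores literal backslashes, and stripping them on output only works until a user legitimately stores a backslash, at which point the same stripslashes call corrupts their data.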
zoonose Posted November 20, 2008

> Ok, honestly, my head hurts. I've been reviewing all of the different types of SQL injection protection, and I can't seem to find a comparison of which is the best to use. I've heard mysql_real_escape_string is dated and isn't really as useful anymore. The reason I need it is that I allow users to add comments to pages or add a bio of themselves, and I just want to ensure that they can't mess up my database. Any suggestions on what should be used for protection when using PHP?

From my very *limited* knowledge, the only reason real_escape_string would be dated is with the use of MySQLi and object-oriented queries using MySQLi! Check out the 'security tutorial' on freaks and it will explain the details.