[SOLVED] Escape String VS Trim VS Strip Slashes.

[Stryves]

Ok, honestly, my head hurts.

 

I've been reviewing all of the different types of sql injection protection, and I can't seem to really find a comparison on what's the best to use.

 

I've heard MySQL real escape string is dated, and really isn't as useful anymore.

 

The reason I need it, is I allow users to add comments to pages, or add a bio of themselves, and I just want to ensure that they can't mess up my database.

 

Any suggestions on what should be used to protect when using PHP?

[premiso]

mysql_real_escape_string is not really equivelent to strip_slashes as removing slashes could potentionally allow people to harm the database, I think you were thinking of add_slashes

 

The rule of thumb is you should never have to use strip_slashes on data coming out of a database.

 

Trim works well with everything and should not screw up data.

 

As for mysql escape string being outdated that is just bologna, it still works great against SQL Injection to this day.

[marcus]

mysql_real_escape_string will add backslashes to unwanted and possibly bad characters. (the best)

trim doesn't really do much but turn "  something  " into "something" by removing the spaces and tabs around it.

stripslashes is bad when tryin to protect your data in URLs, why? because if they found out you used just stripslashes on your variables and nothing else then they would simply just add slashes to be removed.

 

function protect($input){
     return mysql_real_escape_string(trim(strip_tags($input)));
}

 

imo that's sufficient.

[Stryves]

As always, I really appreciate everyones help.

 

My code is:

<?php

$subject=$_POST['subject'];
$comment=$_POST['comment'];

$postcomment="UPDATE comments SET subject='$subject', comment='$comment' where ID='$userID'";

mysql_query($postcomment) or die("Failed");
?>

 

Would it be this with the protection:

<?php

function protect($subject){
     return mysql_real_escape_string(trim(strip_tags($subject)));
}

function protect($comment){
     return mysql_real_escape_string(trim(strip_tags($comment)));
}

$subject=$_POST['subject'];
$comment=$_POST['comment'];

$postcomment="UPDATE comments SET subject='$subject', comment='$comment' where ID='$userID'";

mysql_query($postcomment) or die("Failed");
?>

 

Oh and ignore the UPDATE, I know it should be INSERT when adding a comment, I just was writing some code to understand how to use function in this case.

[marcus]

You can't redefine a function like that.

 

function protect($input){
     return mysql_real_escape_string(trim(strip_tags($input)));
}

$subject = protect($_POST['subject']);
$comment = protect($_POST['comment']);

[Stryves]

Thank you, I'm not normally this slow, I swear.

 

I looked up trim to understand it better again, and it appears it only removes the excess before and after the actual string, so that would be safe for a comment.

 

Security paranoia is a bad thing.

[marcus]

Keep in mind, the only time you want to really use stripslashes is when you're outputting data from your database.

[Stryves]

So then in my above code where I am inserting data into the database, I could be safe using trim and strip tags?

[marcus]

Yes, you really only need mysel_real_escape_string and trim, to further your protection you could use strip_tags, htmlentities or any form of removing unwanted items when display your data.

[premiso]

Keep in mind, the only time you want to really use stripslashes is when you're outputting data from your database.

 

Not true. If done right, you should never have to use stripslashes on data coming out of a database. This is why addslashes is bad, because you never really know how many times you must strip_slashes. That is why mysql_real_escape_string  is the preferred method, you do not have to strip the slashes because they are removed as the content is entered into the DB.

 

A prime example of this is when you display content on a page like so:

 

<?php
    $file = "I am displaying \" double quote that has been escaped";
    echo $file;
    
?>

 

As you can see a properly escaped character has the escape character removed when displayed.  This principle applies to a database in this same manner. It removes the escaping slashes so the data is displayed as it literally should be.

 

The reason some people use strip_slashes is because they add extra escapes to their content, especially if get_magic_quotes_gpc is turned on and when the post data comes in they call add_slashes on that data, it will double up the slashes requireing them to be removed because an escaped slash displays that slash if that makes any sense.

 

When you use the mysql_real_escape_String it is smart enough not to do this to escaping characters.

[zoonose]

Ok, honestly, my head hurts.

 

I've been reviewing all of the different types of sql injection protection, and I can't seem to really find a comparison on what's the best to use.

 

I've heard MySQL real escape string is dated, and really isn't as useful anymore.

 

The reason I need it, is I allow users to add comments to pages, or add a bio of themselves, and I just want to ensure that they can't mess up my database.

 

Any suggestions on what should be used to protect when using PHP?

 

From my very *limited* knowledge, the only reason real_escape_string would be dated is with the use of MySQLi and object orientated queries using MySQLi - !!

 

Check out the the 'security tutorial' on freaks and it will explain the details....