Trying to understand form security using addslashes, get_magic_quotes and ...


suttercain

Trying to understand form security using addslashes, get_magic_quotes and mysql_escape_string.

 

Hello everyone,

 

You'll have to excuse my ignorance. I understand that when making a database we want it to be secure so that no outside hackers can inject it with malicious code causing the addition or deletion of records, etc.

 

The reason I am on this subject is that I read another post with the subject "Just Got Hacked" and that got me nervous.

 

I have forms that users use to submit data. Should I be using all three: addslashes, get_magic_quotes and mysql_escape_string?

 

I know how addslashes and mysql_escape_string work but I am trying to get my head around get_magic_quotes.

 

Also if I have this code:

 

$string = "Bill O'Reilly is a douchebag.";
$value = addslashes($string);   // Bill O\'Reilly is a douchebag.
// string literal needs quotes in SQL; table_name is a placeholder
$sql = "INSERT INTO table_name (column) VALUES ('$value')";

 

That will place Bill O\'Reilly is a douchebag into the database.

 

Is it safe, when pulling the information from the database, to display in a browser as such:

 

$value = stripslashes($string);
echo $value;

 

Thanks for any advice or quick explanations of why it's a good idea to use these functions and which one or ones I should always use.

 

 

SC


The get_magic_quotes tells you whether or not the form data is escaped. If get_magic_quotes is on there is no need for adding slashes or doing the mysql_real_escape as the data should already be escaped.

 

addslashes is not desirable at all. You can search for addslashes on Google for many explanations.

 

The goal is you should NEVER have to strip slashes when retrieving from a database.

 

 
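The pattern Frost describes, as an added example (not code from anyone in this thread): undo magic quotes once at the start of the request, hand the raw value to a prepared statement, and read it back unchanged, so there is nothing to stripslashes on the way out. It assumes PHP 5.1 or later with PDO and the pdo_sqlite driver, and uses an in-memory SQLite database in place of MySQL so that it runs offline; the people table, undo_magic_quotes() and roundtrip() are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example for this thread (not code from the original posters).
// Assumptions: PHP 5.1+ with PDO and pdo_sqlite; an in-memory SQLite
// database stands in for MySQL so the script runs offline. Table and
// function names are hypothetical.

// 1. Undo magic quotes once, at the start of the request. With
//    magic_quotes_gpc on, PHP has already run addslashes() over every
//    GET/POST/COOKIE value; strip that so the rest of the script sees the
//    raw input and escapes it exactly once, at the right boundary.
function undo_magic_quotes(array $data)
{
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value) ? undo_magic_quotes($value) : stripslashes($value);
    }
    return $data;
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// 2. Store a value and read it back with no addslashes()/stripslashes().
//    The driver quotes the bound value; $name is data, never SQL text.
function roundtrip(PDO $db, $name)
{
    $insert = $db->prepare('INSERT INTO people (name) VALUES (?)');
    $insert->execute(array($name));

    $select = $db->prepare('SELECT name FROM people WHERE id = ?');
    $select->execute(array((int) $db->lastInsertId()));
    return $select->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample inputs, including the two values from the thread.
$inputs = array("Bill O'Reilly", 'Shannon"', "a'); DROP TABLE people; --");

foreach ($inputs as $raw) {
    $stored = roundtrip($db, $raw);
    printf("%-32s -> %-32s %s\n", $raw, $stored,
        $stored === $raw ? 'identical, nothing to strip' : 'MISMATCH');
}

// 3. What stacking escapes does: addslashes() on top of a bound parameter
//    (or on top of magic quotes) stores the backslash itself.
echo 'addslashes() then bind stores: ' . roundtrip($db, addslashes('Shannon"')) . "\n"; // Shannon\"

// 4. Why interpolating the raw string is dangerous: the quote in the input
//    becomes part of the SQL. Here it only breaks the statement; a crafted
//    input can instead change what the statement does.
try {
    $raw = "Bill O'Reilly";
    $db->exec("INSERT INTO people (name) VALUES ('$raw')");
} catch (PDOException $e) {
    echo 'interpolated query failed: ' . $e->getMessage() . "\n";
}
```

With a real MySQL connection the same code works by changing the DSN; if prepared statements are not an option, the only other correct choice is mysql_real_escape_string() on the open connection (so the connection charset is respected), applied exactly once, immediately before the value is interpolated into the query.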


Hi Frost,

 

Thanks for the info. I just tried one of my forms and entered Shannon"

 

and on the preview page it echoed Shannon\"

 

then after I submit it from the preview page it echoed Shannon\\"

 

When I looked at the data that was entered into the database it showed Shannon\"

 

When I echoed the row from the database it echoed Shannon\"

 

 

This is where my curiosity comes in: I want the data to look proper on all pages: The preview, the submitted verification page and also when retrieving the data from the database.

 

How is this possible while still making the form secure?

 

 


basically what you want to do is be as sure as possible, that what is to be saved to your database is what you intend. Anywhere that user-input is allowed, you assume the worst and filter, parse and examine everything.

 

I'd recommend reading "Essential PHP Security" by Chris Shiflett (O'Reilly).


<?php
// only escape by hand when PHP has not already done it via magic_quotes_gpc
if (!get_magic_quotes_gpc()) {
    // add the slashes
    $_POST['username'] = addslashes($_POST['username']);
}

// do query insert here
?>

 

If you addslashes while magic quotes is on it basically DOUBLE escapes the string, which would explain why the DB has the slashes. However if you do it like the above the slashes get escaped and when they are in the DB it should not show them.

 

Now if you are just printing the value straight from post, you would need to stripslashes, but be wary of the addslashes(); because if done too many times you eventually have to stripslashes 5 times to unescape, that is not desired at all.

 

http://www.thescripts.com/forum/thread11103.html
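
The Shannon" trace posted above and the double-escaping explained in the last reply, as an added example (not code from anyone in this thread). No database is used: a few small functions model what magic_quotes_gpc, the MySQL string parser and the browser each do to the value, so the two flows can be compared stage by stage. The first flow reproduces the posted observations (preview shows Shannon\", the verification page shows Shannon\\", the row stores Shannon\"); the second keeps the raw value, escapes for HTML when echoing and for SQL only when building the INSERT, and needs no stripslashes at any point. All function names are hypothetical, addslashes() stands in for mysql_real_escape_string() (which needs a live connection), and stripslashes() is used as a model of MySQL consuming one level of backslash escaping.

```php
<?php
// Added example (not code from the thread). Models the preview -> submit
// -> INSERT -> SELECT flow with no database. Function names are hypothetical.

// What magic_quotes_gpc does when it is on: addslashes() on every
// incoming GET/POST/COOKIE value before the script sees it.
function browser_submits_through_magic_quotes($value, $magic_quotes_on)
{
    return $magic_quotes_on ? addslashes($value) : $value;
}

// MySQL consumes one level of backslash escaping when it parses a quoted
// string literal; stripslashes() is an adequate model for \', \" and \\.
function mysql_stores_literal($escaped)
{
    return stripslashes($escaped);
}

// Stand-in for mysql_real_escape_string(), which needs a live connection.
// Real code must call the real function so the connection charset is used.
function escape_for_sql($raw)
{
    return addslashes($raw);
}

// Flow from the thread: magic quotes on, the escaped value echoed raw and
// carried through a hidden field, so magic quotes run a second time.
function thread_flow($typed)
{
    $trace = array();
    $preview = browser_submits_through_magic_quotes($typed, true);
    $trace['preview page echoes'] = $preview;                    // Shannon\"
    $submitted = browser_submits_through_magic_quotes($preview, true);
    $trace['verification page echoes'] = $submitted;             // Shannon\\"
    // The already double-escaped value is interpolated into the INSERT.
    $stored = mysql_stores_literal($submitted);
    $trace['stored in MySQL'] = $stored;                         // Shannon\"
    $trace['row echoed back'] = $stored;                         // Shannon\"
    return $trace;
}

// Fixed flow: undo magic quotes once per request, keep the raw value,
// escape for HTML when echoing and for SQL only when building the INSERT.
function fixed_flow($typed, $magic_quotes_on)
{
    $trace = array();
    $raw = browser_submits_through_magic_quotes($typed, $magic_quotes_on);
    if ($magic_quotes_on) {
        $raw = stripslashes($raw);              // back to what the user typed
    }
    $trace['preview page echoes'] = htmlspecialchars($raw, ENT_QUOTES); // Shannon&quot; renders as Shannon"
    // The hidden field holds the HTML-escaped value; the browser decodes the
    // entity and submits the original characters, so the second request
    // sees the same raw string after magic quotes are undone again.
    $resubmitted = browser_submits_through_magic_quotes($raw, $magic_quotes_on);
    if ($magic_quotes_on) {
        $resubmitted = stripslashes($resubmitted);
    }
    $trace['verification page echoes'] = htmlspecialchars($resubmitted, ENT_QUOTES);
    $escaped = escape_for_sql($resubmitted);    // escaped exactly once, at the SQL boundary
    $trace['SQL sent'] = "INSERT INTO people (name) VALUES ('$escaped')"; // ('Shannon\"')
    $stored = mysql_stores_literal($escaped);
    $trace['stored in MySQL'] = $stored;                         // Shannon"
    $trace['row echoed back'] = htmlspecialchars($stored, ENT_QUOTES);
    return $trace;
}

$flows = array(
    'thread flow (magic quotes on, value re-escaped)' => thread_flow('Shannon"'),
    'fixed flow (magic quotes on, undone once)'       => fixed_flow('Shannon"', true),
    'fixed flow (magic quotes off)'                   => fixed_flow('Shannon"', false),
);
foreach ($flows as $name => $trace) {
    echo "$name:\n";
    foreach ($trace as $stage => $value) {
        printf("  %-26s %s\n", $stage, $value);
    }
}
```

The two fixed runs produce the same trace whether magic quotes is on or off, which is the property to aim for: the raw value exists in exactly one form inside the script, and each output boundary (HTML, SQL) applies its own escaping once.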

 

