Thread: https://forums.phpfreaks.com/topic/88468-what-to-use-addstrip-slashes/

ShaolinF Posted January 29, 2008 (Author)
Ok, I am not sure where to use these but from the little I know it is to prevent attempted hackers.
1. Which one should I use when checking usernames/passwords, email, contact no. etc.?
2. When inserting data into a table like email, contact no., usernames, passwords, additional information etc., what function should I use?
ShaolinF Posted January 30, 2008 (Author)
bump
cooldude832 Posted January 30, 2008
Truthful answer is never. They are built around the principle of magic_quotes, which, when properly configured, means slashes are not an issue.
Bauer418 Posted January 30, 2008
You should run something like this on your scripts:

<?php
// Undo magic_quotes_gpc so the rest of the script sees the raw posted input
// (top level of $_POST only; nested array values are not walked here)
if (get_magic_quotes_gpc()) {
    foreach ($_POST as $key => $val) {
        $_POST[$key] = stripslashes($val);
    }
}
?>

As the automatic adding of slashes to posted data is so ridiculously useless if you're going to take proper coding measures. Once you have no slashes on any of your input, run your data through mysql_escape_string/mysql_real_escape_string before inserting it into your DB, or through htmlentities before printing it through HTML.
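The snippet above only walks the top level of $_POST, so a form field named like tags[] (which PHP turns into a nested array) would still carry its slashes, and $_GET and $_COOKIE are left alone. The following is an added example, not code from the thread, that reverses magic_quotes_gpc recursively over all request superglobals, including array keys, which magic quotes also escaped. The function name strip_magic_quotes_deep and the sample array are mine; the sample is constructed to look like what magic_quotes_gpc would have produced for name=O'Brien and tags[]=it's, so the function can be exercised offline.

```php
<?php
// Added example, not code from the thread. Reverses magic_quotes_gpc for every
// request superglobal and recurses into nested arrays. The magic_quotes feature
// itself was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0, so on
// any current PHP the guarded block below is a no-op.

function strip_magic_quotes_deep($value)
{
    if (is_array($value)) {
        // magic_quotes_gpc escaped array keys as well as values, so rebuild
        // the array instead of modifying values in place.
        $clean = array();
        foreach ($value as $key => $item) {
            $clean[stripslashes($key)] = strip_magic_quotes_deep($item);
        }
        return $clean;
    }
    return stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    // Overwriting the superglobals (as in the post above) or copying into your
    // own array (as suggested later in the thread) both work; what matters is
    // doing it once, at the top of the request, before anything reads the input.
    $_GET     = strip_magic_quotes_deep($_GET);
    $_POST    = strip_magic_quotes_deep($_POST);
    $_COOKIE  = strip_magic_quotes_deep($_COOKIE);
    $_REQUEST = strip_magic_quotes_deep($_REQUEST);
}

// Constructed sample: what magic_quotes_gpc would have made of
// name=O'Brien and tags[]=it's. Lets the function be tried without a web server.
$escaped_sample = array(
    'name' => "O\\'Brien",
    'tags' => array("it\\'s"),
);
var_dump(strip_magic_quotes_deep($escaped_sample));
```

Running it prints the sample with the backslashes removed from both the scalar value and the nested array element. Whichever style you pick (overwrite or copy), do it in one include at the start of every entry point; scattered stripslashes() calls are how data ends up stripped twice, which silently eats legitimate backslashes.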
Philip Posted January 30, 2008
Well, actually, if you look at the PHP manual for magic_quotes:

  This feature is DEPRECATED and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.

  Reasons:
  Portability: Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc() to check for this, and code accordingly.
  Performance: Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling on the escaping functions (like addslashes()) at runtime is more efficient. Although php.ini-dist enables these directives by default, php.ini-recommended disables it. This recommendation is mainly due to performance reasons.
  Inconvenience: Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form, and seeing a bunch of \' within the email. To fix, this may require excessive use of stripslashes().

Maybe I'm wrong because I still see so many people here using that, but I still use addslashes/stripslashes.
cooldude832 Posted January 30, 2008
You shouldn't be able to alter a superglobal (it's bad practice even if you can); you should copy it into a new variable:

<?php
define("Should_I_Strip", 1);
$postdata = array(); // work on a copy and leave $_POST untouched
if (Should_I_Strip != 0) {
    foreach ($_POST as $key => $value) {
        $postdata[$key] = stripslashes($value);
    }
} else {
    foreach ($_POST as $key => $value) {
        $postdata[$key] = $value;
    }
}
?>

It really doesn't matter if you strip when you don't need to because it won't do anything, but it isn't good practice.
Edit: As stated it is going away in PHP 6, but for the most part people still have to deal with it in 4.
valtido Posted January 30, 2008
Well there is another way loool I came across once:

<?php
// Iterate by reference so the stripped value is actually written back
foreach ($_REQUEST as &$val) {
    $val = stripslashes($val);
}
unset($val); // drop the reference foreach leaves behind
?>

Or something similar. Basically what that does is that it will check all the input data, doesn't matter if it is a password or username; if it has illegal characters or things like that then it will correct them. I can't remember it off by heart loool but I'm sure if you google it you will get somewhere.
valtido Posted January 30, 2008
Well, cooldude832 is more accurate loool and we must've posted it at the same time loool.
Bauer418 Posted January 30, 2008
cooldude832 wrote: "You shouldn't be able to alter a superglobal (it's bad practice even if you can) ... As stated it is going away in PHP 6, but for the most part people still have to deal with it in 4."

Modifying the $_POST superglobal for simply removing slashes has never bothered me. As for magic_quotes, it's simply useless. If you're taking proper coding measures, you shouldn't rely on it anyways.
cooldude832 Posted January 30, 2008
It's the principle that a superglobal variable is supposed to be something given to you from the server to use. It's like in a chem lab when you get a sample out of a bottle: you don't stick your dirty pipettes in the communal container, you take a small bit into your own beaker to work with. Just like how you shouldn't dirty the superglobals for your own needs when they might need to be undirtied later.
ShaolinF Posted January 30, 2008 (Author)
Mixed messages. The reason I planned on doing this was to protect the system from hackers. Are there other, more effective ways?
cooldude832 Posted January 30, 2008
How are a few slashes going to protect you from hackers? You are talking very broad here; narrow down your goals.
valtido Posted January 30, 2008
Well, just research lool how hackers find ways to hack PHP and you have a lot of information on the internet to tackle this, and what's best to use.
ShaolinF Posted January 30, 2008 (Author)
cooldude832 wrote: "How are a few slashes going to protect you from hackers? You are talking very broad here; narrow down your goals."

Well, I'm talking about entering malicious code into text fields to retrieve data from the DB etc.
cooldude832 Posted January 30, 2008
I don't think you know how a hacker works, so do some research before you make assumptions. Addslashes is an escaping function.
Bauer418 Posted January 31, 2008
cooldude832 wrote: "I don't think you know how a hacker works, so do some research before you make assumptions. Addslashes is an escaping function."

To prevent execution of malicious code in many cases. So actually, he does know what he's talking about, and he's asking a simple question. My experience: I have coded several websites, some for personal use, and some for corporate offices. I have never relied on magic_quotes_gpc to do my work for me, and have always either disabled it or counteracted it. With the proper use of htmlspecialchars and mysql_real_escape_string as needed, I have never had a problem. The trick isn't finding the most foolproof way to protect your data, it's making sure you understand what could be done with each line of code written. You don't need slashes if the data is purely handled by PHP and deleted. You'll want slashes if you enter into a database to prevent the user from modifying your query.
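The point the thread converges on is that the escaping belongs to the context the data is written into (SQL vs. HTML), not to the input. As an added example that is not code from the thread, here is the same untrusted value handled for both contexts in current PHP. It assumes the pdo_sqlite extension so it runs stand-alone against an in-memory database; the table, the sample username and the queries are constructed for the example. The mysql_real_escape_string() the posts mention was removed with the mysql extension in PHP 7; with a live MySQL link the equivalent is mysqli::real_escape_string() or PDO::quote(), and with bound parameters the manual escaping step is not needed at all.

```php
<?php
// Added example, not from the thread. Requires PHP's pdo_sqlite extension
// (assumed). Shows one untrusted string escaped for two different contexts.

// Constructed untrusted input: contains an SQL-significant quote and HTML markup.
$username = "O'Brien <b>&</b>";

// --- Database context -------------------------------------------------
// Bind the value instead of splicing it into the query text: the driver
// transmits it as data, so no addslashes()/escape call is involved and the
// user cannot change the shape of the query.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO users (username) VALUES (:username)');
$insert->execute(array(':username' => $username));

$select = $db->prepare('SELECT username FROM users WHERE username = :username');
$select->execute(array(':username' => $username));
$stored = $select->fetchColumn();

// Round trip: what went in is what comes out, with no stray backslashes
// (storing addslashes() output directly is how O\'Brien ends up in a table).
var_dump($stored === $username);

// Legacy code that still builds SQL text by hand should at least use the
// connection-aware quoter; addslashes() has no connection to consult and so
// cannot know the server's quoting rules or character set.
$literal = $db->quote($username);
var_dump($literal);

// --- HTML context -----------------------------------------------------
// Whatever was done for the database says nothing about the browser.
// Encode at the point of output, with quote handling and charset explicit.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

The first var_dump shows the round trip holds; the second shows the quoter doubling the single quote rather than backslash-escaping it, which is exactly the driver-specific detail addslashes() gets wrong for non-MySQL databases. For MySQL, replace the DSN with a mysql: one and set the connection charset (for mysqli, set_charset()) before any real_escape_string() call.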