Previous post does not address how to avoid making this kind of security hole. Anyway, if anyone wants to avoid creating a security hole like this:

Do not stripslashes() the slashes added by magic_quote. If you use stripslashes(), use addslashes() again. If you do not use magic_quote, use addslashes() before feeding to the database, shell or whatever that might be dangerous w/o slashes.

Disabling magic_quote will reduce the amount of code and increase performance a little, unless the application is very small. Without magic_quote, the script does not have to get rid of slashes to use a value from the browser and add slashes again before feeding it to the database. Code would be cleaner and easier to read also. (Especially for programmers who are not used to PHP.)

Hope this helps someone.

--
Yasuo Ohgaki

"Yasuo Ohgaki" <[EMAIL PROTECTED]> wrote in message news:9bg8tl$rvl$[EMAIL PROTECTED]...
> If you strip slashes, it will make a security hole.
>
> For example,
>
> SELECT * FROM tablename WHERE name = '$name';
> what if $name is
> \'garbage\';DROP TABLE tablename;SELECT \'something
>
> After stripslashes($name)
> SELECT * FROM table WHERE name = 'garbage';DROP TABLE tablename;SELECT
> 'something';
>
> Regards,
> --
> Yasuo Ohgaki
>
> "Noah Spitzer-Williams" <[EMAIL PROTECTED]> wrote in message
> news:9bf7ec$m1m$[EMAIL PROTECTED]...
> > would there be any problems caused if i used the stripslashes() function on
> > all posted variables from a form to eliminate sql query errors?
> >
> > - Noah

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
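An added example, not code from the thread, that puts the two paths Yasuo describes side by side. `$raw_input` is a constructed sample shaped like the value quoted above, and the `$magic_quotes_on` flag stands in for the magic_quotes_gpc setting (removed in PHP 5.4); the query template is the one from the thread.

```php
<?php
// Constructed sample: the value quoted in the thread, as it arrives with
// magic_quotes_gpc enabled (quotes already backslash-escaped).
$raw_input = "\\'garbage\\';DROP TABLE tablename;SELECT \\'something";

// Unsafe pattern from the thread: stripping the slashes restores the raw
// quotes, so the single interpolated literal turns into several statements.
function build_query_unsafe(string $name): string {
    $name = stripslashes($name);
    return "SELECT * FROM tablename WHERE name = '$name';";
}

// Safe pattern from the thread: keep the magic_quote slashes, or, when
// magic quotes are off (or were stripped for display), addslashes() once
// before the value reaches SQL. addslashes() is a generic escaper; a
// database-specific escaper or a parameterized query is the stronger choice.
function build_query_safe(string $value, bool $magic_quotes_on): string {
    $name = $magic_quotes_on ? $value : addslashes($value);
    return "SELECT * FROM tablename WHERE name = '$name';";
}

// Review check: a value destined for a single-quoted SQL literal must not
// contain an unescaped quote, otherwise the statement can be split.
// Backslash-escaped characters are skipped so "\\'" is judged correctly.
function has_unescaped_quote(string $literal): bool {
    $n = strlen($literal);
    for ($i = 0; $i < $n; $i++) {
        if ($literal[$i] === '\\') { $i++; continue; }  // skip escaped char
        if ($literal[$i] === "'") { return true; }
    }
    return false;
}

echo build_query_unsafe($raw_input), "\n";               // literal is split
echo build_query_safe($raw_input, true), "\n";           // magic quotes on
echo build_query_safe(stripslashes($raw_input), false), "\n"; // same result

var_dump(has_unescaped_quote(stripslashes($raw_input))); // bool(true)
var_dump(has_unescaped_quote($raw_input));               // bool(false)
```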
