Addslashes, Stripslashes, Magic Quotes and Stuff

**owentech** · Jul 12, 2007 08:57

Hi,
I have fairly simple (I think) problem, but the documentation i read does not seem very straight-forward:
I have a site that is supposed to work as follows:
1) Users (log in and) type articles into a form, complete with formatting (Bold, italics, links etc)
2) Users submit the articles which are inserted in a (MySQL database) table
3) (An Admin logs in, approve articles then) other users can read the articles.

My question is, when do I add slashes, strip them, use magic quotes, use htmlspecialchars, mysql_real_escape string, etc?

PHP developers seem to dislike the magic_quotes, and the rest of the documentation does not seem to say that I should strip the slashes if they were added.
I also read that the slashes don't get stored in the database, so what's the point of adding them?

Or if magic-quotes is on, can I just leave things as they are?

Please advise.
Thanks
Abe

**Christopher Hill** · Jul 12, 2007 09:55

You are right in saying slashes are not inserted into the database (when used to actually escape data), but storage is not the problem. You need to escape data being sent to a database to ensure that it is not tainted; i.e. not doing anything naughty. Consider the following:

Code:

select `username` from `user` where `column` = 'abc123'; drop table `user`#

There we can see someone passed in a tainted string, the string being:

Code:

abc123'; drop table `user`#

We have closed the enclosed string, ended the query with a semi-colon, and then dropped the table. The end is a hash to comment out everything after that to avoid any errors.

Essentially, you will want to turn off magic_quotes, run ALL user submitted input through mysql_real_escape_string, and run ALL output through htmlentitites() to avoid XSS and the such attacks.

You will want to allow some HTML though, as you mentioned bold, italic, etc tags. This can be achieved via a string formatting plugin. Some are htmlPurifier, and one I recently stumbled across, StringParser_BBCode which is particularly cool.

**longneck** · Jul 12, 2007 10:23

excellent post christopher. welcome to sitepoint.

the only thing i would add is that in the normal course of writing a php/mysql application, you should generally never need to stripslashes(). if you find that you need to, go back and look because you're probably over-quoting/slashing the string. you only need to quote/slash a string ONCE.

**owentech** · Jul 12, 2007 22:52

Originally Posted by Christopher Hill

You are right in saying slashes are not inserted into the database (when used to actually escape data), but storage is not the problem. You need to escape data being sent to a database to ensure that it is not tainted; i.e. not doing anything naughty. Consider the following:

Code:

select `username` from `user` where `column` = 'abc123'; drop table `user`#

There we can see someone passed in a tainted string, the string being:

Code:

abc123'; drop table `user`#

We have closed the enclosed string, ended the query with a semi-colon, and then dropped the table. The end is a hash to comment out everything after that to avoid any errors.

Essentially, you will want to turn off magic_quotes, run ALL user submitted input through mysql_real_escape_string, and run ALL output through htmlentitites() to avoid XSS and the such attacks.

You will want to allow some HTML though, as you mentioned bold, italic, etc tags. This can be achieved via a string formatting plugin. Some are htmlPurifier, and one I recently stumbled across, StringParser_BBCode which is particularly cool.

Thank you very much! Your example is much clearer than the others I have seen.
I will now read the manual afresh with that in mind.

Abe

**owentech** · Jul 12, 2007 22:57

Originally Posted by longneck

excellent post christopher. welcome to sitepoint.

the only thing i would add is that in the normal course of writing a php/mysql application, you should generally never need to stripslashes(). if you find that you need to, go back and look because you're probably over-quoting/slashing the string. you only need to quote/slash a string ONCE.

Thanks for saying it directly.
Most documentation merely implied that. I guess that also ties in with the fact that the slashes, if correctly done, are normally not stored in the database.

Abe

**Tom Brokaw** · Jul 13, 2007 00:32

letting some html tags using the optional parameter in strip_tags is not acceptable. You have to make your own function to validate tags or use bbcode. cause if you want to let users use <b> tags for instance. letting <b> tags though with strip_tags you would do

Code PHP:

strip_tags($content, '<b>')

and it would let this through just fine

Code PHP:

<b style="font-size:900px;">hi</b>

no good.

User Tag List

Thread: Addslashes, Stripslashes, Magic Quotes and Stuff

Thread Tools

Display

Addslashes, Stripslashes, Magic Quotes and Stuff

Bookmarks

Bookmarks

Posting Permissions