  1. #1
    SitePoint Enthusiast owentech's Avatar
    Join Date
    Apr 2006
    Location
    Nairobi, Kenya
    Posts
    93
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Question Addslashes, Stripslashes, Magic Quotes and Stuff

    Hi,
    I have a fairly simple (I think) problem, but the documentation I read does not seem very straightforward:
    I have a site that is supposed to work as follows:
    1) Users (log in and) type articles into a form, complete with formatting (bold, italics, links etc.)
    2) Users submit the articles, which are inserted in a (MySQL database) table
    3) (An Admin logs in and approves articles, then) other users can read the articles.

    My question is, when do I add slashes, strip them, use magic quotes, use htmlspecialchars, mysql_real_escape_string, etc.?

    PHP developers seem to dislike the magic_quotes, and the rest of the documentation does not seem to say that I should strip the slashes if they were added.
    I also read that the slashes don't get stored in the database, so what's the point of adding them?

    Or if magic-quotes is on, can I just leave things as they are?

    Please advise.
    Thanks
    Abe
    Life is too short to think small - John Mason
    What is any life if not the pursuit of a dream? - Vanilla Sky
    PHP Membership Script

  2. #2
    SitePoint Enthusiast
    Join Date
    Jun 2007
    Location
    Bristol, England
    Posts
    74
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You are right in saying slashes are not inserted into the database (when used to actually escape data), but storage is not the problem. You need to escape data being sent to a database to ensure that it is not tainted; i.e. not doing anything naughty. Consider the following:

    Code:
    select `username` from `user` where `column` = 'abc123'; drop table `user`#
    There we can see someone passed in a tainted string, the string being:

    Code:
    abc123'; drop table `user`#
    We have closed the enclosed string, ended the query with a semi-colon, and then dropped the table. The end is a hash to comment out everything after that to avoid any errors.

    Essentially, you will want to turn off magic_quotes, run ALL user submitted input through mysql_real_escape_string, and run ALL output through htmlentities() to avoid XSS and such attacks.

    You will want to allow some HTML though, as you mentioned bold, italic, etc. tags. This can be achieved via a string formatting plugin. Some are htmlPurifier, and one I recently stumbled across, StringParser_BBCode, which is particularly cool.

  3. #3
    reads the ********* Crier longneck's Avatar
    Join Date
    Feb 2004
    Location
    Tampa, FL (US)
    Posts
    9,854
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    excellent post christopher. welcome to sitepoint.

    the only thing i would add is that in the normal course of writing a php/mysql application, you should generally never need to stripslashes(). if you find that you need to, go back and look because you're probably over-quoting/slashing the string. you only need to quote/slash a string ONCE.
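The flow described in the two replies above (undo magic quotes so a string is escaped exactly once, escape for SQL when the query is built, escape for HTML when the value is output) as an added PHP example; this is not code from the thread. The connection details are placeholders, the tainted string is the one quoted in the reply, and mysqli's real_escape_string stands in for the mysql_real_escape_string the reply names, since the old mysql extension was removed in PHP 7. The prepared-statement variant at the end is an addition the thread does not mention: it sends the value separately from the SQL text, which is the usual choice in current PHP.

```php
<?php
// Added example, not code from the thread: the escape-once flow the replies
// describe. Host, user, password and database name are placeholders.

// Undo magic_quotes_gpc if the server still has it on, so the value is escaped
// exactly once below. get_magic_quotes_gpc() exists only in PHP 5.x-7.x; the
// function_exists guard keeps this running on newer versions, where magic
// quotes are gone and the function no longer exists.
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Escape for a SQL string literal at the moment the query is built. Like the
// page's mysql_real_escape_string, this needs a live connection so the escaping
// matches the connection character set.
function sql_literal(mysqli $db, string $value): string
{
    return "'" . $db->real_escape_string($value) . "'";
}

// Escape for HTML at the moment the value is echoed into a page.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Placeholder connection details (assumption).
$db = new mysqli('db.example.invalid', 'app_user', 'placeholder', 'app_db');
$db->set_charset('utf8mb4');

// The reply's tainted string, used here as the constructed default input.
$column = raw_input(isset($_POST['column']) ? $_POST['column'] : "abc123'; drop table `user`#");

// After escaping, the single quote inside the value becomes \' so the whole
// value stays inside one string literal and the "; drop table" part is data.
$sql = 'SELECT `username` FROM `user` WHERE `column` = ' . sql_literal($db, $column);
$result = $db->query($sql);

// Prepared statement: the value never becomes part of the SQL text at all,
// so no escaping step is needed (and nothing to strip later).
$stmt = $db->prepare('SELECT `username` FROM `user` WHERE `column` = ?');
$stmt->bind_param('s', $column);
$stmt->execute();

// On output, escape for HTML regardless of what was done for the database;
// the two escapings are for two different consumers and do not overlap.
foreach ($stmt->get_result() as $row) {
    echo '<p>' . html_text($row['username']) . '</p>';
}
```

Note that stripslashes() appears only in raw_input(), and only to cancel escaping the server added on its own; nothing is stripped on the way out of the database, which is the point longneck makes above.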

  4. #4
    SitePoint Enthusiast owentech's Avatar
    Join Date
    Apr 2006
    Location
    Nairobi, Kenya
    Posts
    93
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Christopher Hill View Post
    You are right in saying slashes are not inserted into the database (when used to actually escape data), but storage is not the problem. You need to escape data being sent to a database to ensure that it is not tainted; i.e. not doing anything naughty. Consider the following:

    Code:
    select `username` from `user` where `column` = 'abc123'; drop table `user`#
    There we can see someone passed in a tainted string, the string being:

    Code:
    abc123'; drop table `user`#
    We have closed the enclosed string, ended the query with a semi-colon, and then dropped the table. The end is a hash to comment out everything after that to avoid any errors.

    Essentially, you will want to turn off magic_quotes, run ALL user submitted input through mysql_real_escape_string, and run ALL output through htmlentities() to avoid XSS and such attacks.

    You will want to allow some HTML though, as you mentioned bold, italic, etc. tags. This can be achieved via a string formatting plugin. Some are htmlPurifier, and one I recently stumbled across, StringParser_BBCode, which is particularly cool.
    Thank you very much! Your example is much clearer than the others I have seen.
    I will now read the manual afresh with that in mind.

    Abe
    Life is too short to think small - John Mason
    What is any life if not the pursuit of a dream? - Vanilla Sky
    PHP Membership Script

  5. #5
    SitePoint Enthusiast owentech's Avatar
    Join Date
    Apr 2006
    Location
    Nairobi, Kenya
    Posts
    93
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by longneck View Post
    excellent post christopher. welcome to sitepoint.

    the only thing i would add is that in the normal course of writing a php/mysql application, you should generally never need to stripslashes(). if you find that you need to, go back and look because you're probably over-quoting/slashing the string. you only need to quote/slash a string ONCE.
    Thanks for saying it directly.
    Most documentation merely implied that. I guess that also ties in with the fact that the slashes, if correctly done, are normally not stored in the database.

    Abe
    Life is too short to think small - John Mason
    What is any life if not the pursuit of a dream? - Vanilla Sky
    PHP Membership Script

  6. #6
    SitePoint Enthusiast
    Join Date
    Mar 2007
    Posts
    89
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Letting some HTML tags through using the optional parameter in strip_tags is not acceptable. You have to make your own function to validate tags or use BBCode, because if you want to let users use <b> tags, for instance, letting <b> tags through with strip_tags you would do
    Code PHP:
    strip_tags($content, '<b>')

    and it would let this through just fine
    Code PHP:
    <b style="font-size:900px;">hi</b>

    no good.
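An added PHP example (not code from the thread) of the problem this post describes and one simple way round it: strip_tags() with an allow-list keeps whatever attributes sit on the allowed tag, so the safer pattern is to escape the whole string with htmlspecialchars() and then re-enable only a fixed set of bare tags. The function name and the sample input are constructed for this example.

```php
<?php
// Added example, not code from the thread: strip_tags()'s allow-list keeps
// attributes, so escape everything first and re-enable only bare tags.

function allow_bare_tags(string $input, array $tags = ['b', 'i', 'em', 'strong']): string
{
    // Step 1: turn every < > & " ' into an entity; no tag or attribute survives.
    $safe = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

    // Step 2: re-enable only <tag> and </tag> with nothing between the name and
    // the closing bracket. "&lt;b style=..." does not match, so a tag carrying
    // an attribute stays on the page as visible text instead of becoming markup.
    foreach ($tags as $tag) {
        $safe = str_ireplace(
            ["&lt;$tag&gt;", "&lt;/$tag&gt;"],
            ["<$tag>", "</$tag>"],
            $safe
        );
    }
    return $safe;
}

// Constructed sample input: the post's styled <b>, a plain <b>, and a tag
// that is not on the allow-list at all.
$input = '<b style="font-size:900px;">hi</b> <b>fine</b> <a href="http://example.invalid">link</a>';

// strip_tags() keeps the style attribute on the first <b>, as the post shows.
echo strip_tags($input, '<b>'), "\n";

// The escaped version leaves the styled tag as literal text, keeps only the
// bare <b>, and shows the <a> element as text rather than a link.
echo allow_bare_tags($input), "\n";
```

This is deliberately minimal: it does not balance tags, so an unclosed <b> from one user would still affect the rest of the page. For user-supplied markup with links or anything beyond a few inline tags, a real filtering library such as the HTMLPurifier mentioned earlier in the thread is the better choice.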

