PHP escaping data

Hello, I have a question.
So when I escape my data, quotations and apostrophes get backslashes.
Now if I replace the backslash with an empty character, would it be safe or would it break the rules of escaping the data?

Something like this.

<?php
// Include the database connection ($mysqli is created in config.php)
include('config.php');

// Escape the user-supplied id before it goes into the query string
$id = $mysqli->real_escape_string($_GET['id']);

$query = $mysqli->query("SELECT * FROM random_table WHERE id = '$id'");

while ($row = $query->fetch_array(MYSQLI_BOTH)) {
    // Escape the stored description again on the way out
    // (this is the step that puts the backslashes in front of the quotes)
    $description = $mysqli->real_escape_string($row['description']);

    // Map the escaped sequences \" and \' back to the plain characters
    $description_array = array('\\"' => '"', "\\'" => "'");
    $description_replaced = strtr($description, $description_array);

    // echo out the replaced data
    echo $description_replaced;
}
?>

If the data in the row had a description of

Hello, I'm the admin of this website. I would love for you guys to try this out. My main quote is "Do what you can, not what you can't".

If you were to just output the description without escaping it. It would be

Hello, I'm the admin of this website. I would love for you guys to try this out. My main quote is "Do what you can, not what you can't".

But if you escaped the data, it would be

Hello, I\\'m the admin of this website. I would love for you guys to try this out. My main quote is \\"Do what you can, not what you can\\'t\\".

So what I’ve done is gone and replaced the backslash with just the original content, so it would look like it was never escaped.
Does this break the escaping rules or is it safe to do so? I was just wondering, since the data has already been escaped, users can’t query random data from the database. But by replacing the escaped output with the replaced array, would it still be possible for them to SQL inject or query random data?

And yes, I’m still looking into preparing my queries.

If you look at view-source for this page you’ll see

<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:36px;">Hello, I'm the admin of this website. I would love for you guys to try this out. My main quote is &quot;Do what you can, not what you can't&quot;.</pre>
</div>If you were to just output the description without escaping it. It would be<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:36px;">Hello, I'm the admin of this website. I would love for you guys to try this out. My main quote is &quot;Do what you can, not what you can't&quot;.</pre>
</div>But if you escaped the data, it would be<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:36px;">Hello, I\\'m the admin of this website. I would love for you guys to try this out. My main quote is \\&quot;Do what you can, not what you can\\'t\\&quot;.</pre>
</div>

Notice how " is the entity &quot;

I guess you could remove the backslashes as long as it’s only for text. But if it’s for mark-up or attribute values it could wreak havoc.
So it's probably better to replace them with the entity rather than the actual character.

You can use stripslashes() to remove the slashes from your text.

The string needs to be escaped when being saved to the database, but for output the slashes are not necessary, hence it’s perfectly safe to remove the slashes when you output the string. However as Mittineague says, you do need to sanitise the string for output. So you could use htmlspecialchars for that. (see http://www.sitepoint.com/php-security-cross-site-scripting-attacks-xss/ for examples).

No it doesn’t - provided that you use prepare/bind to keep the SQL and data separate you don’t need to escape it.

If you do jumble the SQL and data together when inserting data into a database you use mysqli_real_escape_string() to escape it and then it will automatically have the slashes removed once they have served their purpose.

Where you use slashes to escape quotes in defining strings you also don’t need to remove them again as PHP will automatically remove them once they have served their purpose. For example:

$a = ' " \' " '; // $a will contain " ' "

Only if you misuse slashes in creating strings in PHP will they form part of the content, e.g. trying to use one to escape anything other than ' when the string is enclosed inside ' (all the other escapes only work when enclosed in " ).

The only time you need to use stripslashes() is where the slashes were added using addslashes().

Usually the slashes end up displaying because you have added them unnecessarily or added them twice.
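To make the point in the replies above concrete (the slashes are consumed by MySQL's parser on the way in, so they only show up when they were added twice or added again on the way out), here is an added example that is not code from anyone in this thread. It needs no database: the two helpers imitate what mysqli_real_escape_string() and the server's literal parsing do, and are assumptions written for this illustration, not mysqli functions.

```php
<?php
// Added example for this thread, not code posted by anyone in it. It shows,
// without a database connection, where the backslashes live: in the SQL text
// sent to the server, not in the stored row. Both helpers are written here to
// imitate the server's behaviour and are assumptions, not mysqli functions.

// Imitates what mysqli_real_escape_string() does to a value (the real one
// needs a live connection, so the common replacements are reproduced by hand).
function imitate_real_escape_string(string $value): string
{
    return strtr($value, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\0"   => "\\0",
        "\x1a" => "\\Z",
    ]);
}

// Imitates how MySQL reads a single-quoted string literal back into a value:
// every escape sequence is consumed by the parser, so this is what gets stored.
function mysql_literal_value(string $literal): string
{
    if (strlen($literal) < 2 || $literal[0] !== "'" || substr($literal, -1) !== "'") {
        throw new InvalidArgumentException('expected a single-quoted SQL literal');
    }
    $body = substr($literal, 1, -1);
    return strtr($body, [
        "\\\\" => "\\",
        "\\'"  => "'",
        '\\"'  => '"',
        "\\n"  => "\n",
        "\\r"  => "\r",
        "\\0"  => "\0",
        "\\Z"  => "\x1a",
        "''"   => "'",
    ]);
}

// Three ways the OP's text can travel to and from the database.
function escape_round_trip(string $text): array
{
    // 1. Escape once on the way in (what the replies recommend if you do not
    //    use prepare/bind): the stored value equals the original text.
    $literal = "'" . imitate_real_escape_string($text) . "'";
    $stored  = mysql_literal_value($literal);

    // 2. Escape twice on the way in (addslashes() or magic quotes, then
    //    real_escape_string): the extra layer survives the SQL parser and the
    //    backslashes end up in the row. This is the "added them twice" case.
    $doubleLiteral = "'" . imitate_real_escape_string(addslashes($text)) . "'";
    $doubleStored  = mysql_literal_value($doubleLiteral);

    // 3. Escape the value again on the way OUT, as the OP's script does with
    //    $row['description']: the slashes reach the page because there is no
    //    SQL parser on that side to consume them.
    $escapedOutput = imitate_real_escape_string($stored);

    return [
        'sql_literal'        => $literal,
        'stored_once'        => $stored,
        'stored_twice'       => $doubleStored,
        'escaped_on_output'  => $escapedOutput,
        'once_is_lossless'   => $stored === $text,
        'twice_adds_slashes' => $doubleStored === addslashes($text),
        // True for this sample only because it has no newlines or NULs:
        // stripslashes() is not a general inverse of real_escape_string().
        'stripslashes_undoes_output_escape' => stripslashes($escapedOutput) === $stored,
    ];
}

// Constructed sample text, based on the sentence quoted in the thread.
$text = "I'm the admin. My main quote is \"Do what you can, not what you can't\".";
foreach (escape_round_trip($text) as $key => $value) {
    printf("%-36s %s\n", $key . ':', is_bool($value) ? var_export($value, true) : $value);
}
```

Run it with the PHP CLI: `stored_once` comes back identical to the input, `stored_twice` carries the extra backslashes, and `escaped_on_output` is exactly the slash-laden text the OP was seeing on the page.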

@Mittineague So what if I have HTML Entities saved in a row and I replace the backslashes with the original content. Along with replacing the HTML Entities with BBCode and if there’s any BBCode in the row, then display the HTML version of the BBCode?

@phpdev So I can output the text with the backslashes replaced, but when inserting I must escape the data? The thing I find difficult is that, for some reason, the post size cannot exceed 400 characters. I’ve tried changing the post size in my php.ini and it just keeps doing the same thing. Same thing with max upload size. When I upload a 5 minute video, it gives me the Error 413 File Size too large. That being said, if I insert original data along with backslashes, it would replace the original content.

Something like

Hello, this is a test paragraph. You must read this entire paragraph in order to complete your task. Your first task will have to do with cleaning. You must clean each and every inch of the room. I'll also like to say that you must wash the dishes. A famous dish washer once said "I started washing dishes for fun, but now I'm doing it for a living." Now go find a lost key. The key is red and dirty.

If you escape the above data and insert backslashes to the escaped data, it would look like this.

Hello, this is a test paragraph. You must read this entire paragraph in order to complete your task. Your first task will have to do with cleaning. You must clean each and every inch of the room. I\\'ll also like to say that you must wash the dishes. A famous dish washer once said \\"I started washing dishes for fun, but now I\\'m doing it for a living.\\" Now go find a lost key. The key is red and di

Notice that “dirty” has been cut off along with the period. I don’t usually escape my message posts because I don’t know if it’ll insert backslashes into the actual data or if it’ll just escape the data so there wouldn’t be any SQL Injections. If I can find a way to allow textareas to post long messages, I would gladly escape all my post messages. Typically what I would do for message rows is use longtext and not text or varchar.

@felgall So if I use addslashes(), it would automatically insert backslashes into the data? I’m still learning how to prepare and escape my data. I don’t know what some of the variables mean and what they do. Like S or something like that. I only saw it a few times.
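Since the replies above settle on prepare/bind for the query and htmlspecialchars() for the page, and the last post asks what the "s" in the bind call means, here is an added example that is not code from anyone in this thread: the OP's script rewritten so that no escaping is done by hand at all. It assumes config.php creates a connected $mysqli, that random_table has an integer id column and a text description column (the names used in the OP's query), and that the mysqlnd driver is available for get_result().

```php
<?php
// Added example, not code from the thread. It rewrites the OP's script with
// prepare/bind (so no real_escape_string anywhere) and encodes only at output.
// Assumes config.php provides a connected $mysqli, that random_table has an
// integer `id` column and a text `description` column (names from the OP's
// query), and that mysqlnd is available for get_result().
include 'config.php';

// Throw on SQL errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Stores the text exactly as typed, slashes and all, because the value
// travels to the server separately from the SQL text. The letter passed to
// bind_param() is the type: s = string, i = integer, d = double, b = blob.
function save_description(mysqli $db, string $text): int
{
    $stmt = $db->prepare('INSERT INTO random_table (description) VALUES (?)');
    $stmt->bind_param('s', $text);
    $stmt->execute();
    return (int) $db->insert_id;
}

// Fetches one row by id; "i" binds the id as an integer, so a quote or a
// semicolon in the request cannot become part of the SQL.
function fetch_description(mysqli $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT description FROM random_table WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row === null ? null : $row['description'];
}

// Output encoding is a separate job from SQL escaping: quotes become
// &quot; and &#039; so the text cannot break out of the HTML, while the
// stored string itself is untouched, so no backslashes ever appear.
function render_description(?string $text): string
{
    if ($text === null) {
        return '<p>No such post.</p>';
    }
    return '<p>' . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Reject anything that is not a positive integer before it reaches the query.
// filter_input() returns null when the parameter is absent and false when it
// fails validation.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Missing or invalid id');
}

echo render_description(fetch_description($mysqli, $id));
```

With this shape there is nothing to strip on the way out: the description is stored byte-for-byte as the user typed it, and the only transformation happens in render_description(), where it is encoded for the context it is being written into (HTML), as Mittineague's view-source excerpt shows the forum itself doing.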