Problem with addslashes and stripslashes

I’m running this script on my testing server on my local machine. From what I can tell, magic quotes is not turned on (the code below is used to check):


if(get_magic_quotes_gpc())
	echo "Magic quotes are enabled";
else
	echo "Magic quotes are disabled";

Anyway, I use addslashes to escape apostrophes and slashes before inserting them into a MySQL database. However, when I try to unescape them using stripslashes, it doesn’t seem to be having an effect.

The following is a snippet of code that acts on a MySQL query result. I’m attempting to stripslashes but it’s not working. When this query string is passed back to JavaScript via Ajax, some things are still escaped when I output the JSON string to an alert box. For example, I call addslashes before inserting 1/2 into the database; when I retrieve it through Ajax via this script and use stripslashes, in an alert box it is still appearing as “1\/2”.


	if ( $returnVar->select == "yes" ) {
		$arr = NULL;

		if ($result)
			$num_results = mysqli_num_rows($result);
		else
			$num_results = 0;

		for ($i = 0; $i < $num_results; $i++) {
			$row = mysqli_fetch_assoc($result);
			foreach ( $row as $current ) {
				$current = stripslashes($current);
			}
			$arr[$i] = $row;
		} 
		$returnVar->items = $num_results;
		

	}

$z = rawurlencode(json_encode($returnVar));
echo $z;

I then retrieve $z using an AJAX call.

Also, the string " Honey Nut O’s Cereal " is successfully inserted into the database after calling addslashes on it. When it’s retrieved via the above snippet and output to a table cell in HTML using JS, it appears the slash is gone. It also appears gone if I call an alert box on the AJAX response string (but the slash is still present in “1\/2”, which I cannot figure out). But when I then take the value from the table cell (by using innerHTML) and try to insert it back into the database, after calling addslashes it goes from having 0 slashes to 2 slashes!! wtf pls help cannot figure this out.

You already made a major mistake. You are using the WRONG function for escaping input for an SQL query. You are open to SQL-Injection attacks, which have been plaguing the security news for the past few months. Use MySQL’s own escaping function, or use prepared statements provided by MySQLi or PDO.

So it is clear. DO NOT USE addslashes FOR ESCAPING INPUT TO THE DATABASE. Alright? Good.

whoa ok jackass…

and that function would be?

Right there. Read the PHP manual.

Using prepare statements makes SQL injection impossible.

It is still at least possible in theory for injection to occur even if you use mysql_real_escape_string() and so you can improve on security by abandoning that and using prepare statements instead.

Is there an article anyone can point me to that explains in detail how to bypass mysql_real_escape_string() and carry out an injection attack?

Some examples: SQL injection - Wikipedia, the free encyclopedia

The PHP documentation: PHP: mysql_real_escape_string - Manual

The only thing that protects you from are injected statements with quotes. Statements without quotes might be able to slip in without proper filtering/validation on user input or GET parameters.

Beyond discussing measures of prevention and security, we don’t typically get into hacking on these forums.

Basically injection is possible anywhere that you have code and data jumbled together - all that is required is to enter data that looks like code.

To make sure it can’t happen you need to keep the code and data completely separate. You can do this with SQL by using a prepare statement to define the code and a bind statement to attach the data.
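The prepare-and-bind separation described in the last reply, as an added example that is not part of the original thread. It uses PDO with an in-memory SQLite database so it runs without a server; the `items` table, its columns and the second sample value are constructed for illustration.

```php
<?php
// Added example: the table, columns and second sample value are constructed.
// In-memory SQLite keeps it runnable without a server (assumption); for MySQL
// only the DSN and credentials given to PDO change.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, qty TEXT)');

$samples = [
    ["Honey Nut O's Cereal", '1/2'],   // values from the thread
    ["x' OR '1'='1", '3'],             // constructed: quotes plus SQL keywords
];

// The code: SQL text with placeholders only, no data in it.
$insert = $db->prepare('INSERT INTO items (name, qty) VALUES (:name, :qty)');
foreach ($samples as [$name, $qty]) {
    // The data: bound separately, with no addslashes() beforehand.
    $insert->bindValue(':name', $name, PDO::PARAM_STR);
    $insert->bindValue(':qty', $qty, PDO::PARAM_STR);
    $insert->execute();
}

// A bound value in WHERE is compared as one literal string, so the quotes in
// it cannot change the shape of the query.
$select = $db->prepare('SELECT name, qty FROM items WHERE name = :name');
$select->bindValue(':name', $samples[1][0], PDO::PARAM_STR);
$select->execute();
$matched = $select->fetchAll(PDO::FETCH_ASSOC);
if (count($matched) !== 1) {
    throw new RuntimeException('bound value was not treated as plain data');
}

// Rows come back exactly as stored, so stripslashes() has nothing to undo.
$rows = $db->query('SELECT name, qty FROM items ORDER BY id')
           ->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $i => $row) {
    if ($row['name'] !== $samples[$i][0] || $row['qty'] !== $samples[$i][1]) {
        throw new RuntimeException("row $i changed on the round trip");
    }
}

// json_encode() escapes "/" as "\/" unless JSON_UNESCAPED_SLASHES is passed.
// That is JSON syntax, not an addslashes() leftover; decoding removes it.
$json = json_encode($rows);
if (json_decode($json, true) !== $rows) {
    throw new RuntimeException('JSON round trip changed the data');
}
echo $json, PHP_EOL;
```

With the MySQL driver, PDO emulates prepared statements by default; setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the server receive the statement and the bound data separately.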