matthewdaniel

Reputation: 1476

Does addslashes(stripslashes($field)) guarantee SQL injection invulnerability?

Minus the whole addslashes() vs mysqli_real_escape_string() argumentation, will stripping then adding slashes guarantee SQL injection invulnerability? Will this alter the data in any way, for example displaying the string with double slashes after fetching it from the database?

Upvotes: 0

Views: 3278

Answers (5)

mhughes

Reputation: 630

NO, use mysql_real_escape_string().

Why: you are not considering a ton of issues, mainly encoding of strings, etc...

Upvotes: 1

Abe Petrillo

Reputation: 2447

addslashes() will protect you in most cases. As for getting the output, it depends how you're submitting it. If you do

$input = addslashes("Bob's shoes");

you'll get Bob\'s shoes.

When you put this in your database

insert into tbl (txt) values ('Bob\'s shoes')

The output of

select txt from tbl

will be Bob's shoes as you intended; the slashes are removed by the SQL on insert.

If you're anal about it you can add other precautions, but if you want a quick and easy thing for a site that doesn't need to be ridiculously secure it should be fine. There are also built-in PHP sanitize functions if you look them up.

Upvotes: 0

rockerest

Reputation: 10518

Escaping characters (addslashes()) may protect you from SQL Injection. I'm not an expert on how to sanitize inputs, and here's why:

I skipped the whole "sanitizing" thing and went straight to prepared statements. Sanitizing / escaping means you have to do the reverse on the output side, which means double the effort every time, and double the chances to mess up somewhere - allowing bad input in. If you just plop the PDO between every database query you do and the database itself, your worries are over.

That's not to say, of course, that the PDO protects you from attacks like CSRF or XSS, but the actual stored values are SQL-injection-safe, and you can strip html or whatever you need to do before you store it to protect from attacks like those.

Upvotes: 1

Christian Smorra

Reputation: 1754

so what you want to do is

$input='bla" SELECT * FROM blabla"';
$escaped=stripslashes(addslashes($input));

in that case

$input==$escaped is true

So no, this would probably do nothing; that's why you should prefer mysql_real_escape_string.

Upvotes: 1
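The two points made above, as one added example that is not code from any of the answers: Christian Smorra's observation that stripslashes(addslashes($s)) hands the original string back unchanged, and rockerest's suggestion to put PDO prepared statements between the query and the database instead. It assumes the pdo_sqlite extension is available (an in-memory SQLite database is used so it runs offline); the table and column names tbl and txt follow Abe Petrillo's answer.

```php
<?php
// Added example, not from the original question or answers.

// Point 1: addslashes() followed by stripslashes() is the identity.
// The escaping is undone, so the value reaches the query exactly as typed.
function roundTripsUnchanged(string $s): bool
{
    return stripslashes(addslashes($s)) === $s;
}

// Point 2: with a prepared statement the value is bound by the driver,
// never spliced into the SQL text, so no escaping layer is needed on the
// way in and nothing has to be undone on the way out.
function insertAndFetch(string $value): string
{
    $pdo = new PDO('sqlite::memory:');  // assumption: pdo_sqlite is installed
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE tbl (txt TEXT NOT NULL)');

    $ins = $pdo->prepare('INSERT INTO tbl (txt) VALUES (:txt)');
    $ins->execute([':txt' => $value]);

    $sel = $pdo->prepare('SELECT txt FROM tbl WHERE txt = :txt');
    $sel->execute([':txt' => $value]);
    return (string) $sel->fetchColumn();
}

// The same sample input used in Christian Smorra's answer.
$input = 'bla" SELECT * FROM blabla"';

var_dump(roundTripsUnchanged($input));            // escaping undone: true
var_dump(insertAndFetch("Bob's shoes"));          // apostrophe stored and read back as-is
var_dump(insertAndFetch($input) === $input);      // quotes stored verbatim, query untouched
```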

Traveling_Monk

Reputation: 788

No, having the right amount of slashes helps with some vulnerabilities, but you still need to check user input. There is no guarantee of SQL injection invulnerability, ever.

Upvotes: 0
