
Possible Duplicate:
Best way to defend against mysql injection and cross site scripting
How to include a PHP variable inside a mysql insert statement

I was wondering if anyone had come across the stripslashes statement when getting text from a password field, and if there is any way to do an SQL injection when this is the case?

i.e. in the PHP language you can get text from a password field of a website and pass it through the stripslashes statement to remove any (') so (' OR 1=1 --) becomes (OR 1=1), which makes SQL injections hard to do.

Raven Danes
  • If you downvote the question or cast a close vote **explain why**. I think the question is absolutely on topic with the site. – nico Apr 07 '12 at 12:31
  • Stripslashes strips slashes, not quotes. `' OR 1=1 --` stays `' OR 1=1 --` ... – Konerak Apr 07 '12 at 12:33
  • @nico — Close votes require that a reason be picked. The two people who have voted to close (at the time I have made this comment) have said "Not a real question". I can see their point, it is not a clearly asked question (and is based on a false premise). – Quentin Apr 07 '12 at 12:33
  • @Quentin: close votes require you to choose a reason amongst a handful. It happened to me a few times to choose one just because I had to, without that actually being the exact reason. Adding a comment is very useful (and polite) to the poster, who may not be familiar with the ins and outs of the site. It takes five seconds, really. – nico Apr 07 '12 at 12:37
  • This question is much better after the recent edit btw... – Randy Apr 07 '12 at 12:38
  • @nico: This is the 500th Oh-god-I-don't-know-about-the-database-stuff-explain-me-the-escaping question we have on this site. Closing it sans comment is entirely sufficient, in particular if the answers are the same old use m_r_e_s or PDO and prepared statements kind. – mario Apr 07 '12 at 13:26
  • @mario: I perfectly agree with closing for duplicates and I am not saying this is a GOOD question (I have not upvoted it). However, I don't about closing without comments. An explanation should always be warranted. – nico Apr 07 '12 at 13:54

2 Answers

stripslashes removes slashes (\), which are escape characters, from data, not quotes ('). If anything, its use will increase the likelihood of an SQL injection vulnerability existing.

To defend against SQL injection use prepared statements and parameterized queries.

Quentin
  • Hello. It seems I may have misunderstood the code I was writing. (I'm new to PHP.) mysql_real_escape_string is what I was referring to. – Raven Danes Apr 07 '12 at 13:02


stripslashes should not be used for passwords, because it might strip slashes which users have input intentionally. To prevent SQL injection, escape according to the RDBMS you are using. This will make sure you enter the exact same string the user has input, but escaped, so SQL injection will not occur.

For MySQL use mysql_real_escape_string

Another, better option is to use prepared statements. They are available in all the recent database drivers of PHP. The generic algorithm is:

  1. Prepare a statement, usually by a prepare function.
  2. Bind the values, usually by a bind function.
  3. Execute the statement, usually by an exec function.
Shiplu Mokaddim
  • Don't use mysql_real_escape_string, it is too manual and too easy to leave out somewhere by accident. Parameterized queries are better. – Quentin Apr 07 '12 at 12:34
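Both answers come down to the same two points: stripslashes removes backslashes rather than quotes (Quentin's answer), and the safe pattern is prepare, bind, execute (the three steps in Shiplu Mokaddim's answer). The following is an added example illustrating both; it is not code from the question or from either answer. It runs against an in-memory SQLite database through PDO so that no MySQL server is needed; the `users` table, its `username` and `password_hash` columns, and the `check()` helper are assumptions made for this illustration.

```php
<?php
// Added example; not code from the question or either answer.
// Runs against an in-memory SQLite database through PDO so no MySQL server
// is needed. The schema (users / username / password_hash) and the check()
// helper are assumptions made for this illustration.
declare(strict_types=1);

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// --- 1. stripslashes() removes backslashes, not quotes -------------------
$payload = "' OR 1=1 --";
check(stripslashes($payload) === $payload, 'the quote survives stripslashes()');
// On input that was already backslash-escaped it undoes the escaping ...
check(stripslashes("\\' OR 1=1 --") === "' OR 1=1 --", 'escaping is undone');
// ... and a backslash the user typed on purpose is lost.
check(stripslashes("pa\\ss") === 'pass', 'intentional backslash stripped');

// --- 2. Prepared statement: prepare, bind, execute ------------------------
function findUser(PDO $pdo, string $username): ?array
{
    // Step 1: prepare. The SQL text is fixed; :username is a placeholder.
    $stmt = $pdo->prepare(
        'SELECT id, password_hash FROM users WHERE username = :username'
    );
    // Step 2: bind. The value is sent as data and is never parsed as SQL.
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    // Step 3: execute.
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function login(PDO $pdo, string $username, string $password): bool
{
    $row = findUser($pdo, $username);
    // The password never touches the SQL at all: it is compared with the
    // stored hash by password_verify() (built into PHP 5.5 and later).
    return $row !== null && password_verify($password, $row['password_hash']);
}

// --- 3. Demonstration on a constructed database --------------------------
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec(
    'CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)'
);
$insert = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$insert->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

check(login($pdo, 'alice', 'correct horse'), 'valid credentials accepted');
check(!login($pdo, 'alice', "' OR 1=1 --"), 'payload as password is just a wrong password');
check(!login($pdo, "' OR 1=1 --", 'anything'), 'payload as username matches no row');
check(findUser($pdo, "alice' --") === null, 'quoted username is looked up literally');
echo "all checks passed\n";
```

For MySQL, replace the DSN with `mysql:host=...;dbname=...` and add `PDO::ATTR_EMULATE_PREPARES => false` to the options so the server itself prepares the statement; the three steps stay the same. Note that the password is never interpolated into any query: it is only ever passed to `password_verify()`, so the question of escaping it does not arise.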