1

Possible Duplicate:
Best way to stop SQL Injection in PHP

I'm curious what all functions I should run on a text string that's a quote before I store it in my database.

I want to handle it if it has single quotes contained in it as well as other double quotes or anything else.

Jeff Davidson

3 Answers

3

From the most effective to the least, there are four things you can do (I'm assuming MySQL here, as it's the most common combination with PHP):

  • Use parametrized queries and you'd be spared this whole "escaping" ordeal.
  • If parametrized queries are not an option, use mysql_real_escape_string().
  • addslashes() and stripslashes() might be effective in specific circumstances - but do not use them unless you know exactly what you're doing and unless you're certain that it won't make your code vulnerable to multi-byte injection attacks.
  • Approaches like "stripping out whitespace" are completely useless here. "Cargo-cult programming", you might call that.
Piskvor left the building
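As an added illustration of the first bullet (this is not code from the original answer), here is the string concatenation that goes wrong beside the PDO prepared statement that replaces it; PDO also stands in for the mysql_* extension, which was removed in PHP 7. The table name, DSN and credentials are placeholders I assume:

```php
<?php
// Added example, not from the original answer. Assumes a MySQL table
// `quotes` with columns `id` (auto-increment) and `body` (TEXT); the DSN
// and credentials below are placeholders.
declare(strict_types=1);

// Constructed input: contains a single quote, double quotes and a
// backslash, i.e. everything the question worries about.
$quote = "O'Brien said \"it's fine\" \\ and left";

// VULNERABLE: the value is pasted into the SQL text. A single quote in
// $quote ends the literal and the rest of the input is parsed as SQL.
function storeQuoteUnsafe(PDO $pdo, string $quote): void
{
    $pdo->exec("INSERT INTO quotes (body) VALUES ('" . $quote . "')");
}

// SAFE: a prepared statement sends the SQL and the value separately, so
// the value is never parsed as SQL and needs no escaping on the PHP side.
function storeQuote(PDO $pdo, string $quote): int
{
    $stmt = $pdo->prepare('INSERT INTO quotes (body) VALUES (:body)');
    $stmt->execute([':body' => $quote]);
    return (int) $pdo->lastInsertId();
}

function loadQuote(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM quotes WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

// Charset in the DSN plus native (non-emulated) prepares: the answer's
// multi-byte caveat concerns client-side escaping under a mismatched
// connection charset, which this configuration sidesteps entirely.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4', // placeholder DSN
    'app_user',                                        // placeholder
    'app_password',                                    // placeholder
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$id = storeQuote($pdo, $quote);
// The stored value comes back byte-for-byte: nothing escaped or trimmed.
var_dump(loadQuote($pdo, $id) === $quote);
```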
1

Use mysql_real_escape_string() if you use MySQL.

-2

In terms of PHP you should use trim() and stripslashes(), and if you are using MySQL then mysql_real_escape_string().

You can use them in this order:

  • first stripslashes(), then
  • trim(), then
  • mysql_real_escape_string()
Peeyush
  • So you're saying mysql_real_escape_string(trim(stripslashes($quote)))? – Jeff Davidson Apr 22 '12 at 17:07
  • why -1 can you please tell me the reason? – Peeyush Apr 22 '12 at 17:07
  • @user1333299 yes, sort of this kind, if it works for you – Peeyush Apr 22 '12 at 17:09
  • @user1333299 you should use trim() if you are not sure about unnecessary white space at the start and at the end of the input string – Peeyush Apr 22 '12 at 17:14
  • "This answer is not useful", as it says on the down arrow. What problems do `stripslashes` and `trim` solve in this case? – Piskvor left the building Apr 22 '12 at 17:19
  • @Piskvor by using trim() you can be on the safe side in case you are taking input from the user side. I mean to say that you can remove white spaces – Peeyush Apr 22 '12 at 17:20
  • Yes, I know what `trim()` does; it's unclear to me *why* should I do that. Are you claiming that whitespace is unsafe? How exactly? Any examples? – Piskvor left the building Apr 22 '12 at 17:21
  • @Piskvor I am not saying that it is a security breach, I am just saying that it's a good practice to use trim() – Peeyush Apr 22 '12 at 17:25
  • No, it's not a "good practice". If you seriously claim that whitespace should be stripped "just to be on the safe side", as it's (in your opinion) potentially dangerous, I suggest that you don't go near any database, at all, "just to be on the safe side". They're dangerous things, y'know. (As for `stripslashes()`, now that's pure cargo-cult: applying that function going *from* application layer *to* database layer won't make the string "safer", plus it will introduce a host of other problems.) – Piskvor left the building Apr 22 '12 at 17:25