3

I am testing how secure is to use stripslashes()

I tried the following :

  $str = chr(0xbf) . chr(0x27);

  var_dump(stripslashes($str)); // string(2) " �' "

Then I changed it to this :

  $str = $_POST['input']; // %bf%27;

  var_dump(stripslashes($str)); // string(3) " �'' "

Then I used curl to send input data :

  curl_setopt($ch, CURLOPT_POSTFIELDS, 'input=' . chr(0xbf) . chr(0x27));

but again result was : string(3) " �'' "

Is it possible to get result as in First example when data is received from another server? Will it be secure to use stripslashes() ?

John
  • 7,500
  • 16
  • 62
  • 95
  • consider reading examples given in following link: http://php.net/manual/en/function.stripslashes.php – Harpreet Apr 07 '13 at 10:29
  • Where does the second single quote come from? – Gumbo Apr 07 '13 at 10:30
  • Also take a read on "PHP: the Right Way" about data filtering if you are think of ways to sanitize your code http://www.phptherightway.com/#security – medina Apr 07 '13 at 10:34

1 Answers1

0

You're asking two questions here:

On the security of stripslashes

stripslashes() is not really a secure way of handling input (that goes to a database, i assume). There are too many variables involved, like

  • Target Database System
  • Encoding of the database connection
  • Easy-to-miss programmer errors

On receiving POST data

Try the following file. It should serve as a basic test case for what you are investigating. I so far cannot reproduce the problem that you described.

test.php

<html>
<head></head>
<body>
<form method="POST" action="test.php">
<input type="text" name="input"></input>
<input type="submit" value="Submit"></input>
</form>

<?php 

$string = chr(0xbf) . chr(0x27); // yields string '¿'' (length=2)
$input = $_POST['input'];

foreach (array($string, $input) as $s) {
  var_dump(stripslashes($s));
  var_dump($s);
}

?>
</html>

The results that you get strongly point to an encoding problem.

likeitlikeit
  • 5,563
  • 5
  • 42
  • 56