
If I quote a variable to prevent SQL injection as such:

$safe_email = $db->quote($_POST['email']);

If $_POST['email'] = abc@example.com

and I do the following:

  echo $safe_email;

I get:

"abc@example.com"

The PHP Documentation says that the stripslashes function "Un-quotes a quoted string".

However when I use it on my quoted string as such:

echo stripslashes($safe_email);

I still get the string printed out in quotes.

What seems to be the problem here? It's still printing out in quotes.

Ryman Holmes
    Parameterized queries: `$stmt = $dbh->prepare("INSERT INTO emails (email) VALUES (?)"); $stmt->execute(array($_POST['email']));` Done. – Sammitch Mar 24 '14 at 20:05
  • Slashes and quotes aren't the same thing, why would a function called "strip slashes" remove quotation marks? – user229044 Mar 24 '14 at 20:05
  • `stripslashes` removes slashes from (escaped) characters in a string. – gen_Eric Mar 24 '14 at 20:06
  • @meagar The PHP Documentation clearly says "Un-quotes a quoted string"... is that not a quoted string? – Ryman Holmes Mar 24 '14 at 20:07
  • That seems to be an unfortunate choice of words. It's certainly not the inverse of whatever your `quote` function does. – deceze Mar 24 '14 at 20:07
  • You're right, that is a sucky piece of documentation –  Mar 24 '14 at 20:07
  • Well then what is the inverse of the `quote` function? – Ryman Holmes Mar 24 '14 at 20:08
  • Why do you even have to worry about it if you use something like PDO to pass bound parameters? You can sanitize prior to binding if you wish. – Casey Dwayne Mar 24 '14 at 20:08
  • @kcdwayne Because I need to use the variable to display on a form... Just not with quotes – Ryman Holmes Mar 24 '14 at 20:10
  • Why are you going through these questions asking about how you can sanitize your inputs so that you can build SQL statements from outside data? **Building SQL statements from outside data is dangerous.** Rather than wasting your time worrying about how you can come up with another halfway thought out "solution", stop and put on your Big Programmer Pants and start using prepared statements and bound variables. Here is a fantastic answer that will get you started: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Andy Lester Mar 24 '14 at 20:10
  • ...You can just pull the variable as a string from the database.. *how exactly are you sending/pulling data from your database?* – Casey Dwayne Mar 24 '14 at 20:14
  • You guys need to take a chill... I only asked a question why get so bemused? It would be better to stick to my question rather than bring other things up... I would have asked if needed – Ryman Holmes Mar 24 '14 at 20:21
  • I don't understand... what's wrong with using `quote`? It prevents SQL injection safe and sound – Ryman Holmes Mar 24 '14 at 20:25
  • No it doesn't, that's what's wrong with it –  Mar 24 '14 at 20:26
  • @Dagon Thanks... finally someone who can get to the point without beating around the bush – Ryman Holmes Mar 24 '14 at 20:27
  • ... that's what we all.. nevermind. – Casey Dwayne Mar 24 '14 at 20:27
  • I'm wondering how I can do the same but the OPPOSITE way - insert a quote in an unquoted variable... – Raul Chiarella Apr 20 '22 at 00:19

3 Answers


There isn't necessarily a direct inverse of the quote function (assuming PDO::quote here). It surrounds the value by quotes and escapes special characters inside the string to form a valid SQL string literal according to the underlying driver of the database. And that may vary a bit from database to database and the specifics of your connection. You should also never need to unquote a string, because you're not supposed to use the quoted string in any other place but an SQL query:

sprintf('SELECT ... WHERE foo = %s', $pdo->quote($value))

There's no reason whatsoever to quote the value, and then unquote it again to use it anywhere else but an SQL query. Just use the original $value instead of the quoted value. And of course, you should be using prepared statements with bound parameters instead of manual quoting to begin with, so you should hardly have any reason to touch this function ever.

Having said that, this should cover most cases, though it is far from guaranteed to always produce the correct result:

$unquoted = stripslashes(substr($quoted, 1, -1));
deceze

What's wrong with something like this?

filter_var($_POST['email'], FILTER_SANITIZE_EMAIL)

Your question worries me. Please read up on PDO, bind your parameters, and rest easier at night. The road you seem to be traveling down is one of security risks, and will likely not end well.

Side note: I like to sanitize both client side and server side, and bind parameters appropriately. Maybe I'm paranoid, but an ounce of prevention is worth a pound of cure IMO.

Well, since you don't seem to be interested in the right way:

$email = str_replace('"','',$email);

Casey Dwayne

Sometimes you just want to remove quotation marks from the beginning and end of a string, and restore characters escaped with "\" in PHP. This is the intuitive meaning of "unquoting a string".

For example, the expression var_export($value,true) always single-quotes its result and escapes certain characters.

This expression will "unquote" such a string nicely: stripslashes(substr(substr($str,1),0,-1)).

David Spector
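A check of the "unquote" expression from deceze's and David Spector's answers, as an added example (not code from the question or any answer): it is the exact inverse of var_export(), but PDO::quote() output is driver-specific, so on SQLite the same expression silently returns the wrong value, and the right move is to keep the raw value and bind it. It assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not from the question or any answer. It checks the claim that
// stripslashes(substr($s, 1, -1)) "unquotes" a string: exact for var_export()
// output, wrong for PDO::quote() output on SQLite, which doubles quotes instead
// of backslash-escaping. Needs the pdo_sqlite extension; runs offline.

function unquoteNaive(string $quoted): string
{
    return stripslashes(substr($quoted, 1, -1));
}

// Constructed sample values standing in for $_POST['email'].
$samples = ['abc@example.com', "o'brien@example.com", 'back\\slash@example.com'];

// 1. var_export() always single-quotes and backslash-escapes ' and \, so the
//    naive unquote is its exact inverse.
foreach ($samples as $raw) {
    $exported = var_export($raw, true);
    printf("var_export: %-30s -> %-26s %s\n", $exported, unquoteNaive($exported),
        unquoteNaive($exported) === $raw ? 'ok' : 'FAIL');
}

// 2. PDO::quote() on SQLite returns 'o''brien@example.com' and leaves backslashes
//    alone, so the same expression silently returns the wrong value.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE emails (email TEXT NOT NULL)');

foreach ($samples as $raw) {
    $quoted = $pdo->quote($raw);
    printf("PDO::quote: %-30s -> %-26s %s\n", $quoted, unquoteNaive($quoted),
        unquoteNaive($quoted) === $raw ? 'ok' : 'FAIL');

    // The right way: never unquote. Bind the raw value for the database...
    $stmt = $pdo->prepare('INSERT INTO emails (email) VALUES (?)');
    $stmt->execute([$raw]);
    // ...and escape that same raw value for the HTML form, not for SQL.
    echo '<input name="email" value="', htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'), "\">\n";
}

// What was stored is exactly the original input, with no quoting artefacts.
foreach ($pdo->query('SELECT email FROM emails') as $row) {
    echo 'stored: ', $row['email'], "\n";
}
```

On a MySQL connection PDO::quote() backslash-escapes instead, so the naive expression happens to round-trip there; that difference between drivers is exactly why there is no general inverse.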