
When returning text after PDO queries, I am getting a slash in front of my apostrophes and such but I am on wordpress and not able to edit the php.ini to remove magic_quotes etc. So I was hoping there was a function that can escape special characters. I tried addslashes(), but you can see the negative results below. Any programmatic approaches or functions or methods I can use to fix this?

//as is...

Hey..i\’m getting a slash in front of my apostrophe


//after adding addslashes()

Hey..i\\\’m getting too many slashes now!
  • Don't use addslashes. It is *never* okay for SQL. Instead, *remove slashes* and [*use prepared statements*](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?lq=1). It is unfortunate the terrible magic_quotes cannot be disabled. – user2864740 Aug 07 '14 at 01:30
  • I am using PDO prepared insert. is there something I can add to that? – jaw Aug 07 '14 at 01:31
  • Good, don't call addslashes! Prepared statements do *not* need "escaping hacks". The problem is now that magic_quotes is still incorrectly adding slashes: fix the configuration or manually *remove* the slashes. – user2864740 Aug 07 '14 at 01:32
  • 1
    http://php.net/manual/en/function.stripslashes.php – Dave S Aug 07 '14 at 01:33
  • My question is how to remove the slashes given that I am using PDO statements though. I'm kind of stuck... – jaw Aug 07 '14 at 01:33
  • @jaw: why do they appear there in the first place. "after adding addslashes()" --- just don't run it. – zerkms Aug 07 '14 at 01:34
  • 1
    @jaw `$message = stripslashes($_POST['message']);` (keeping in mind this is a hack to undo magic_quotes) – user2864740 Aug 07 '14 at 01:34
  • @zerkms "I am on wordpress and not able to edit the php.ini to remove magic_quotes" :( – user2864740 Aug 07 '14 at 01:34
  • @user2864740: what this line means then "after adding addslashes()"? – zerkms Aug 07 '14 at 01:34
  • @zerkms The OP appears to be calling addslashes on the already mangled input, given the posted text. – user2864740 Aug 07 '14 at 01:35
  • @Dave S. That's what I was looking for. Perfect. Now I am assuming someone will tell me don't use stripslashes as it is not secure at all, despite the sql statements that were used to get this were PDO/prepared. Is that so? And if so, is there a more secure recommended method? – jaw Aug 07 '14 at 01:36
  • As long as you are sanitizing your input to prevent sql injections you can use stripslashes – Dave S Aug 07 '14 at 01:37
  • well, my sql select statement is PDO with binding parameters. One of those paramaters is text. When I go to display it, I am now using stripslashes($resulting[text]). So am I safe? – jaw Aug 07 '14 at 01:39
  • I am not familiar with PDO but in general it would be safer to strip the slashes before displaying it to the user after getting it from the database than stripping the slashes before putting it in there in the first place. – Dave S Aug 07 '14 at 01:40
  • I figured as much. Dang it. Well, my question then becomes how do I do that? Maybe best answered by a PDO expert I guess.. – jaw Aug 07 '14 at 01:41
  • there are other things you can use to sanitize input like http://php.net/manual/en/function.filter-input.php – Dave S Aug 07 '14 at 01:42
  • http://forums.phpfreaks.com/topic/266390-pdo-and-escaping-data/ It seems they are automatically escaped before running the query, you should try some test cases and see if it is escaped in the database but comes out clean. – Dave S Aug 07 '14 at 01:45
  • Well, the binding param looks like this: $stmt->bindParam(':text', $_POST['contributetext'], PDO::PARAM_STR); and from what I read that you sent I should consider mixed filter_input ( int $type , string $variable_name [, int $filter = FILTER_SANITIZE_MAGIC_QUOTES] ) But how would I combine the two into the PDO param without syntax errors? – jaw Aug 07 '14 at 01:48
  • first run filter_input on $_POST['contributetext'] and save it as a variable, then send that variable into the bindParam function. – Dave S Aug 07 '14 at 01:51
  • @Dave S. Thanks. Will try that. read your article on phpfreaks. It says "Prepared statements automatically escape. That's one of their key features." But alas, it doesn't help when it comes to displaying my text on the page as you know... – jaw Aug 07 '14 at 01:53
  • If you use prepared statements to retrieve the data, it might also automatically unescape, then the reason you are seeing slashes is because the magic quotes is also on. But I am not sure, the best way to know is to look at the rows inside the database, and see if it is escaped are not, if it's escaped inside the database but not when you display it, then you are fine. – Dave S Aug 07 '14 at 01:56
  • In the database I see same thing "hey, i\'m gonna add this". So I tried this but getting syntax errors: mixed filter_input ( int $type , string $_POST['contributetext'] [, int $filter = FILTER_SANITIZE_MAGIC_QUOTES] ); – jaw Aug 07 '14 at 01:59
  • filter_input( INPUT_POST, 'contributetext', FILTER_SANITIZE_MAGIC_QUOTES); – Dave S Aug 07 '14 at 02:07
  • Hmm. Well, no errors, but the page still returns "hey, i\'m gonna..." $formtext = $_POST['$contributetext']; filter_input( INPUT_POST, 'contributetext', FILTER_SANITIZE_MAGIC_QUOTES); – jaw Aug 07 '14 at 02:08
  • Yea because FILTER_SANITIZE_MAGIC_QUOTES is essentially applying magic quotes, not removing them. Really though, you need to find the page that displays your escaped text then just strip slashes. Best solution. If you can't do that you need to get more php experience under your belt before you get yourself into trouble. – Dave S Aug 07 '14 at 02:09
  • Ok. I'll stick with the strip slashes which works since I'm stuck with magic quotes on. I know I could use more php experience, but I'm not sure any expert on this site can do any better with my situation than what we just ended up with...stripslashes() and hope it is secure after the PDO sql – jaw Aug 07 '14 at 02:12
  • No no no no, After you get it from the database not before. You are seeing it with slashes somewhere, there is a place in the code that displays it. You need to modify that, after it comes out. – Dave S Aug 07 '14 at 02:13
  • So it's ok to keep my stripslashes() after it comes out from the database like I had it? As in: echo stripslashes($resulting[text]) – jaw Aug 07 '14 at 02:17
  • yes, you escape the text to prevent changes to your database, say if someone put in a sql query as text, it could run on your database. After it comes out from your database and you want to display it to the user, you can use strip_slashes to remove the slashes. Sometimes you want to use htmlspecialchars() to prevent the user from typing in input that can change the html of the page. https://econsultancy.com/blog/2663-web-app-security-basics-filtering-input-and-escaping-output – Dave S Aug 07 '14 at 02:19
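
The thread above ends with two separate pieces of advice: undo the unwanted slashes once, at the input boundary (user2864740), and escape for HTML when the text is echoed (Dave S). The following is an added example that puts both together with PDO; it is not code from the question or from any commenter. It assumes PHP 7 or later with the pdo_sqlite extension, a table `contributions(id, text)`, and an in-memory SQLite database standing in for the site's real one. The helper names `input_is_slashed()` and `unslash_input()` are invented for this example. One fact about the OP's situation that the thread does not mention: WordPress core slashes `$_GET`, `$_POST` and `$_COOKIE` itself in `wp_magic_quotes()`, so the slashes appear even when php.ini has magic_quotes off, which is why the detector below checks for that function.

```php
<?php
// Added example, not from the original question or comments. Assumptions:
// table `contributions(id, text)`, in-memory SQLite as a stand-in database,
// invented helper names input_is_slashed() and unslash_input().

// Does something slash request data before this code sees it?
// WordPress does so itself (wp_magic_quotes()) regardless of php.ini;
// PHP < 5.4 did it via magic_quotes_gpc. Both checks are guarded because
// neither function exists on every PHP version or outside WordPress.
function input_is_slashed(): bool
{
    if (function_exists('wp_magic_quotes')) {
        return true;
    }
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Undo magic quotes exactly once, at the input boundary, and only when the
// slashes were really added: stripslashes() on clean input would eat
// legitimate backslashes the user typed.
function unslash_input(string $value, bool $slashed): string
{
    return $slashed ? stripslashes($value) : $value;
}

// Store with a prepared statement. The driver quotes the value, so it must
// not be escaped by hand: no addslashes(), no manual quoting.
function store_text(PDO $pdo, string $text): int
{
    $stmt = $pdo->prepare('INSERT INTO contributions (text) VALUES (:text)');
    $stmt->bindValue(':text', $text, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Read the raw row back, to check what is actually stored.
function fetch_text(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT text FROM contributions WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return (string) $stmt->fetchColumn();
}

// Escape for the output context (HTML). This is a different job from SQL
// quoting: a stored "<b>" or "<script>" must not become markup when echoed.
function render_text(PDO $pdo, int $id): string
{
    return htmlspecialchars(fetch_text($pdo, $id), ENT_QUOTES, 'UTF-8');
}

// --- constructed demo, runs offline -----------------------------------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contributions (id INTEGER PRIMARY KEY AUTOINCREMENT, text TEXT)');

// What the OP's page receives: magic quotes has already turned ' into \'.
// addslashes() here only simulates that; a real request would consult
// input_is_slashed() instead of passing true.
$typed      = "Hey..i'm <b>getting</b> a slash";
$asReceived = addslashes($typed);
$clean      = unslash_input($asReceived, true);

$id = store_text($pdo, $clean);
if (fetch_text($pdo, $id) !== $typed) {
    throw new RuntimeException('database copy should hold the apostrophe without a slash');
}
echo render_text($pdo, $id), "\n";

// Hostile input is just data to a prepared statement: it is stored verbatim
// and the table survives.
$hostile = "'); DROP TABLE contributions; --";
$id2 = store_text($pdo, unslash_input(addslashes($hostile), true));
if (fetch_text($pdo, $id2) !== $hostile) {
    throw new RuntimeException('hostile text should round-trip unchanged');
}
echo render_text($pdo, $id2), "\n";
```

The point of putting `unslash_input()` at the boundary rather than `stripslashes()` at every echo is that the database then holds the text the user actually typed, and any other consumer of the row (an export, a feed, a search index) does not need to know about the slashes. `htmlspecialchars()` stays at the output, because that escaping is for the browser, not for the database.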