[prog] PHP script security

Jacinta Richardson jarich at perltraining.com.au
Tue Aug 19 16:48:53 EST 2003


On Tue, 19 Aug 2003, Wolfgang Petzold wrote:

> By the way: Would the effect of using AddSlashes be void if I used it --by
> accident-- twice? (Like "Have I invoked AddSlashes yet? Hm, better if I
> call it now...")

It wouldn't be void, but it would screw up your data.  For example:

$string = "This string shouldn't ever go near a db unslashed";

$string = addslashes($string);

print $string;  # prints "This string shouldn\'t ever go near a db
                #         unslashed"

$string = addslashes($string);

print $string;  # prints "This string shouldn\\\'t ever go near a db
                #         unslashed"

Now if you insert that second one into a smart db, the db will strip off
one layer of slashes and store:

	"This string shouldn\'t ever go near a db unslashed"

within.  Which will then look weird next time you display it.

If you want to addslashes to something but you don't know if you've
already done it, it's safer (but sometimes bad) to do:

addslashes(stripslashes($string));

This will make the string db safe, avoid extra slashes turning up if you
accidentally slash your data twice and will rarely corrupt your user's data.
I have to say "rarely" because if the user is trying to add an entry that
says something like the following:

	"When using many relational databases, it is important to ensure
	that the apostrophe is escaped before the data is put into the
	database.  This is required because otherwise the apostrophe
	accidentally ends the query and will result in the query's failure
	or incomplete/corrupted data being added to the database.

	There are various ways to do this, but the most common way of
	escaping the apostrophe is to precede it with a backslash.  For
	example cat\'s.  Some databases require apostrophes to be
	escaped by preceding the apostrophe with another apostrophe.
	For example cat''s."

This data will get screwed up by removing slashes before adding them.

All the best,

	Jacinta

> [1] I don't know any more where I got it from. It's a German one, and it's
>     signed "PHP-Dokumentationsgruppe" (PHP documentation group). Maybe I
>     got it directly from the PHP web site, but I can't tell right now.

www.php.net?

--
   ("`-''-/").___..--''"`-._          |  Jacinta Richardson         |
    `6_ 6  )   `-.  (     ).`-.__.`)  |  Perl Training Australia    |
    (_Y_.)'  ._   )  `._ `. ``-..-'   |      +613 9354 6001         |  
  _..`--'_..-_/  /--'_.' ,'           | contact at perltraining.com.au |
(il),-''  (li),'  ((!.-'              |   www.perltraining.com.au   |
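The three behaviours described in the message above (addslashes() stacking up when applied twice, the addslashes(stripslashes()) idiom avoiding that, and the idiom silently corrupting data that legitimately contained a backslash) as an added, runnable example. This is illustration code written for this page, not code from the original post. The function simulateDbStore() is an assumption: it stands in for a database that removes one layer of backslash escaping from a string literal, as the post describes, rather than for any particular database engine.

```php
<?php
// Added example (not from the original post). Run with the PHP CLI:
//   php double_escape.php

// Plain single escape, as addslashes() is normally used.
function escapeOnce(string $s): string
{
    return addslashes($s);
}

// The idiom from the post: strip any existing slashes, then add exactly
// one layer, so it gives the same result whether applied once or twice.
function escapeIdempotent(string $s): string
{
    return addslashes(stripslashes($s));
}

// Assumption for the demo: a database that, on INSERT, removes one layer
// of backslash escaping from a quoted string literal and stores the rest.
function simulateDbStore(string $escaped): string
{
    return stripslashes($escaped);
}

$raw = "This string shouldn't ever go near a db unslashed";

// Case 1: escaped twice by accident, the database ends up storing a stray
// backslash, which then shows up on every later display of the value.
$twice = escapeOnce(escapeOnce($raw));
printf("twice escaped : %s\n", $twice);                  // shouldn\\\'t
printf("stored in db  : %s\n", simulateDbStore($twice)); // shouldn\'t  (corrupted)

// Case 2: the strip-then-add idiom applied twice still yields one layer.
$again = escapeIdempotent(escapeIdempotent($raw));
printf("idempotent    : %s\n", $again);                  // shouldn\'t
printf("stored in db  : %s\n", simulateDbStore($again)); // shouldn't   (intact)

// Case 3: the failure mode from the post. The user's text genuinely
// contains "cat\'s" (the PHP literal "\\'" is one backslash plus a quote).
// stripslashes() removes that backslash before addslashes() runs, so the
// stored value no longer matches what the user typed.
$userText = "the most common way is to precede it with a backslash, e.g. cat\\'s";
printf("user typed    : %s\n", $userText);
printf("stored in db  : %s\n", simulateDbStore(escapeIdempotent($userText)));
```

The third case is the one to watch: stripslashes() cannot tell a backslash that addslashes() added from one the user typed, so any scheme that strips before adding will lose user backslashes. The robust way to avoid double escaping is to escape exactly once, at the point where the SQL string is built, and nowhere earlier; better still, pass user data as parameters of a prepared statement so that no escaping of the value is needed at all.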


