[thelist] Slashes Problem

Andrew Clover and-evolt at doxdesk.com
Mon Sep 15 17:02:48 CDT 2008


Daniel Padolsky wrote:

> I also notice that every time it goes back and forth between pages
> a slash is added

You're handling it in a slightly backwards way by trying to do 
MySQL-escaping and magic-quotes-de-escaping in one step. The 
MySQL-escaped version of a string is a different thing to the 
URL-escaped or HTML-escaped versions, which you might be using to pass a 
value to the script. In particular, a backslash is nothing special to 
URL or HTML encoding, which may be why you are getting them popping up 
unexpectedly in your input.

Aim to keep all your application's text as bare, unescaped strings for 
all internal purposes, only escaping them as they leave your script - 
and make sure you use the right type of escaping on the way out because 
they're all different. A SQL-escape or addslashes will do nothing to 
prevent an HTML-injection attack.

So, if you need to stripslashes[1] to cope with magic_quotes, do it at 
the start of the script. Now all your strings are perfectly normal, 
easy-to-process text.

Then, later, when you output a text string into an SQL query[2] you 
should pass it through mysql_[real]_escape_string on the way out. When 
spitting text into an HTML page you must wrap the output in 
htmlspecialchars to make sure characters like '<' and '&' are properly 
escaped. When putting text into a URL query parameter, it'll need to be 
urlencoded[3].


[1: I dunno if it's still worth working around the abomination that is 
magic_quotes these days. Does anyone still use it? If so, they should be 
hurt in the face.]

[2: Best not to be kludging together your own SQL queries out of strings 
though, it's easy to forget to escape something and end up with a 
security hole. Use a database access layer to avoid having to think 
about it.]

[3: ...and possibly the whole URL will then need to be HTML-encoded, if 
you're spitting it out into an attribute value.]

-- 
And Clover
mailto:and at doxdesk.com
http://www.doxdesk.com/
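The "normalize once on the way in, escape per destination on the way out" rule from the reply above, as an added example that is not code from the original post. It assumes PHP 7.0 or later with the pdo_sqlite extension (an in-memory database, so nothing needs a network); the function names normalizeInput, findByName, toHtml and toLinkHref and the sample value are constructed for illustration. Because mysql_real_escape_string and the mysql extension were removed in PHP 7, the SQL step uses a bound placeholder instead, which is the database-access-layer approach footnote 2 recommends.

```php
<?php
// Added example, not code from the original post. Assumes PHP 7.0+ with the
// pdo_sqlite extension (in-memory database, so it runs offline). Function
// names and the sample value are constructed for illustration.

// --- Input boundary: undo magic_quotes exactly once, at the top of the script.
// On PHP < 5.4 the flag would come from get_magic_quotes_gpc(); the setting and
// the function no longer exist on current PHP, so it is a parameter here.
function normalizeInput(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// --- Output boundaries: one escaper per destination, applied on the way out.

// SQL: no string escaping at all; a bound placeholder carries the bare value
// (the "database access layer" the post's footnote 2 recommends).
function findByName(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM people WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// HTML text or attribute value: <, >, &, " and ' become entities.
function toHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// URL query parameter: percent-encode the value, then HTML-escape the whole
// URL because it lands inside an href attribute (footnote 3 of the post).
function toLinkHref(string $name): string
{
    $url = 'search.php?name=' . urlencode($name) . '&page=2';
    return toHtml($url);
}

// Constructed sample: what the user typed, and what a magic_quotes runtime
// would have handed the script in $_GET['name'].
$typed       = "O'Reilly & <Sons> C:\\temp";
$fromRuntime = addslashes($typed);

// The backwards way the thread describes: treating the slashed input as the
// working value and escaping it again on every page hop multiplies backslashes.
$hop1 = addslashes($fromRuntime);
$hop2 = addslashes($hop1);
printf("backslashes after 0/1/2 extra hops: %d / %d / %d\n",
    substr_count($fromRuntime, '\\'),
    substr_count($hop1, '\\'),
    substr_count($hop2, '\\'));

// The intended way: normalize once, then work with the bare string everywhere.
$name = normalizeInput($fromRuntime, true);
echo $name === $typed ? "normalized value matches what was typed\n"
                      : "normalization failed\n";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT)');
$db->prepare('INSERT INTO people (name) VALUES (:name)')->execute([':name' => $name]);

// Each destination gets its own escaping of the same bare string.
$rows = findByName($db, $name);
echo count($rows), " row(s) stored and found for the bare value\n";
echo '<td>', toHtml($name), "</td>\n";
echo '<a href="', toLinkHref($name), '">link</a>', "\n";
```

The three echo lines show the same value leaving the script in three different shapes: stored and matched in SQL untouched, with `<`, `&` and `'` turned into entities for the table cell, and percent-encoded (then entity-encoded as a whole, so the `&page=2` separator becomes `&amp;page=2`) for the link. Only the input step ever removes slashes, so a value survives any number of page round trips unchanged.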
