[thelist] Slashes Problem
Andrew Clover
and-evolt at doxdesk.com
Mon Sep 15 17:02:48 CDT 2008
Daniel Padolsky wrote:
> I also notice that every time it goes back and forth between pages
> a slash is added
You're handling it in a slightly backwards way by trying to do
MySQL-escaping and magic-quotes-de-escaping in one step. The
MySQL-escaped version of a string is a different thing to the
URL-escaped or HTML-escaped versions, which you might be using to pass a
value to the script. In particular, a backslash is nothing special to
URL or HTML encoding, which may be why you are getting them popping up
unexpectedly in your input.
Aim to keep all your application's text as bare, unescaped strings for
all internal purposes, only escaping them as they leave your script -
and make sure you use the right type of escaping on the way out because
they're all different. A SQL-escape or addslashes will do nothing to
prevent an HTML-injection attack.
So, if you need to stripslashes[1] to cope with magic_quotes, do it at
the start of the script. Now all your strings are perfectly normal,
easy-to-process text.
Then, later, when you output a text string into an SQL query[2] you
should pass it through mysql_[real]_escape_string on the way out. When
spitting text into an HTML page you must wrap the output in
htmlspecialchars to make sure characters like '<' and '&' are properly
escaped. When putting text into a URL query parameter, it'll need to be
urlencoded[3].
[1: I dunno if it's still worth working around the abomination that is
magic_quotes these days. Does anyone still use it? If so, they should be
hurt in the face.]
[2: Best not to be kludging together your own SQL queries out of strings
though, it's easy to forget to escape something and end up with a
security hole. Use a database access layer to avoid having to think
about it.]
[3: ...and possibly the whole URL will then need to be HTML-encoded, if
you're spitting it out into an attribute value.]
--
And Clover
mailto:and at doxdesk.com
http://www.doxdesk.com/
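The discipline described above, written out as an added PHP example that is not part of Andrew's post: strip magic quotes once on the way in, then apply one context-specific escaper on the way out. The function names, the `notes` table and the PDO handle are assumptions for illustration.

```php
<?php
// Added example, not code from the original post. Function names, the
// "notes" table and the PDO connection are placeholders.

// Why slashes accumulate: escaping on input AND on output doubles up.
function double_escaped(string $s): string
{
    return addslashes(addslashes($s));   // O'Reilly -> O\\\'Reilly
}

// 1. Input side: undo magic_quotes exactly once, at the top of the script,
//    so every string the script handles is plain, unescaped text.
function normalise_input(string $raw): string
{
    // get_magic_quotes_gpc() was removed in PHP 8, so guard the call.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($raw);
    }
    return $raw;
}

// 2. Output side: a separate escaper per destination, applied once.
function for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');   // handles < & " '
}

function for_url_param(string $s): string
{
    return urlencode($s);                                // handles space & = ?
}

// Footnote 3: a URL placed in an attribute is URL-encoded first, then
// HTML-encoded, because the attribute value is HTML before it is a URL.
function link_to_search(string $term): string
{
    $href = 'search.php?q=' . for_url_param($term);
    return '<a href="' . for_html($href) . '">' . for_html($term) . '</a>';
}

// Footnote 2: let the database layer do the SQL escaping; no addslashes,
// no mysql_real_escape_string, no string-built query.
function save_note(PDO $db, string $text): void
{
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute([':body' => $text]);
}

// Constructed sample input that is special in every context at once.
$title = normalise_input($_GET['title'] ?? "O'Reilly & \"Sons\" <b>");
echo link_to_search($title), "\n";
```

Run with `php` on the command line to see the anchor; pass a real `PDO` instance to `save_note()` to exercise the prepared statement.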