Addslashes / Stripslashes

hey all,

I recently got in a bit of a fight with my webhost because he made some
changes to my server. Specifically they updated PHP without telling me.
They are now running PHP 4.4.1 (not sure what it was before).

Anyway, I mention that because I had a script that uploaded the content of
an image to a DB, then displayed it straight from the DB using gdlib.
Before I stored the content of the image I did an addslashes() and
before I displayed it I did a stripslashes().

Now my opinion of those functions is that they are designed to prevent
injection attacks by delimiting commonly used SQL escapes. Seeing as
how it's not too hard to write a SQL script and save it as a .jpg, I
wanted to make sure I prevented this.

Well, I'm still doing both functions but it doesn't seem to be working
anymore since the upgrade. Specifically the number of bytes passed into
the addslashes() doesn't match the number of bytes returned from the
stripslashes(). The variable after the strip is significantly smaller.

Does anyone know what could be causing this, and if there is some sort
of defect with this version of PHP?

My impression is that it's stripping out slashes it doesn't need to be,
and seeing as how the binary content of an image file is pretty strange
it's possible slashes could be in there as valid characters.

May 15 '06 #1
Areric wrote:
hey all,

I recently got in a bit of a fight with my webhost because he made some
changes to my server. Specifically they updated PHP without telling me.
They are now running PHP 4.4.1 (not sure what it was before).

Anyway, I mention that because I had a script that uploaded the content of
an image to a DB, then displayed it straight from the DB using gdlib.
Before I stored the content of the image I did an addslashes() and
before I displayed it I did a stripslashes().

Now my opinion of those functions is that they are designed to prevent
injection attacks by delimiting commonly used SQL escapes. Seeing as
how it's not too hard to write a SQL script and save it as a .jpg, I
wanted to make sure I prevented this.
Chances are that the hosting company changed php.ini too.
Just check for magic_quotes; you can also access the value using
get_magic_quotes_gpc() or something named similar to that.

If you don't like the changes, just modify your script so it always handles
the different settings in php.ini right.


Well, I'm still doing both functions but it doesn't seem to be working
anymore since the upgrade. Specifically the number of bytes passed into
the addslashes() doesn't match the number of bytes returned from the
stripslashes(). The variable after the strip is significantly smaller.
Probably the removed slashes...

Does anyone know what could be causing this, and if there is some sort
of defect with this version of PHP?
No, just read the manual on magic_quotes.
www.php.net

My impression is that it's stripping out slashes it doesn't need to be,
and seeing as how the binary content of an image file is pretty strange
it's possible slashes could be in there as valid characters.


I have no idea, I never study binary representations of images.

Regards,
Erwin Moller
May 15 '06 #2
You shouldn't be using addslashes before putting it into the database. You should
use mysql_escape_string() (or, for later versions of MySQL, the more preferable
mysql_real_escape_string()) instead.

Then you don't need to call stripslashes() afterwards.

And the change may be that they set magic_quotes_gpc to off, either by a change
in the default or by changing the php.ini file.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
May 15 '06 #3
Thanks guys. If anything you're giving me options to prove it was a
config change and that I'm not completely crazy (although I suppose that
has yet to be proven).

As for mysql_escape_string, is that a MySQL function or PHP? Hmm, I
suppose I could look it up, nm.

I'll check into that.

May 15 '06 #4

Areric,

It's a MySQL function to format strings to be able to place them into a MySQL
database. If you're running a fairly recent release of MySQL (I don't remember
exactly when it became available), mysql_real_escape_string() is preferable
because it takes into account the current character set being used by MySQL.

When working with a database, it's almost always better to use database
functions such as this vs. generic PHP functions.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
May 15 '06 #5
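A worked version of what Erwin's reply (check magic_quotes) and Jerry's replies (escape once with the MySQL function, drop stripslashes) describe, added here as an example and not code from the thread. It models MySQL's literal parsing with stripslashes() so the byte counts can be reproduced without a server; mysqli_real_escape_string() as the current name of mysql_real_escape_string(), the `images` table and the `$link` handle are assumptions.

```php
<?php
// Added example, not code from the thread. It models the poster's round trip on
// a constructed byte string so it runs with no database, then shows the
// escape-once pipeline the replies recommend.
// Constructed "image" bytes: a backslash, a quote, a NUL and a '0', all of
// which occur legitimately inside binary files.
$image = "\xFF\xD8\x5C\x27\x00\x5C\x30\xD9";

// Request side: with magic_quotes_gpc on, PHP has already run addslashes()
// over GET/POST/COOKIE values; undo that so we hold the bytes actually sent.
function raw_request_value($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// MySQL's string-literal parser removes the escaping addslashes() adds, so the
// bytes stored in the column are the original ones. stripslashes() mirrors
// that parser for \\, \', \" and \0, which is all addslashes() produces.
function mysql_store_simulated($escaped_literal) {
    return stripslashes($escaped_literal);
}

// The poster's pipeline: addslashes() before INSERT, stripslashes() after
// SELECT. The second stripslashes() runs on raw bytes, so every 0x5C in the
// image is consumed and the following byte is rewritten. The result shrinks.
function broken_roundtrip($bytes) {
    $stored = mysql_store_simulated(addslashes($bytes));
    return stripslashes($stored);
}

// The recommended pipeline: escape exactly once, store, and use what comes
// back untouched. addslashes() stands in here only because there is no
// connection; with one, use image_insert_sql() below instead.
function fixed_roundtrip($bytes) {
    return mysql_store_simulated(addslashes($bytes));
}

// With a live connection, escape with mysqli_real_escape_string(), the mysqli
// form of the mysql_real_escape_string() the replies recommend; it honours the
// connection's character set. $link is assumed to be an open mysqli link.
function image_insert_sql($link, $bytes) {
    $escaped = mysqli_real_escape_string($link, $bytes);
    return "INSERT INTO images (data) VALUES ('" . $escaped . "')";
}

printf("original %d bytes, broken %d bytes, fixed %d bytes\n",
    strlen($image), strlen(broken_roundtrip($image)), strlen(fixed_roundtrip($image)));
```

The broken pipeline returns fewer bytes than it was given because a backslash followed by a quote or a '0' inside the image is treated as an escape sequence, which is exactly the shrinkage the first post reports.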
