
Addslashes / Stripslashes

hey all,

I recently got in a bit of a fight with my webhost because he made some
changes to my server. Specifically, they updated PHP without telling me.
They are now running PHP 4.4.1 (not sure what it was before).

Anyway, I mention that because I had a script that uploaded the content of
an image to a DB, then displayed it straight from the DB using gdlib.
Before I store the content of the image I did an addslashes() and
before I displayed it I did a stripslashes().

Now my opinion of those functions is that they are designed to prevent
injection attacks by delimiting commonly used SQL escapes. Seeing as
how it's not too hard to write a SQL script and save it as a .jpg, I
wanted to make sure I prevented this.

Well, I'm still doing both functions but it doesn't seem to be working
anymore since the upgrade. Specifically, the number of bytes passed into
the addslashes() doesn't match the number of bytes returned from the
stripslashes(). The variable after the strip is significantly smaller.

Does anyone know what could be causing this, and if there is some sort
of defect with this version of PHP?

My impression is that it's stripping out slashes it doesn't need to be,
and seeing as how the binary content of an image file is pretty strange
it's possible slashes could be in there as valid characters.

May 15 '06 #1
Areric wrote:
> hey all,
>
> I recently got in a bit of a fight with my webhost because he made some
> changes to my server. Specifically, they updated PHP without telling me.
> They are now running PHP 4.4.1 (not sure what it was before).
>
> Anyway, I mention that because I had a script that uploaded the content of
> an image to a DB, then displayed it straight from the DB using gdlib.
> Before I store the content of the image I did an addslashes() and
> before I displayed it I did a stripslashes().
>
> Now my opinion of those functions is that they are designed to prevent
> injection attacks by delimiting commonly used SQL escapes. Seeing as
> how it's not too hard to write a SQL script and save it as a .jpg, I
> wanted to make sure I prevented this.

Chances are that the hosting company changed php.ini too.
Just check for magic_quotes; you can also access the value using
getmagicquotesgpc() or something named similar to that.

If you don't like the changes, just modify your script so it always handles
the different settings in php.ini correctly.

> Well, I'm still doing both functions but it doesn't seem to be working
> anymore since the upgrade. Specifically, the number of bytes passed into
> the addslashes() doesn't match the number of bytes returned from the
> stripslashes(). The variable after the strip is significantly smaller.

Probably the removed slashes...

> Does anyone know what could be causing this, and if there is some sort
> of defect with this version of PHP?

No, just read the manual on magic_quotes.
www.php.net

> My impression is that it's stripping out slashes it doesn't need to be,
> and seeing as how the binary content of an image file is pretty strange
> it's possible slashes could be in there as valid characters.

I have no idea, I never study binary representations of images.

Regards,
Erwin Moller
May 15 '06 #2
Areric wrote:
> hey all,
>
> I recently got in a bit of a fight with my webhost because he made some
> changes to my server. Specifically, they updated PHP without telling me.
> They are now running PHP 4.4.1 (not sure what it was before).
>
> Anyway, I mention that because I had a script that uploaded the content of
> an image to a DB, then displayed it straight from the DB using gdlib.
> Before I store the content of the image I did an addslashes() and
> before I displayed it I did a stripslashes().
>
> Now my opinion of those functions is that they are designed to prevent
> injection attacks by delimiting commonly used SQL escapes. Seeing as
> how it's not too hard to write a SQL script and save it as a .jpg, I
> wanted to make sure I prevented this.
>
> Well, I'm still doing both functions but it doesn't seem to be working
> anymore since the upgrade. Specifically, the number of bytes passed into
> the addslashes() doesn't match the number of bytes returned from the
> stripslashes(). The variable after the strip is significantly smaller.
>
> Does anyone know what could be causing this, and if there is some sort
> of defect with this version of PHP?
>
> My impression is that it's stripping out slashes it doesn't need to be,
> and seeing as how the binary content of an image file is pretty strange
> it's possible slashes could be in there as valid characters.

You shouldn't be using addslashes before putting it to the database. You should
use mysql_escape_string() (or, for later versions of MySQL, the preferable
mysql_real_escape_string()) instead.

Then you don't need to call stripslashes() afterwards.

And the change may be that they set magic_quotes_gpc to off, either by a change
in the default or by changing the php.ini file.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
May 15 '06 #3
Thanks guys. If anything, you're giving me options to prove it was a
config change and that I'm not completely crazy (although I suppose that
has yet to be proven).

As for mysql_escape_string, is that a MySQL function or PHP? Hmm, I
suppose I could look it up, nm.

I'll check into that.

May 15 '06 #4
Areric wrote:
> Thanks guys. If anything, you're giving me options to prove it was a
> config change and that I'm not completely crazy (although I suppose that
> has yet to be proven).
>
> As for mysql_escape_string, is that a MySQL function or PHP? Hmm, I
> suppose I could look it up, nm.
>
> I'll check into that.


Areric,

It's a MySQL function to format strings to be able to place them into a MySQL
database. If you're running a fairly recent release of MySQL (I don't remember
exactly when it became available), mysql_real_escape_string() is preferable
because it takes into account the current character set being used by MySQL.

When working with a database, it's almost always better to use database
functions such as this vs. generic PHP functions.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
May 15 '06 #5
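As an added Python model (not code from this thread, nor PHP's own source) of the byte handling behind Erwin's magic_quotes hint and Jerry's "then you don't need stripslashes()" advice: it reimplements addslashes()/stripslashes() byte for byte and shows that the round trip only survives when something re-adds slashes on read. That the old server had magic_quotes_runtime=On is an assumption; the sample image bytes are constructed.

```python
def addslashes(data: bytes) -> bytes:
    """PHP addslashes(): backslash before ' " and \\, NUL becomes the two bytes \\0."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):          # ' " \
            out += b"\\" + bytes([b])
        elif b == 0x00:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)

def stripslashes(data: bytes) -> bytes:
    """PHP stripslashes(): drop one backslash, keep the byte after it (\\0 -> NUL)."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == 0x5C:
            if i + 1 < len(data):
                nxt = data[i + 1]
                out.append(0x00 if nxt == 0x30 else nxt)
            i += 2                            # a trailing lone backslash is dropped
        else:
            out.append(data[i])
            i += 1
    return bytes(out)

# Constructed sample: JPEG-like bytes that happen to contain \ ' " and NUL,
# all perfectly ordinary byte values inside image data (12 bytes).
IMAGE = b"\xff\xd8\xff\xe0\x00\\'\\0\"\xff\xd9"

def db_store(escaped: bytes) -> bytes:
    """The SQL parser consumes the escapes, so the row holds the ORIGINAL bytes."""
    return stripslashes(escaped)   # for addslashes() output this is MySQL's unescape

def read_back(stored: bytes, magic_quotes_runtime: bool) -> bytes:
    """What the script receives after SELECT: with magic_quotes_runtime=On PHP
    re-applies addslashes() to data read from the DB (assumed old-server setting)."""
    return addslashes(stored) if magic_quotes_runtime else stored

def original_script(magic_quotes_runtime: bool) -> bytes:
    """The thread's pipeline: addslashes() before INSERT, stripslashes() after SELECT."""
    stored = db_store(addslashes(IMAGE))
    return stripslashes(read_back(stored, magic_quotes_runtime))

def fixed_script() -> bytes:
    """Escape only the SQL literal and never stripslashes() what the DB returns.
    In real code, replace addslashes() with the DB's own escaper or a bound parameter."""
    return db_store(addslashes(IMAGE))
```

With the assumed old setting original_script(True) returns the 12 original bytes; with it off, original_script(False) returns 10 bytes and the '0' after a backslash has silently become a NUL, which is exactly the "significantly smaller" variable described above.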
