02.09.2010, 13:35
stripslashes / database-escaping / addslashes are incorrectly implemented.
When to use addslashes: NEVER
When to use stripslashes: NOT, unless magic_quotes_gpc is turned on. In that case, use the following script to strip all quotes:
When to use database-escaping: ALWAYS, but don't forget to filter / check input first.
This fails completely:
And why would you run another stripslashes on the output from the DB?
Better code:
When to use addslashes: NEVER
When to use stripslashes: NOT, unless magic_quotes_gpc is turned on. In that case, use the following script to strip all quotes:
PHP Code:
function stripslashes_array($array){
return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
}
if(get_magic_quotes_gpc()){
$_COOKIE = stripslashes_array($_COOKIE);
$_GET = stripslashes_array($_GET);
$_POST = stripslashes_array($_POST);
$_REQUEST = stripslashes_array($_REQUEST);
}
When to use database-escaping: ALWAYS, but don't forget to filter / check input first.
This fails completely:
PHP Code:
$memo = stripslashes($_POST['memo']);
$db->query("UPDATE users SET memo='$memo' where id=".$user['id']);
Better code:
PHP Code:
function getPost($name){
return isset($_POST[$name]) && is_string($_POST[$name]) ? return $_POST[$name] : '';
}
$memo = getPost('memo');
$db->query(sprintf('UPDATE users SET memo="%s" WHERE id=%d', $memo, $user['id']));