WebApp Sec mailing list archives

Re: SQL injection and PHP/MYSQL


From: "Sverre H. Huseby" <shh () thathost com>
Date: Wed, 10 Sep 2003 23:11:13 +0200

[Brad Fults]

|   After using mysql_escape_string to insert data into the database,
|   is there an equal combination of unescaping one should do when the
|   data is pulled from the database, or is a stripslashes() all that
|   is necessary?

You shouldn't need to do anything when fetching data from the
database.  The slashes are not part of what gets stored in the tables.

Slashes are not added for the database storage itself, but for the SQL
parser in front of it.  When you pass the following SQL string
constant

    'O\'Connor'

to the SQL parser, the parser will scan the string constant (between
the outermost single quotes) character by character and decide what to
do.  When it reaches the backslash, it thinks:

   "Lemme see... the user has passed an escape character.  That means
    I'm not gonna treat the following character as something special,
    but just as a plain character.  Aha!  The next character is a
    single quote!  If it wasn't for that backslash, I would have
    terminated the string right here, but now I know better.  The
    string continues."

The parser understands that what you actually want to store is the
following:

    O'Connor

and that's what is put in the table.  When you read it out, you will
get just that.  If you start to remove slashes, it will be all wrong:
Say that you tell the SQL parser to store

    'C:\\AUTOEXEC.BAT'

What is stored in the database, is

    C:\AUTOEXEC.BAT

If you use stripslashes after reading this value, you will end up with

    C:AUTOEXEC.BAT

which is probably not what you want.


Hope this helps a little bit.

Sverre.

PS: After reading the data from the database, you will probably do
    something with it.  Depending on what you want to do, you may need
    to add some slashes again, or do other metacharacter handling.
    E.g. htmlspecialchars if you want to include the data in a web
    page.

-- 
shh () thathost com
http://shh.thathost.com/
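As an added example, not code from the original post, here is a small Python model of the behaviour Sverre describes: escape_string() plays the part of PHP's mysql_escape_string(), parse_string_literal() plays the part of the SQL parser scanning a single-quoted string constant, and stripslashes() models PHP's stripslashes(). All function names are this example's own, and the set of escaped characters is the usual MySQL one for string literals, which is an assumption here rather than something the post lists.

```python
# Added example (not from the original post): models the round trip
# escape -> SQL parser -> stored value, and what stripslashes() does to
# a stored value that legitimately contains a backslash.

# Characters that get a backslash in front of them inside a MySQL string
# literal (assumption: the common MySQL set; the post does not list it).
ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}
# The inverse mapping the parser applies when it meets a backslash.
UNESCAPES = {escaped[1]: raw for raw, escaped in ESCAPES.items()}


def escape_string(value: str) -> str:
    """Add backslashes before the characters the SQL parser treats specially.
    This is what mysql_escape_string() does: the slashes are for the parser,
    not for the table."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def sql_literal(value: str) -> str:
    """Wrap an escaped value in single quotes, ready to splice into SQL text."""
    return "'" + escape_string(value) + "'"


def parse_string_literal(literal: str) -> str:
    """Scan one single-quoted SQL string constant character by character, as
    the post describes the parser doing. A backslash means 'take the next
    character literally'; the first unescaped single quote ends the string.
    Returns the value that actually lands in the table."""
    if not literal.startswith("'"):
        raise ValueError("expected a single-quoted string literal")
    out = []
    i = 1
    while i < len(literal):
        ch = literal[i]
        if ch == "\\":
            if i + 1 >= len(literal):
                raise ValueError("backslash at end of input")
            nxt = literal[i + 1]
            # A known escape (\n, \0, ...) becomes its control character;
            # any other escaped character is taken as itself.
            out.append(UNESCAPES.get(nxt, nxt))
            i += 2
        elif ch == "'":
            trailing = literal[i + 1:]
            if trailing:
                # The quote closed the string early: whatever follows is no
                # longer data but SQL syntax. This is the injection case the
                # escaping exists to prevent.
                raise ValueError("text after closing quote: %r" % trailing)
            return "".join(out)
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def is_well_formed_literal(literal: str) -> bool:
    """True if the text parses as exactly one string constant and nothing else."""
    try:
        parse_string_literal(literal)
        return True
    except ValueError:
        return False


def stripslashes(value: str) -> str:
    """Model of PHP's stripslashes(): drop each backslash and keep the character
    after it, so a doubled backslash becomes a single one and a backslash that
    was part of the real data simply disappears."""
    out = []
    i = 0
    while i < len(value):
        if value[i] == "\\":
            i += 1                      # drop the backslash ...
            if i < len(value):
                out.append(value[i])    # ... and keep the character after it
        else:
            out.append(value[i])
        i += 1
    return "".join(out)


if __name__ == "__main__":
    for value in ("O'Connor", r"C:\AUTOEXEC.BAT"):
        literal = sql_literal(value)
        stored = parse_string_literal(literal)
        print("SQL text %-22s stores %-18s stripslashes -> %s"
              % (literal, stored, stripslashes(stored)))
```

Running the block shows the two cases from the post: the literal 'O\'Connor' stores O'Connor, and 'C:\\AUTOEXEC.BAT' stores C:\AUTOEXEC.BAT, which stripslashes() then turns into C:AUTOEXEC.BAT. The round trip parse_string_literal(sql_literal(v)) returns v unchanged for any input, which is the reason nothing needs to be undone on read; is_well_formed_literal() also shows why the unescaped "'O'Connor'" is not a single string constant at all.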