Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
pnclthnmstsh
Regular
Regular


Joined: Oct 23, 2005
Posts: 54
Location: Portland, Or

PostPosted: Sun Sep 24, 2006 4:23 pm Reply with quote

There's a few mods out there that use stripslashes in sections that allow comments and such. I'm pretty much just learning how to write mods myself and have found that stripslashes won't let you use apostropies if the entry is going to a database entry. A good example is EDL...if you use an apostrophe in the description the entire entry won't be saved.

So, to offset this, I have been changing the stripslashes to eregi_replace to allow apostrophies in the entries. I am almost positive this is the wrong way to accomplish what I want. It works but I'm not sure if I've compromised any security.

Thanks for any input on these.

_________________
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website Yahoo Messenger
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Sun Sep 24, 2006 7:53 pm Reply with quote

Do not use stripslashes.. it does not provide any security.

For database entry for apostreophes, use addslashes

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
spottedhog
Regular
Regular


Joined: Jun 02, 2004
Posts: 88

PostPosted: Sun Sep 24, 2006 7:58 pm Reply with quote

Look at the topic about Filtering.... Earlier I posted some code for an Input Filtering system, which is basically what you are needing. This system covers what you are asking.

Database inputs should be filtered and escaped. "Escaped" means that certain characters need to have a backslash added in front of them before being stored in a database.

Changing stripslashes to eregi_replace is one big no-no..... and is really comparing apples to oranges. Those functions have 2 entirely different purposes and uses.

Go to php.net and read about the following:

addslashes
stripslashes
magic_quotes_gpc
mysql_real_escape_string
 
View user's profile Send private message Visit poster's website
pnclthnmstsh
PostPosted: Sun Sep 24, 2006 8:00 pm Reply with quote

Good to know. Thank you Evaders.

The reason I replaced stripslashes tho is because I couldn't find a combination of commands to not have to use a backslash or double apostrophies. So I commented out the stripslashes line and added eregi_replace("/'","" etc etc to get the backslashes in there.

Thanks for the info hog. I'll check out your post.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©