Difference between revisions of "StripSlashes"

From GeeklogWiki
Line 1: Line 1:
 +
When writing a SQL statement, one must be aware that the ' character is the string delimiter.
 +
 +
A common form of attack on websites is called a SQL Injection. In the case of a SQL Injection, the attacker is hoping that a naive programmer has not thought to deal with malicious entry in forms. For example, imagine you need to run the following SQL to check a login:
 +
 +
SELECT uid FROM gl_users WHERE username='someusername' AND password='somepassword'
 +
 +
Suppose you just took the input from a form and did nothing:
 +
 +
$sql = "SELECT uid FROM gl_users WHERE username='$username' AND password='$password'
 +
 +
A malicious user could enter "someusername" for the username, but enter "' OR '' = '" for the password, resulting in the following SQL being executed:
 +
 +
SELECT uid FROM gl_users WHERE username='someusername' AND password='' OR '' = ''
 +
 +
This will result in the user being logged in.
 +
 +
This is is such a common problem that "Magic Quotes GPC was enabled.
 +
 +
Slashes are also automatically added to the contents of a GET, POST or COOKIE value if the Magic Quotes GPC flag is set to true on your PHP instance. For example, if you submit a form with the example above, the result would be:
 +
 +
SELECT uid FROM gl_users WHERE username='someusername' AND password='\' OR \'\' = \''
 +
 +
Which would result in a failed login.
 +
 +
Magic Quotes GPC becomes a problem when it comes to well coded applications, as any sensible developer will have called addslashes to escape the values prior to using them in SQL, and will use stripslashes on retrieving data from the database to put it back how it was.
 +
 
stripslashes is a common PHP function used to remove the backslash character from a string. It's companion is addslashes.
 
stripslashes is a common PHP function used to remove the backslash character from a string. It's companion is addslashes.
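Review bot: the added line $sql = "SELECT uid FROM gl_users WHERE username='$username' AND password='$password' is missing its closing double quote and semicolon, and the added sentence "This is is such a common problem that "Magic Quotes GPC was enabled." has a doubled "is" and an opening quotation mark that is never closed. The '' sequences in the injected password value and in the two resulting SQL lines are also MediaWiki italics markup, so they vanish when the revision renders (the rendered text below shows password= OR = instead of password='' OR '' = ''); wrap those lines in <nowiki> or <pre> so the example reads as written.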
  
Line 8: Line 34:
  
 
''Geeklog\'s API functions are rich and varied.''
 
''Geeklog\'s API functions are rich and varied.''
 
Slashes are also automatically added to the contents of a GET, POST or COOKIE value if the Magic Quotes GPC flag is set to true on your PHP instance. For example, if you submit a form with the first example above, when you examine the contents of that field server side you will get the second string despite not having done an addslashes in your code. But, '''only if Magic Quotes GPC is enabled on that server'''.
 
 
Now, when saving text into the database we use SQL, the ' character delimits a string within a SQL, so we '''must''' addslashes to a variable (that has not already had an addslashes) before using it in a SQL string. This will mean that if we retrieve a value from the database we're going to need to do a stripslashes to get it back to normal.
 
  
 
Geeklog has a lot of code. It handles a lot of form posts and database save and load commands. The values fetched from the POST/GET/COOKIE arrays or from the database are passed in and out of numerous functions. Some of these expect non-escaped strings. Others expect escaped strings.
 
Geeklog has a lot of code. It handles a lot of form posts and database save and load commands. The values fetched from the POST/GET/COOKIE arrays or from the database are passed in and out of numerous functions. Some of these expect non-escaped strings. Others expect escaped strings.
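Review bot: the removed paragraph beginning "Now, when saving text into the database we use SQL" carried the parenthetical "(that has not already had an addslashes)", which is the page's clearest warning against escaping a value twice; the new introduction only walks through the single-escape case, so that caveat should be carried over into the rules section rather than dropped. The other removed paragraph stressed in bold that the automatic escaping happens "only if Magic Quotes GPC is enabled on that server"; the replacement wording keeps the condition but loses the emphasis, which is worth restoring.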
Line 19: Line 41:
 
It's also important to note that Geeklog has a function COM_stripslashes that calls stripslashes on the suppied variable if and only if Magic Quotes GPC is enabled.
 
It's also important to note that Geeklog has a function COM_stripslashes that calls stripslashes on the suppied variable if and only if Magic Quotes GPC is enabled.
  
I suggest the following guidelines for using these functions:
+
Now, when doing code in geeklog, the following rules should probably be followed:
 
 
## On loading from $_GET, $_POST or $_COOKIE call COM_StripSlashes immediately. This will only do a stripslashes if the Magic Quotes GPC flag is set in the PHP instance. Do
 
  
 +
  1. When your code is to deal with a value from $_GET, $_POST or $_COOKIE immediately load it into an internal variable after calling COM_stripSlashes, this will deal correctly with the value whether or not Magic Quotes GPC is on or off.
 +
  2. Immediately before using a value in SQL, addslashes to it.
 +
  3. Immediately after loading a value from SQL, stripslashes on it.
  
'''work in progress, got called away, sorry'''
+
There should never be another need to call addslashes or stripslashes.
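Review bot: the new rule 1 names the function COM_stripSlashes while the unchanged sentence above it calls it COM_stripslashes; PHP resolves both, but the page should settle on one spelling (that same unchanged sentence also reads "suppied" for "supplied"). Rule 1 is a run-on and should be split after "COM_stripslashes". The replacement lead-in "Now, when doing code in geeklog" reads better as "when writing code for Geeklog". Dropping the "work in progress, got called away, sorry" note and the truncated rule ending in "Do" is correct.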

Revision as of 20:10, 11 January 2007

When writing a SQL statement, one must be aware that the ' character is the string delimiter.

A common form of attack on websites is called a SQL Injection. In the case of a SQL Injection, the attacker is hoping that a naive programmer has not thought to deal with malicious entry in forms. For example, imagine you need to run the following SQL to check a login:

SELECT uid FROM gl_users WHERE username='someusername' AND password='somepassword'

Suppose you just took the input from a form and did nothing:

$sql = "SELECT uid FROM gl_users WHERE username='$username' AND password='$password'";

A malicious user could enter "someusername" for the username, but enter "' OR '' = '" for the password, resulting in the following SQL being executed:

SELECT uid FROM gl_users WHERE username='someusername' AND password='' OR '' = ''

Because '' = '' is always true, the WHERE clause matches every row, and the user is logged in.

This is such a common problem that PHP's "Magic Quotes GPC" setting was enabled to counter it.

Slashes are also automatically added to the contents of a GET, POST or COOKIE value if the Magic Quotes GPC flag is set to true on your PHP instance. For example, if you submit a form with the example above, the result would be:

SELECT uid FROM gl_users WHERE username='someusername' AND password='\' OR \'\' = \''

This results in a failed login: the escaped quotes stay inside the string literal, so the password column is compared against the literal text rather than against an injected condition.

Magic Quotes GPC becomes a problem for well-coded applications, because any sensible developer will already have called addslashes to escape values before using them in SQL, and will call stripslashes when retrieving data from the database to restore it.

stripslashes is a common PHP function used to remove the backslash character from a string. Its companion is addslashes.

addslashes adds backslashes to a string in order to escape quotes. For example, if you have the string:

Geeklog's API functions are rich and varied.

After a call to addslashes you will have

Geeklog\'s API functions are rich and varied.

Geeklog has a lot of code. It handles a lot of form posts and database save and load commands. The values fetched from the POST/GET/COOKIE arrays or from the database are passed in and out of numerous functions. Some of these expect non-escaped strings. Others expect escaped strings.

It currently appears to be a common source of bugs that addslashes and stripslashes are called needlessly.

It's also important to note that Geeklog has a function COM_stripslashes that calls stripslashes on the supplied variable if and only if Magic Quotes GPC is enabled.

Now, when writing code for Geeklog, the following rules should probably be followed:

 1. When your code deals with a value from $_GET, $_POST or $_COOKIE, pass it through COM_stripslashes and load the result into an internal variable immediately. This handles the value correctly whether Magic Quotes GPC is on or off.
 2. Immediately before using a value in SQL, call addslashes on it.
 3. Immediately after loading a value from SQL, call stripslashes on it.

There should never be another need to call addslashes or stripslashes.
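The three rules above as an added, runnable example (my code, not Geeklog's). normalize_gpc() stands in for COM_stripslashes with the Magic Quotes state passed in as a flag, and login_sql() and from_db() are hypothetical helper names chosen for this illustration.

```php
<?php
// Added example, not Geeklog's own code. The magic_quotes_gpc state is
// passed in as a flag so both server configurations run in one script;
// Geeklog's COM_stripslashes behaves like normalize_gpc() but reads the
// flag itself via get_magic_quotes_gpc() (a PHP 5 function).

// Rule 1: undo Magic Quotes GPC at the edge, and only when it is on.
function normalize_gpc($value, $magic_quotes_on) {
    return $magic_quotes_on ? stripslashes($value) : $value;
}

// Rule 2: escape exactly once, immediately before interpolating into SQL.
function login_sql($username, $password) {
    $u = addslashes($username);
    $p = addslashes($password);
    return "SELECT uid FROM gl_users WHERE username='$u' AND password='$p'";
}

// Rule 3: unescape exactly once, immediately after reading a column back.
function from_db($column) {
    return stripslashes($column);
}

// Constructed input: the login payload discussed on the page.
$raw_password = "' OR '' = '";
// With magic_quotes_gpc=On, PHP hands the script this escaped form instead.
$gpc_escaped  = addslashes($raw_password);

// Rule 1 gives the same clean value whichever way the server is configured.
assert(normalize_gpc($raw_password, false) === $raw_password);
assert(normalize_gpc($gpc_escaped, true)   === $raw_password);

// Naive interpolation lets the payload close the string literal ...
$naive = "SELECT uid FROM gl_users WHERE username='someusername' AND password='$raw_password'";
assert($naive === "SELECT uid FROM gl_users WHERE username='someusername' AND password='' OR '' = ''");
// ... while rule 2 keeps every quote of the payload inside the literal.
$safe = login_sql('someusername', $raw_password);
assert($safe === "SELECT uid FROM gl_users WHERE username='someusername' AND password='\\' OR \\'\\' = \\''");

// The bug the page warns about: escaping an already-escaped value (addslashes
// on top of Magic Quotes output) doubles the backslashes and corrupts the data.
$double = addslashes($gpc_escaped);
assert($double !== $gpc_escaped && strpos($double, '\\\\') !== false);

// Rules 2 and 3 are inverses, so one addslashes and one stripslashes round-trip.
$text = "Geeklog's API functions are rich and varied.";
assert(from_db(addslashes($text)) === $text);
```

Run it with a PHP 5 or later CLI; every assert passes silently, and the $naive and $safe strings match the two SQL statements quoted above.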