Difference between revisions of "StripSlashes"

From GeeklogWiki

Revision as of 13:07, 7 March 2008

When writing a SQL statement, one must be aware that the ' character is the string delimiter.

A common form of attack on websites is called a SQL Injection. In the case of a SQL Injection, the attacker is hoping that a naive programmer has not thought to deal with malicious entry in forms. For example, imagine you need to run the following SQL to check a login:

SELECT uid FROM gl_users WHERE username='someusername' AND password='somepassword'

Suppose you just took the input from a form and did nothing:

$sql = "SELECT uid FROM gl_users WHERE username='$username' AND password='$password'";

A malicious user could enter "someusername" for the username, but enter:

' OR '' = '

for the password, resulting in the following SQL being executed:

SELECT uid FROM gl_users WHERE username='someusername' AND password='' OR '' = ''

This will result in the user being logged in.

This is such a common problem that PHP's "Magic Quotes GPC" option was added to address it.

Slashes are also automatically added to the contents of a GET, POST or COOKIE value if the Magic Quotes GPC flag is set to true on your PHP instance. For example, if you submit a form with the example above, the result would be:

SELECT uid FROM gl_users WHERE username='someusername' AND password='\' OR \'\' = \''

This would result in a failed login.
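The three states described in the walkthrough above (raw interpolation, addslashes before use, and Magic Quotes GPC plus a second addslashes) can be reproduced side by side. The following is an added example, not code from the page or from Geeklog. Magic Quotes GPC no longer exists (it was removed in PHP 5.4), so its effect on request data is simulated with addslashes; the request array is constructed from the username and password used in the walkthrough.

```php
<?php
// Added example, not code from the page or from Geeklog: it builds the login
// query from the walkthrough three ways and returns each string so the effect
// of escaping can be compared. Magic Quotes GPC is simulated (removed in PHP 5.4).

// Raw interpolation, as in the vulnerable $sql line above.
function build_login_sql(string $username, string $password): string
{
    return "SELECT uid FROM gl_users WHERE username='$username' AND password='$password'";
}

// Escaped immediately before use, with PHP's built-in addslashes.
function build_login_sql_escaped(string $username, string $password): string
{
    return build_login_sql(addslashes($username), addslashes($password));
}

// Simulates Magic Quotes GPC: every GET/POST/COOKIE value arrives with its
// quotes and backslashes already slashed.
function simulate_magic_quotes_gpc(array $request): array
{
    return array_map('addslashes', $request);
}

// Constructed request: the username and password from the walkthrough.
$request = ['username' => 'someusername', 'password' => "' OR '' = '"];

// 1. Nothing done: the quote in the password closes the string literal and
//    the OR '' = '' clause becomes part of the WHERE condition.
echo build_login_sql($request['username'], $request['password']), "\n";

// 2. addslashes before use: every quote stays inside the password literal,
//    so the comparison is against the literal text and the login fails.
echo build_login_sql_escaped($request['username'], $request['password']), "\n";

// 3. Magic Quotes GPC already slashed the input and addslashes is applied
//    again: the backslashes themselves get escaped, producing a double-escaped
//    value. This is the state that stripping once, then escaping once, avoids.
$gpc = simulate_magic_quotes_gpc($request);
echo build_login_sql_escaped($gpc['username'], $gpc['password']), "\n";
```

Run it with `php` on the command line; the first two lines printed are the two queries shown above, and the third shows what happens when escaping is applied on top of data that Magic Quotes GPC had already escaped. Note that addslashes on its own is not a complete defence against SQL injection, since it knows nothing about the connection's character set; the current remedy is a prepared statement (PDO or mysqli) rather than string escaping.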

Magic Quotes GPC becomes a problem for well-coded applications: any sensible developer will already have called addslashes to escape values before using them in SQL, and will call stripslashes when retrieving data from the database to restore it to its original form.

stripslashes is a common PHP function used to remove the backslash character from a string. Its companion is addslashes.

addslashes adds slashes to a variable. It does this to escape quotes. So for example if you have a string:

Geeklog's API functions are rich and varied.

After a call to addslashes you will have

Geeklog\'s API functions are rich and varied.

Geeklog has a lot of code. It handles a lot of form posts and database save and load commands. The values fetched from the POST/GET/COOKIE arrays or from the database are passed in and out of numerous functions. Some of these expect non-escaped strings. Others expect escaped strings.

Needless calls to addslashes and stripslashes currently appear to be a common source of bugs.

It's also important to note that Geeklog has a function COM_stripslashes that calls stripslashes on the supplied variable if and only if Magic Quotes GPC is enabled.

Now, when writing code for Geeklog, the following rules should be followed:

  1. When your code deals with a value from $_GET, $_POST or $_COOKIE, immediately load it into an internal variable after calling COM_stripSlashes; this handles the value correctly whether Magic Quotes GPC is on or off.
  2. Immediately before using a value in SQL, addslashes to it.
  3. Immediately after loading a value from SQL, stripslashes on it.

There should never be another need to call addslashes or stripslashes.
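The three rules above, applied to one request-to-database-to-page round trip, as an added example that is not Geeklog's own code. COM_stripslashes_example is modelled on the page's description of COM_stripslashes (strip only when Magic Quotes GPC is on) and is an assumption, not the real function from Geeklog; the Magic Quotes GPC state is passed in as a parameter because the setting no longer exists in current PHP, and the database fetch is simulated following the page's model, in which the value read back still carries the slashes that addslashes put in. The comment text is the string used in the addslashes example above.

```php
<?php
// Added example, not Geeklog's own code: the three rules from the page applied
// to one round trip. COM_stripslashes_example is an assumption modelled on the
// page's description of COM_stripslashes; the real function may differ.

// Rule 1: undo Magic Quotes GPC exactly once, and only when it was on.
function COM_stripslashes_example(string $value, bool $magic_quotes_gpc): string
{
    return $magic_quotes_gpc ? stripslashes($value) : $value;
}

// Rule 2: addslashes immediately before the value goes into SQL, never earlier.
function build_update_sql(string $comment): string
{
    return "UPDATE gl_comments SET comment='" . addslashes($comment) . "' WHERE cid=1";
}

// Rule 3: stripslashes immediately after the value comes back from SQL.
function load_comment(string $fetched): string
{
    return stripslashes($fetched);
}

// Runs the round trip for one request and reports whether the text that
// reaches the page equals what the user typed, i.e. nothing was escaped
// twice or stripped twice. Also shows the query produced if rule 1 is skipped.
function round_trip(string $typed, bool $magic_quotes_gpc): array
{
    // What $_POST['comment'] contains: slashed by PHP if magic quotes is on.
    $posted = $magic_quotes_gpc ? addslashes($typed) : $typed;

    $internal = COM_stripslashes_example($posted, $magic_quotes_gpc); // rule 1
    $sql      = build_update_sql($internal);                           // rule 2

    // Simulated fetch (assumption following the page's model): the value read
    // back still carries the slashes that addslashes added on the way in.
    $fetched = addslashes($internal);
    $shown   = load_comment($fetched);                                  // rule 3

    return [
        'sql'               => $sql,
        'sql_skipping_rule1' => build_update_sql($posted),
        'shown'             => $shown,
        'intact'            => $shown === $typed,
    ];
}

$typed = "Geeklog's API functions are rich and varied.";
foreach ([false, true] as $gpc) {
    $r = round_trip($typed, $gpc);
    printf("magic_quotes_gpc=%s intact=%s\n", $gpc ? 'on' : 'off', $r['intact'] ? 'yes' : 'no');
    printf("  with rule 1:    %s\n", $r['sql']);
    printf("  skipping rule 1: %s\n", $r['sql_skipping_rule1']);
}
```

With the rules followed, the UPDATE statement carries exactly one level of escaping and the comment reaches the page unchanged whether Magic Quotes GPC is on or off; the "skipping rule 1" line shows the double-escaped query that results when addslashes is applied directly to already-slashed request data, which is the needless-call bug the page describes.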