SQL Injections and the stripslashes statement

[RavenDanes]

Hello,
I was wondering if anyone could enlighten me. After writing some simple PHP login script to test my own sql injections and see their inner workings, i came accross the 'stripslashes' statment, As far as i know its main function is to take appostrophies out of a string of text, (say the password typed into a password field) and makes sql injections very hard - i was wondering if anyone knew of a way to get arround this? Or any alternate sql injections.
Many thanks for any repplies. Raven

[scrptnnj]

I believe it's 'magic quotes' that is actually used to remove the apostrophes and prevent sqli, and that 'stripslashes' is usually used in conjunction with magic quotes.(stripslashes gets rid of backslashes)http://www.tizag.com/phpT/php-magic-quotes.php

I like to use the mysql_real_escape_string, rather than magic qoutes.http://www.w3schools.com/php/func_mysql_real_escape_string.asp

As far as getting around these, you might not need an apostrophe. You might be able use something simple like:

Code: Select all

or 1=1

I'm sure that there are other ways to get around them, but I cant think of any.
If you want to learn a little more here is something interestinghttp://stackoverflow.com/questions/110575/do-htmlspecialchars-and-mysql-real-escape-string-keep-my-php-code-safe-from-inje

Random security tips:

-Encrypt your passwords

Code: Select all

$passwd = md5($_POST['passwd']);


-Validate Input(with PHP NOT javascript)
example: if the input is something like an id and it should be a number make sure it is

Code: Select all

if (is_numeric($id)){ }


Use multiple safeguards

Code: Select all

$username = $_POST['username'];
$passwd = $_POST['passwd'];
$username = mysql_real_escape_string($username);
$passwd = mysql_real_escape_string($passwd);
$passwd = md5($passwd);
if (strlen($username <= 10)) { }