addslashes

Is PHP's addslashes vulnerable to sql injection attack? [duplicate]

你。 提交于 2019-11-29 10:59:15
Possible Duplicate: What does mysql_real_escape_string() do that addslashes() doesn't? I have been reviewing articles on how/why PHP's addslashes function is vulnerable to sql injection. Everything I have read says there are problems with specific mysql encoding types (default-character-set=GBK), or there are problems if magic_quotes are enabled. However, I have been unable break out of the addslashes() function in this scenario and do something malicious - such as login as an administrator. $user = addslashes($_POST['user']); $pass = sha1($_POST['pass']); $sql = "SELECT * FROM admins WHERE

how to prevent database to add slash to quotes

六眼飞鱼酱① 提交于 2019-11-29 09:31:25
问题 i know this sounds really common and so trivial but , am having a challenge here. I have a web site with Zend/Doctrine and i use ckeditor for the backend management. after uploading the site i've realized that during edit testing the look and feel of the site is messed up. with the help of firebug, i've seen that there are slashes all over the html. after inline edition, the look and feel came back to normal. There are so many files , i can't think of doing other decoding before outputting

Htmlentities vs addslashes vs mysqli_real_escape_string

断了今生、忘了曾经 提交于 2019-11-29 07:02:16
I've been doing some reading on securing PHP applications, and it seems to me that mysqli_real_escape_string is the correct function to use when inserting data into MySQL tables because addslashes can cause some weird things to happen for a smart attacker. Right? However, there is one thing that is confusing me. I seem to remember being advised addslashes is better than htmlentities when echoing user-entered data back to users to protect their data, but it seems like addslashes is the one with the vulnerability. Is this true, or am I remembering incorrectly? There are different contexts for

php 防注入的一些总结

天涯浪子 提交于 2019-11-29 06:11:19
一、几个与特殊字符处理有关的PHP函数 函数名 释义 介绍 htmlspecialchars 将与、单双引号、大于和小于号化成HTML格式 &转成& "转成" ' 转成' <转成< >转成> htmlentities() 所有字符都转成HTML格式 除上面htmlspecialchars字符外,还包括双字节字符显示成编码等。 addslashes 单双引号、反斜线及NULL加上反斜线转义 被改的字符包括单引号 (')、双引号 (")、反斜线 backslash (\) 以及空字符NULL。 stripslashes 去掉反斜线字符 去掉字符串中的反斜线字符。若是连续二个反斜线,则去掉一个,留下一个。若只有一个反斜线,就直接去掉。 quotemeta 加入引用符号 将字符串中含有 . \\ + * ? [ ^ ] ( $ ) 等字符的前面加入反斜线 "\" 符号。 nl2br() 将换行字符转成<br> strip_tags 去掉HTML及PHP标记 去掉字符串中任何 HTML标记和PHP标记,包括标记封堵之间的内容。注意如果字符串HTML及PHP标签存在错误,也会返回错误。 mysql_real_escape_string 转义SQL字符串中的特殊字符 转义 \x00 \n \r 空格 \ ' " \x1a,针对多字节字符处理很有效。mysql_real_escape

What's the difference between PHP's addslashes and mysql(i)_escape_string? [duplicate]

不想你离开。 提交于 2019-11-29 02:31:33
Possible Duplicate: mysql_real_escape_string VS addslashes If they don't do exactly the same, what's the difference? The delimiter for values inside a MySQL query is the ' isn't it? Or maybe the " but that's also escaped with addslashes. In other database engines I understand (and definitely inside a db wrapper like PDO), but why are so many people so adament on using mysql(i)_escape_string instead of addslashes? Jon First of all: do not use mysql_escape_string , it is deprecated (for a reason)! If you have to support a legacy application that connects to the database through the mysql

How to escape string from PHP for javascript?

强颜欢笑 提交于 2019-11-28 10:59:43
lets imagine a form editor, it can edit available values. If the data contains " character (double quote) it "destroys" HTML code. I meant, lets check the code: so I generate HTML: onclick="var a = prompt('New value: ', '<?php echo addslashes($rec[$i]); ?>'); if (a != null).... and it results in onclick="var a = prompt('New value: ', 'aaaa\"aaa'); if (a != null) { v.... and this makes JS work impossible, so that it ruins the code. With single qoute ' it works OK. mysql real escape does the same. How to escape any string so that it won't ruin javascript? json_encode looked OK, but I must be

Is PHP's addslashes vulnerable to sql injection attack? [duplicate]

。_饼干妹妹 提交于 2019-11-28 04:22:35
问题 This question already has answers here : Closed 7 years ago . Possible Duplicate: What does mysql_real_escape_string() do that addslashes() doesn't? I have been reviewing articles on how/why PHP's addslashes function is vulnerable to sql injection. Everything I have read says there are problems with specific mysql encoding types (default-character-set=GBK), or there are problems if magic_quotes are enabled. However, I have been unable break out of the addslashes() function in this scenario

Escape double quotes with variable inside HTML echo [duplicate]

假装没事ソ 提交于 2019-11-28 01:47:19
This question already has an answer here: Single and double quotes together as HTML attribute value? 2 answers For a variable inside a echo that contains HTML, where would I add slashes to escape the double quotes? Example: echo "<input type=\"hidden\" name=\"id\" value=".$row['id']." />"; This part: value=".$row['id']." Ja͢ck Some tips on outputting HTML with PHP: Use single quotes so that you don't have to escape the double quotes (when using echo), Use htmlspecialchars() to properly escape any "rogue" values you may have. Example using echo : echo '<input type="hidden" name="id" value="',

What's the difference between PHP's addslashes and mysql(i)_escape_string? [duplicate]

隐身守侯 提交于 2019-11-27 16:51:16
问题 Possible Duplicate: mysql_real_escape_string VS addslashes If they don't do exactly the same, what's the difference? The delimiter for values inside a MySQL query is the ' isn't it? Or maybe the " but that's also escaped with addslashes. In other database engines I understand (and definitely inside a db wrapper like PDO), but why are so many people so adament on using mysql(i)_escape_string instead of addslashes? 回答1: First of all: do not use mysql_escape_string , it is deprecated (for a

Escape double quotes with variable inside HTML echo [duplicate]

时光总嘲笑我的痴心妄想 提交于 2019-11-27 04:49:11
问题 This question already has an answer here: Single and double quotes together as HTML attribute value? 2 answers For a variable inside a echo that contains HTML, where would I add slashes to escape the double quotes? Example: echo "<input type=\"hidden\" name=\"id\" value=".$row['id']." />"; This part: value=".$row['id']." 回答1: Some tips on outputting HTML with PHP: Use single quotes so that you don't have to escape the double quotes (when using echo), Use htmlspecialchars() to properly escape