I have no slashes in my DB data even though I escaped while inserting! What's wrong?

poisa

Im using mysql_real_escape_string() to add slashes before I insert data into my MySQL database. The data gets escaped correctly (I even check this with a couple of echo statements before and after the escaping function.

On another page, when I retrieve the info from the DB the slashes are gone. Basically what I have right now, is a fully working site without a single strpslashes() call and plenty of mysql_real_escape_string() calls.
I think that there might be something wrong. What could it be?

I tried these scripts in two servers:
PHP 4.3.2 with Zend Optimizer, and 4.3.4 without
MySQL versions 3.23.56, and 5.0.1-alpha

These settings on both servers:
magic_quotes_gpc Off

magic_quotes_runtime Off
magic_quotes_sybase Off

laserlight

On another page, when I retrieve the info from the DB the slashes are gone. Basically what I have right now, is a fully working site without a single strpslashes() call and plenty of mysql_real_escape_string() calls.
I think that there might be something wrong. What could it be?

Well, one way of looking at it is that the database server stripped the backslashes when parsing the query, much like PHP would strip the backslashes of escaped sequences in a string.

e.g.

$str = 'poisa\'s database';
echo $str;

Would output
poisa's database
not
poisa\'s database

So there is nothing wrong with the data.

poisa

Originally posted by laserlight
Well, one way of looking at it is that the database server stripped the backslashes when parsing the query, much like PHP would strip the backslashes of escaped sequences in a string.

So what you are saying is that the data inside the db is actually not escaped?

Until I quoted your message I though you were crazy. The slashes you included in your post didn't come out! Once I quoted your message I understood what you were talking about.

So, if I use addslashes() I would have to use stripslashes() to get the original data back, as opposed to mysql_real_escape_string() where the slashes never really get to the db? Is that it?

laserlight

So what you are saying is that the data inside the db is actually not escaped?

Yes, but it shouldnt matter since the effects of SQL injection occur at the point where the query is processed, not after the data is stored.
The effect of malicious code injection occur after the data is retrieved, when it is output to the user, evaluated by PHP etc.

The slashes you included in your post didn't come out!

I think it's the bug in the forum parser related to why regex expressions get messed up.

So, if I use addslashes() I would have to use stripslashes() to get the original data back, as opposed to mysql_real_escape_string() where the slashes never really get to the db? Is that it?

No, the effect is the same.
Well, at least for mysql, in another RDMS you might have to say, double the single quotes to escape them instead.

poisa

Cool. Thanks for sheding some light on the matter...