security question

earthaflame

I'm somewhat of a newbie, so forgive me if this is a stupid question, but I have begun to use mysql_real_escape_string() to prevent injection attempts. Now, and rightly so, when I echo the output backslashes are added before illegal characters such as ' and ".

My question is can I safely use stripslashes() to get a clean output of my variable. I shouldn't have to worry about mysql injection at this point, but are there any other securtiy worries? I have also begun using htmlspecialchars().

Only trusted users should be creating the data, but I figure better safe than sorry.

Thanks,

earthaflame.

laserlight

My question is can I safely use stripslashes() to get a clean output of my variable.

Not needed at all. More likely you would use things like [man]htmlspecialchars/man or [man]rawurlencode/man, if you use them at all.

earthaflame

htmlspecialchars has no effect, I'll give some more info.

Here is the data before mysql_real_escape_string()

This is a test of the textarea. some extra symbol's can't hurt".

After mysql_real_escape_string()

This is a test of the textarea. some extra symbol\'s can\'t hurt\".

htmlspecialchars() has no effect on the data, but I want it to look like

This is a test of the textarea. some extra symbol's can't hurt".

The data is from a textarea, which should be a description, I am assuming single quotes may be used, but other characters would most likely be typos or attacks.

laserlight

htmlspecialchars has no effect

It depends on what you want to do.

After mysql_real_escape_string()

No, do not test after applying mysql_real_escape_string(). Test after retrieving from the database. The data is not stored in the database in escaped form.

The data is from a textarea, which should be a description, I am assuming single quotes may be used, but other characters would most likely be typos or attacks.

That's why you use mysql_real_escape_string(). If possible, I suggest that you use prepared statements with the PDO extension instead, but unfortunately that is only possible on PHP5.

earthaflame

Ok, I escaped the string, inserted into the database and then I select from the database on another page, echo the data I want, I still have backslashes before quotes. The slashes ARE in my database. On the inital page, I esaped by using

$desc=mysql_real_escape_string($desc);

Then

mysql_query("INSERT INTO school (base, school, desc) VALUES ('$base', '$school', '$desc')";

should I instead

mysql_query("INSERT INTO school (base, school, desc) VALUES ('$base', '$school', mysql_real_escape_string($desc))";

I am only working with $desc until I have everything worked out.

laserlight

The slashes ARE in my database.

That means that magic_quotes_gpc is on. Set it to off in php.ini