Malice from metadata?

dstonek

exif_read_data extracts some metadata info from digital images.
As this data can be manipulated, is it safe to store the data directly into mysql databases?
I think that, just in case, I'll need to use get_magic_quotes_gpc() and addslashes(), like the data that comes from html forms.
Thanks

sneakyimp

If i'm not mistaken, magic quotes only apply to Get, Cookie, and Post. If you are reading data from a digital image, magic quotes would not apply there. Meta data in an image could easily contain quotes or other malicious bits.

You should ALWAYS escape user input of any kind before inserting data into a database. Also, [man]addslashes[/man] isn't completely safe for this purpose because their might be other characters not handled by addslashes that are still considered a quote mark by addslashes. A backquote or other UTF-8 character, for example (`). Instead of addslashes, you should use the escape function provided by any database connection technology. MySQL offers [man]mysql_real_escape_string[/man] for instance. PostGreSQL has [man]pg_escape_string[/man].

dstonek

Thanks for your help.
From php.net contributers this would be a useful function

function preMYSQL($string,$mysql_connection_resource){
	$magic_quotes_active = get_magic_quotes_gpc();
	//undo any magic quote effects so mysql_real_escape_string can do the work
	if ($magic_quotes_active) $string = stripslashes($string);
	$new_string = mysql_real_escape_string($string, $mysql_connection_resource);
	if (empty($new_string) && !empty($string)) die("mysql_real_escape_string failed."); //insert your error handling here
	$string = $new_string;
	return $string;
}