Location: Brighton, UK
Rank: Uber Elite
For those of you that may use addslashes() in PHP to sanitize user input before it is entered into the database... I may have some interesting news for you.
Many use addslashes to make sure values can be added safely into a database.
Some of you may not be aware that addslashes isn't "secure". Many developers prefer mysql_escape_string() instead, as this is a much more effective and secure way of sanitizing data.
The other day a couple of our clients had problems saving information. This was due to them using an old system that used addslashes() to enter information into the database.
I know that upside-down question marks escape addslashes(), but was unaware of other characters that may do so.
We discovered that some characters produced by Microsoft Word 2008 actually escaped addslashes as well. One of the characters was the comma. This is because Microsoft Word 2008 uses a special character for commas instead of the standard , - Microsoft Word does this because the special character they use looks 0.1% better than the standard comma.
The client was simply copying/pasting information from Word into a textbox, which thus tried entering the special character into the database.
And as you probably know, if you can escape addslashes(), it means you can SQL inject.
So a lesson learnt... definitely use mysql_escape_string instead of addslashes. mysql_escape_string was able to sanitize the special characters.
Thought this was worth mentioning in case others were only aware of the upside-down ? exploit; you now have other characters to play around with.
http://shiflett.o. . .ape-string
http://uk3.php.ne. . .
http://uk3.php.ne. . .ape_string
Edited by Mr_Cheese on 09-05-08 17:13
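The post above names the inverted question mark as a character that gets past addslashes(). The reason is that addslashes() works on bytes with no knowledge of the connection charset: that character is byte 0xBF in Latin-1, and if the server reads the escaped bytes as a multibyte charset such as GBK, 0xBF plus the inserted backslash (0x5C) form one valid two-byte character, leaving the following quote unescaped. The added example below (my code, not from the post or from PHP) ports addslashes() to Python and runs a reviewer's check over its output: decode the escaped bytes as the server would and count quotes that are not actually escaped. The sample input is constructed; `gbk`, `latin-1` and `utf-8` stand for possible connection charsets.

```python
# Added example: why byte-level escaping (PHP addslashes) is unsound under a
# multibyte connection charset, plus a check that detects the problem.
import re

# A quote preceded by a run of backslashes; the run length decides if it is escaped.
QUOTE_RE = re.compile(r"(\\*)(['\"])")


def addslashes(data: bytes) -> bytes:
    """Byte-for-byte port of PHP addslashes(): escape ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\":
            out += b"\\" + bytes([b])
        elif b == 0:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Decode escaped bytes the way a server using `charset` would and count
    quotes that are NOT preceded by an odd number of backslashes. Undecodable
    bytes are replaced, which is the lenient case for the attacker-side view."""
    text = escaped.decode(charset, errors="replace")
    return sum(1 for m in QUOTE_RE.finditer(text) if len(m.group(1)) % 2 == 0)


def is_escaping_sound(raw: bytes, charset: str) -> bool:
    """True when addslashes() output still has every quote escaped after the
    server decodes it under `charset`."""
    return unescaped_quotes(addslashes(raw), charset) == 0


if __name__ == "__main__":
    # Constructed sample: the inverted question mark (0xBF) followed by a quote.
    sample = b"\xbf'"
    for cs in ("latin-1", "utf-8", "gbk"):
        verdict = "sound" if is_escaping_sound(sample, cs) else "UNSAFE"
        print(f"{cs:8} {addslashes(sample)!r} -> {verdict}")
```

Under `latin-1` and `utf-8` the backslash survives and the quote stays escaped; under `gbk` the same bytes decode to one CJK character followed by a bare quote, which is exactly the gap the post describes. Escaping that knows the connection charset (mysql_real_escape_string with the charset set on the connection) or, better, parameterized queries close it.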
Interesting post Mr_Cheese, thanks for sharing the info.
Rank: Hacker Level 3
Whoa, now I have something to play with on my own server tonight ^^
Thanks a lot, Cheese!
http://uber0n.web. . .
Admin from hell
Location: ENDING YOUR ONLINE EXPERIENCE!
Nice update Cheese, something to check and watch out for. Thanks.
I deal in pain, All life I drain, I dominate, I seal your fate.
mysql_escape_string or mysql_real_escape_string are definitely the better way to go. They add slashes to a wider range of characters. By way of stripping \n and \r, it can also prevent things such as CRLF injection, and probably other things too.