addslashes is the basic for security?

3

I have a site with login system, where there is a forum with comments.

I wondered if the addslashes function would be at least basic to prevent me from malicious code, such as page redirection, sql Injection?

  • It just depends on the context. If it’s to prevent Injection, each DB api/lib has its own way. Normally addslashes should not be used, and that is not the purpose of it.

  • PS: If the answers to the question indicated as a duplicate are not enough, just [edit] yours, adding the context to make it more specific, and leave a comment so that we vote to reopen.

2 answers

6


The function addslashes() is used to escape backslashes, single quotes, among other characters. It is not enough to escape HTML, CSS or Javascript content.

To escape HTML content, use functions such as strip_tags(), which removes tags, or htmlentities() if you want to display HTML code content as text.

Practical example on the 3 functions:

addslashes()

$str = "Is your name O'Reilly?";

// Outputs: Is your name O\'Reilly?
echo addslashes($str);

The function adds the escape character (backslash) for each single quote (quotation mark) found.

Note that in PHP there is a directive magic_quotes_gpc. In versions lower than PHP 5.4, this directive could be enabled, so it is important to check whether it is enabled in these versions of PHP. When magic_quotes_gpc is active, addslashes() is automatically applied to the global variables $_GET, $_POST and $_COOKIE.

strip_tags()

$text = '<p>Test paragraph.</p><!-- Comment --> <a href="#fragment">Other text</a>';
echo strip_tags($text);

The function removes everything that is HTML, including Javascript and CSS tags.

The second function parameter serves to specify exceptions:

$text = 'foo<br>bar';
echo strip_tags($text, '<br>');

This second example removes all HTML tags except the <br> tag.

To prevent SQL injection attacks, prefer functions such as mysqli_real_escape_string(). For more details on the subject, see this link: Is using addslashes against SQL injection safe?

htmlentities

Converts special characters, i.e., non-alphanumeric characters, into HTML entities.

To put it simply, you have probably seen code like a&ccedil;&atilde;o in HTML source before, while the browser page shows ação. These are HTML entities.

The main utility is to allow you to view HTML code without it being interpreted, that is, it will be treated as plain text (text/plain).

Suppose you want to display the HTML code <b>texto</b>. Then you can use HTML entities:

echo htmlentities('<b>texto</b>');

Another common and not recommended use is to display multibyte language characters or even Latin accented characters.

Note: do not confuse HTML entities with URL encoding (urlencode()); they are distinct encodings.

1

In part, yes: addslashes protects against most SQL injection code, but not all. Its only feature is to turn the quote into a literal character by adding a backslash (\).

Apart from these SQL injection commands, there are other, more complex ones that are not done through the forms on your page, which is why, for good security, the use of users and permissions in the database is recommended.

As it is a forum where people can leave comments, it is possible to inject Javascript, with session-theft scripts, comment deletion, among others. If you have more questions, search for "Cross-Site Scripting (XSS)".

These are some of the most common vulnerabilities you will find, yet there are other means of script injection and website hacking. This link contains some known vulnerabilities: See here!
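Pulling the two answers together, as an added example that is not part of either post: the addslashes()-based insert the question asks about, beside a prepared-statement insert (one step beyond the escaping function the first answer names) and output encoding for the comment listing, which is where the second answer's XSS concern lives. It assumes a `comments(author, body)` table and an open mysqli connection `$db`; the function names are illustrative.

```php
<?php
// Added example, not from either answer. Assumes a table
//   comments(id INT AUTO_INCREMENT, author VARCHAR(64), body TEXT)
// and an open mysqli connection $db using a UTF-8 charset.

// 1) What the question proposes: escape with addslashes() and concatenate
//    into the SQL string. Both answers advise against this pattern: the
//    quoting is done by string manipulation, not by the database driver,
//    so the driver never knows which bytes were meant as data.
function saveCommentWithAddslashes(mysqli $db, string $author, string $body): bool
{
    $sql = "INSERT INTO comments (author, body) VALUES ('"
         . addslashes($author) . "', '" . addslashes($body) . "')";
    return $db->query($sql) === true;
}

// 2) Hardened form: a prepared statement. The SQL text is sent first and
//    the values separately, so a quote inside $body can only ever be data.
function saveComment(mysqli $db, string $author, string $body): bool
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $author, $body);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// 3) Output encoding for the forum page. addslashes() does nothing for
//    HTML; htmlspecialchars() turns <, >, &, " and ' into entities so a
//    stored comment is displayed as text rather than parsed as markup.
function renderComment(string $author, string $body): string
{
    $e = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="comment"><b>' . $e($author) . '</b>: '
         . nl2br($e($body)) . '</div>';
}

// Usage with constructed values ($db is assumed to be connected):
//   saveComment($db, "O'Reilly", "<b>hello</b> & goodbye");
//   echo renderComment("O'Reilly", "<b>hello</b> & goodbye");
```

The escaping in (3) belongs at output time, not at storage time: storing the raw comment and encoding it once per rendering context keeps the database content reusable and the HTML correct.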
