vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)
-   -   SQL Injection Qs (https://vborg.vbsupport.ru/showthread.php?t=80217)

Adrian Schneider 04-20-2005 01:31 AM

SQL Injection Qs
 
How do you strip non alphanumeric characters from a string? I noticed people suggesting globalize() then setting each variable's type to STR or INT, etc. Does the STR do that (I noticed it uses trim)?

How does using trim compare with addslashes or the built-in mysql commands?

Thanks

filburt1 04-20-2005 02:07 AM

Have you read the relevant manual pages for trim() and addslashes()?

Adrian Schneider 04-20-2005 03:08 AM

Yes, read both of them.

PHP Code:

<?php
$input = "'a'";
$output = addslashes($input); // backslash-escapes the quotes
echo $output;
?>

Produces \'a\'

and

PHP Code:

<?php
$input = "'a'";
$output = trim($input); // only removes leading/trailing whitespace
echo $output;
?>

produces 'a'

How would I just show the a?

Guest190829 04-20-2005 03:49 AM

I think you would use stripslashes() when accessing the information with whatever query. I'm still learning too though.

Marco van Herwaarden 04-20-2005 06:03 AM

If you want to REMOVE all quotes, you would have to use a str_replace or preg_replace.

If you just want to create a version of your string that is safe to insert into SQL, use addslashes to store, and if needed stripslashes later to retrieve the original string (vB does stripslashes automatically in some cases).

Revan 04-20-2005 09:30 AM

Or use mysql_real_escape_string() instead of addslashes.
I am writing a script for my site which is not vB powered, and it automatically strips the slashes from the mysql_real_escape_string()'d result.

Dean C 04-20-2005 12:06 PM

Yep mysql_real_escape_string should be used instead of addslashes :) To strip non-alphanumeric characters you would use something like this:

PHP Code:

// collapse every run of non-alphanumeric characters to nothing
$string = preg_replace('/[^A-Za-z0-9]+/', '', $string);
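
The three approaches discussed above (escaping the value, stripping it down to an allowlist of characters, and the one the thread does not mention, binding it as a parameter) behave very differently against the same hostile input. The following is an added example, not code from the thread or from vBulletin; it uses PDO with an in-memory SQLite database so it runs offline on PHP 7 or later with the pdo_sqlite extension (the mysql_* functions from the thread were removed in PHP 7). The table, the rows and the attacker string are constructed for illustration, and the function names are mine.

```php
<?php
// Added example: vulnerable concatenation vs escaping vs prepared statements vs allowlisting.
// Assumes PHP >= 7 with pdo_sqlite. Sample data and attacker input are constructed.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $db->exec("INSERT INTO user (username, password) VALUES ('admin', 'secret'), ('bob', 'hunter2')");
    return $db;
}

// 1. The bug: untrusted values are pasted straight into the SQL text.
function loginVulnerable(PDO $db, string $username, string $password): array {
    $sql = "SELECT username FROM user WHERE username = '$username' AND password = '$password'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Escaping the value. This is what addslashes()/mysql_real_escape_string() do for MySQL;
//    PDO::quote() uses the driver's own rules (SQLite doubles single quotes) and also
//    adds the surrounding quotes, so the SQL string must not add them again.
function loginEscaped(PDO $db, string $username, string $password): array {
    $u = $db->quote($username);
    $p = $db->quote($password);
    $sql = "SELECT username FROM user WHERE username = $u AND password = $p";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Prepared statement: the values never become part of the SQL text at all,
//    so no escaping rule has to be right for this to be safe.
function loginPrepared(PDO $db, string $username, string $password): array {
    $stmt = $db->prepare('SELECT username FROM user WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 4. Allowlist (Dean C's regex). This REMOVES characters rather than escaping them,
//    so it changes the data; it fits things like a sort-column name that may only ever
//    be alphanumeric, not free-text values such as a password.
function alnumOnly(string $s): string {
    return preg_replace('/[^A-Za-z0-9]+/', '', $s);
}

$db = setupDb();
$attack = "' OR '1'='1";   // constructed attacker input in place of a password

// The vulnerable query turns into ... AND password = '' OR '1'='1', which is true for
// every row; the escaped and prepared versions compare against the literal attack string.
var_dump(loginVulnerable($db, 'admin', $attack));
var_dump(loginEscaped($db, 'admin', $attack));
var_dump(loginPrepared($db, 'admin', $attack));
var_dump(alnumOnly($attack));
```

Running it shows the vulnerable query returning every username in the table while the escaped and prepared versions return nothing, and the allowlist version returns only the letters and digits of the attack string. On a real MySQL connection the equivalent of case 2 is mysqli_real_escape_string() after mysqli_set_charset(), and case 3 is mysqli or PDO prepared statements.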


Marco van Herwaarden 04-20-2005 01:11 PM

I still have not found a good reason to prefer mysql_real_escape_string above the defacto standard in vB scripts addslashes.

filburt1 04-20-2005 01:46 PM

You should probably avoid using it as vB is designed (mostly) so that the database layer is below the application layer. Rephrased, it is not coded to be used just with MySQL through the use of the database wrapper class which can be modified to use any other supporting SQL-capable database.

It seems to escape more than quotes, but I thought it was only quotes that caused the problem. For example, it also escapes newlines for some reason. But, they wrote a full page on SQL injection at http://us4.php.net/manual/en/securit...-injection.php .
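
The reason to prefer mysql_real_escape_string() over addslashes(), which the previous two posts circle around, is that addslashes() works byte by byte with no idea of the connection's character set, whereas mysql_real_escape_string() escapes according to the charset of the open connection (and, per the PHP manual, also escapes NUL, \n, \r, \x1a and double quotes). On a multibyte charset such as GBK a single byte in the 0x81-0xFE range starts a two-byte character, so the backslash that addslashes() inserts can be swallowed as the second half of a character, leaving the quote bare. The following is an added example, not code from the thread or from vBulletin: it models only the GBK lead-byte rule (trail-byte rules are omitted) in a small scanner of my own to show how the same escaped bytes read differently; the attacker input is constructed and the function name is mine.

```php
<?php
// Added example: why byte-wise escaping (addslashes) fails on a multibyte connection.
// Assumes PHP >= 7; no database needed. The multibyte rule below is a simplification of
// GBK (lead bytes 0x81-0xFE) used only to show the mismatch; input is constructed.

/**
 * Count single quotes that are not escaped by a preceding backslash.
 * $multibyte = false scans byte by byte, the way addslashes() assumes the server will.
 * $multibyte = true treats any byte in 0x81-0xFE as a lead byte and swallows the
 * following byte as the trail byte, the way a GBK-aware parser would.
 */
function countUnescapedQuotes(string $sql, bool $multibyte): int {
    $count = 0;
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $b = ord($sql[$i]);
        if ($multibyte && $b >= 0x81 && $b <= 0xFE && $i + 1 < $len) {
            $i++;              // lead byte: the next byte is part of this character,
            continue;          // even when that byte is 0x5C, the backslash
        }
        if ($b === 0x5C) {     // backslash escapes whatever byte follows it
            $i++;
            continue;
        }
        if ($b === 0x27) {     // a bare single quote terminates the SQL string literal
            $count++;
        }
    }
    return $count;
}

// Attacker places a lone lead byte directly in front of the quote.
$input   = "\xBF' OR 1=1 -- ";
$escaped = addslashes($input);   // inserts 0x5C between 0xBF and 0x27

echo "input bytes:   " . bin2hex($input) . "\n";
echo "escaped bytes: " . bin2hex($escaped) . "\n";
printf("bare quotes, single-byte view: %d\n", countUnescapedQuotes($escaped, false));
printf("bare quotes, multibyte view:   %d\n", countUnescapedQuotes($escaped, true));

// What the server would see around the value on a GBK connection:
echo "SELECT * FROM user WHERE username = '" . $escaped . "'\n";
```

Seen byte by byte the escaped string has no bare quote, so addslashes() appears to have done its job; seen with the multibyte rule the 0xBF 0x5C pair is one character and the quote that follows is bare, so the attacker's OR 1=1 escapes the string literal. The fix is to let the escaping function know the charset (mysqli_set_charset() followed by mysqli_real_escape_string()) or, better, to bind values with prepared statements so no escaping rule has to be right.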

Marco van Herwaarden 04-20-2005 03:18 PM

Quote:

Originally Posted by filburt1
You should probably avoid using it as vB is designed

You are talking about mysql_real_escape_string I suppose?


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.