
addslashes for database sanitization


Mr_Cheese

For those of you that may use addslashes() in PHP to sanitize user input before it is entered into the database... I may have some interesting news for you.

Many use addslashes to make sure values can be added safely into a database.

Some of you may not be aware that addslashes isn't "secure". Many developers prefer mysql_escape_string() instead, as this is a much more effective and secure way of sanitizing data.

The other day a couple of our clients had problems saving information. This was due to them using an old system that used addslashes() to enter information into the database.

I know that upside down question marks escape addslashes() but was unaware of other characters that may do so.

We discovered that some characters produced by Microsoft Word 2008 actually escaped addslashes as well. One of the characters was the comma. This is because Microsoft Word 2008 uses a special character for commas instead of the standard , - Microsoft Word does this because the special character they use looks 0.1% better than the standard comma.

The client was simply copying/pasting information from Word into a textbox, which thus tried entering the special character into the database.

And as you probably know, if you can escape addslashes(), it means you can SQL Inject.

So a lesson learnt... definitely use mysql_escape_string instead of addslashes. mysql_escape_string was able to sanitize the special characters.

Thought this was worth mentioning in case others were only aware of the upside down ? exploit; you now have other characters to play around with.

Useful links:
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
http://uk3.php.net/addslashes
http://uk3.php.net/mysql_escape_string
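
The mechanism behind the "upside down question mark" case, as an added example that is not code from the post or from PHP itself. The character ¿ is byte 0xBF in Latin-1, and 0xBF is also a valid lead byte of a two-byte character in multibyte charsets such as GBK. addslashes() works byte by byte and knows nothing about the connection charset, so when it puts a backslash (0x5C) after that byte, a GBK-decoding server reads 0xBF 0x5C as one ordinary character and the attacker's quote is left bare. The block emulates addslashes() in Python, parses the resulting literal the way MySQL does (backslash escapes the next character, a bare quote closes the literal), and contrasts it with an escaper that decodes in the connection charset first, which is what a charset-aware function has to do. The function names, the GBK connection charset and the `name = '...'` query are assumptions made for the demo; the payload is constructed.

```python
"""Added example, not from the thread: why byte-wise addslashes() fails on a
multibyte connection charset (GBK assumed here), and what a charset-aware
escaper does differently. All inputs below are constructed for the demo."""


def addslashes(data: bytes) -> bytes:
    """Byte-wise emulation of PHP's addslashes(): backslash before ' " \\ and NUL.
    It never consults the connection charset, which is the weakness shown below."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):        # ' " \
            out += b"\\" + bytes([b])
        elif b == 0x00:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


def charset_aware_escape(data: bytes, charset: str):
    """Escape at the character level, as a charset-aware escaper must
    (mysql_real_escape_string with the connection's real charset set).
    Returns None when the bytes are not valid in that charset, so a stray
    lead byte can never absorb the backslash we add."""
    try:
        text = data.decode(charset)        # strict: invalid sequences are rejected
    except UnicodeDecodeError:
        return None
    escaped = "".join(
        "\\" + c if c in "'\"\\" else ("\\0" if c == "\0" else c) for c in text
    )
    return escaped.encode(charset)


def build_query(escaped_name: bytes) -> bytes:
    """Hypothetical vulnerable query: the escaped value is dropped into a literal."""
    return b"SELECT * FROM users WHERE name = '" + escaped_name + b"'"


def parse_literal(query: str, start: int):
    """Scan a single-quoted MySQL literal starting just after its opening quote:
    backslash escapes the next character, a bare ' closes the literal.
    Returns (literal_text, sql_remaining_after_closing_quote)."""
    buf, i = [], start
    while i < len(query):
        c = query[i]
        if c == "\\" and i + 1 < len(query):
            buf.append(query[i + 1])
            i += 2
        elif c == "'":
            return "".join(buf), query[i + 1:]
        else:
            buf.append(c)
            i += 1
    raise ValueError("unterminated literal")


def sql_after_literal(user_input: bytes, charset: str) -> str:
    """Run user_input through addslashes(), decode the whole query as a server
    using `charset` would, and return whatever SQL follows the closing quote
    of the name literal. An empty string means the escaping held; anything
    else is attacker-controlled SQL that escaped the literal."""
    query = build_query(addslashes(user_input)).decode(charset, errors="replace")
    _, rest = parse_literal(query, query.index("'") + 1)
    return rest


if __name__ == "__main__":
    # Constructed payload: Latin-1 ¿ (0xBF) immediately followed by a quote.
    payload = b"\xbf' OR 1=1 -- "
    for cs in ("latin-1", "gbk"):
        print(f"{cs:8} SQL after literal: {sql_after_literal(payload, cs)!r}")
    # ''  for latin-1 (escape held), " OR 1=1 -- '" for gbk (injection).
    print("charset-aware escape under gbk:", charset_aware_escape(payload, "gbk"))
    # None: 0xBF followed by 0x27 is not a valid GBK sequence, so it is rejected.
```

Under latin-1 the backslash lands in front of the quote and the literal closes where intended; under GBK the same bytes decode to one CJK character plus a bare quote, and `OR 1=1` becomes part of the query. The charset-aware escaper refuses the input outright because 0xBF 0x27 is not a valid GBK sequence. The more robust fix in PHP is not a better escaper at all but prepared statements (PDO or mysqli), which send the value separately from the SQL text so no quoting in the data can change the statement.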


ghost

Interesting post Mr_Cheese, thanks for sharing the info.


Uber0n
Member

Whoa :o now I have something to play with on my own server tonight ^^

Thanks a lot, Cheese!


korg
Admin from hell

Nice update Cheese, something to check and watch out for. Thanks.


ghost

mysql_escape_string or mysql_real_escape_string are definitely the better way to go. They add slashes to a wider range of characters. In the way of stripping \n and \r, they can also prevent things such as CRLF injection, and probably other things too.