What is the meaning of stripslashes PHP function?

Suppose you have the following:

<?php

    $connection = mysqli_connect("host", "root", "passwd", "dbname");

    $habits = mysqli_real_escape_string($connection, $_POST['habits']);

?>

Suppose you enter the value "tug o 'war" for a field called "habits". The mysqli_real_escape_string function will then escape the second quote character, so the database engine will not be fooled into thinking that this value is "tug o". Instead, it will know that the value is actually "tug o 'war". My question is: why, then, the stripslashes function? The stripslashes function will simply undo the good work performed by the mysqli_real_escape_string function. Removing the backslash will simply return you to where you were, and the database will again be tricked. Can it be assumed that the stripslashes function is NOT used for database purposes? That is, would this part of the code be completely pointless?:

<?php

    $connection = mysqli_connect("host", "root", "passwd", "dbname");

    $habits = mysqli_real_escape_string($connection, $_POST['habits']);

    $undosomething = stripslashes($habits);   // removes the backslashes that were just added

    echo $undosomething;   // was echo '$undosomething', which prints the variable name, not its value

?>

If stripslashes is NOT used for database purposes, what exactly is it used for?


Manual, stripslashes() , , , . : PHP , . , , , escape- . Stripslashes() , , , PHP: .

PHP, , , ; :

    ... useful when mSQL or Postgres95 support is enabled
    since ... single quote has to be escaped when it is 
    part of [a] ... query ... 

                        (See php.h in PHP/FI [php-2.0.1] )

addlashes(), . O'Reilly O\'Reilly. stripslashes() . stripslashes() , , , , PHP5.3, PHP5.4 (. Manual).

, PHP, . , $_GET, JavaScript, url, :

location.href="next_page.php?name=O%27Riley"; // $_GET['name'] == O\'Riley 

$_GET ['name'] addlashes(), mysqli_real_escape_string(), , :

O\\\'Riley

, . . , :

O\'Riley

stripslashes() , . JavaScript, :

location.href="http://localhost/exp/mydog.php
?content=My%20dog%20doesn\\\\\\\\\\\\\%27t%20
like%20to%20stay%20indoors."

stripslashes(), :

function removeslashes($string)
{
    // Keep stripping until no backslash is left, so several layers of
    // escaping (addslashes applied more than once) are all undone.
    while( strpos( $string, "\\" ) !== FALSE ) {
      $string = stripslashes( $string );
    }
    return $string;
}

$text = htmlentities($_GET['content']);
if (strpos($text,"\\") !== FALSE ) {
    echo removeslashes( $text );
}

: stripslashes() .


. , . JavaScript, , "It's". , $_GET , "". mysqli_real_escape_string() ( ), , . . .


addslashes():

w3schools.com - .
php.net -

stripslashes():

w3schools.com - , addslashes().
php.net -

<?php

  // The apostrophe is what addslashes() escapes; without it the example shows nothing.
  $str = "Who's Peter Griffin?";

  echo $str . " This is original string." . PHP_EOL;

  echo addslashes($str) . " This is addslashes string." . PHP_EOL;

  echo stripslashes(addslashes($str)) . " This is stripslashes string."  . PHP_EOL;

?>


No point in stripslashes().

Some people are used to thinking that this provided them with security, but as you can see, it is not. It should be completely removed from PHP, but it was not.


mysqli_real_escape_string and stripslashes do not protect against SQL injection. Use prepared statements. Sample code:

<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "my_database");
if ($mysqli->connect_errno) {
    echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
}

/* Prepared statement, stage 1: prepare */
if (!($stmt = $mysqli->prepare("INSERT INTO test(id) VALUES (?)"))) {
    echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
}

$id = 1;
if (!$stmt->bind_param("i", $id)) {
    echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error;
}

if (!$stmt->execute()) {
    echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
}
?>
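As an added example (not code from the original question or from any of the answers), the following PHP script shows what stripslashes() actually is, namely the inverse of addslashes(), why calling it after escaping undoes the escaping the question worries about, how the double escaping described in the first answer arises, and the bound-parameter query the last answer recommends instead. The table name habits, the column habit and the connection details are assumptions.

```php
<?php
// Added example, not from the original question or answers. Shows that
// stripslashes() is the exact inverse of addslashes(), how double
// escaping arises, and the bound-parameter alternative for queries.

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed user input from the question: note the single quote.
$habits = "tug o 'war";

// addslashes() puts a backslash before the quote; stripslashes()
// removes it again. It is a decoding step, not a security function.
$escaped = addslashes($habits);                 // tug o \'war
expect($escaped === "tug o \\'war", "addslashes escapes the quote");
expect(stripslashes($escaped) === $habits, "stripslashes undoes addslashes");

// Escaping already-escaped data (magic_quotes_gpc plus an explicit addslashes,
// or a JavaScript layer that added backslashes) stores literal backslashes.
$doubly = addslashes($escaped);                 // tug o \\\'war
expect($doubly === "tug o \\\\\\'war", "second addslashes doubles up");

// Strip every layer, as the removeslashes() idea in the first answer does.
function removeAllSlashes(string $s): string
{
    while (strpos($s, "\\") !== false) {
        $s = stripslashes($s);
    }
    return $s;
}
expect(removeAllSlashes($doubly) === $habits, "all layers removed");

// For the query itself neither function is needed: a bound parameter
// carries the quote as data, so it cannot terminate the SQL literal.
// Table/column names and credentials below are assumptions.
function insertHabit(mysqli $db, string $habit): bool
{
    $stmt = $db->prepare("INSERT INTO habits (habit) VALUES (?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param("s", $habit);
    return $stmt->execute();
}

echo "escaping checks passed", PHP_EOL;
// With a live server: insertHabit(new mysqli("host", "user", "pw", "db"), $habits);
```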

Source: https://habr.com/ru/post/1568988/
