<p>Hi Julian,</p>
<p>From a security perspective the use of stripslashes is a bad idea.</p>
<p>The magic quotes feature adds these backslashes to escape the "dangerous" characters (i.e. ') for database use.</p>
<p>Basically it's a weak version of what sqlite_escape_string et al are doing and stripslashes reverts this.</p>
<p>If the intention is to remove all backslashes, stripslashes is definitely not the right function. All that's required to defeat it is using two backslashes for one to remain.</p>
<p>As for the expected need: In our case it'll probably be about every second drop-off as users will be asked to upload a file in some more or less arbitrary directory for analysis.</p>
<p>To recap: stripslashes does nothing to improve security, all it does is decrease security if *_escape_string is forgotten, magic_quotes is either on or off.<br>
Additionally it'll garble user input if magic_quotes is off (which is the default for new installs).</p>
<p>Cheers<br>
Jörg</p>
<div class="gmail_quote">On 03.02.2012 18:12 "Jules" <<a href="mailto:Jules@zend.to">Jules@zend.to</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
How often do people need to put in backslashes? Versus the danger of<br>
missing an instance of escaping-based injection because of not removing<br>
them? I would personally prefer to play safe.<br>
<br>
If we can *guarantee* that it won't lessen security *at all*, then we<br>
can not remove all backslashes.<br>
<br>
Jules.<br>
<br>
On 03/02/2012 16:49, Joerg Streibhardt wrote:<br>
> Hi Jules<br>
><br>
> my first real user informed me that the backslashes he typed into the<br>
> message were removed.<br>
> After looking around for a bit I noticed that most if not all<br>
> instances of stripslashes are called whether PHP added those "magic<br>
> quotes" or not.<br>
><br>
> Unfortunately I'm unable to globally enable magic quotes and the<br>
> manual states that:<br>
><br>
>> This feature has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.<br>
>> <a href="http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc" target="_blank">http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc</a><br>
> I've changed the setting locally for ZendTo by adding<br>
>> php_flag magic_quotes_gpc on<br>
> in the apache-configuration for &lt;Directory /opt/zendto/www/&gt;.<br>
><br>
> I think stripslashes should only be used if get_magic_quotes_gpc()<br>
> returns true. Removing it altogether is probably not a good idea at<br>
> this time.<br>
><br>
> What do you think?<br>
><br>
> Cheers<br>
> Jörg<br>
><br>
> _______________________________________________<br>
> ZendTo mailing list<br>
> <a href="mailto:ZendTo@zend.to">ZendTo@zend.to</a><br>
> <a href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto" target="_blank">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a><br>
<br>
Jules<br>
<br>
--<br>
Julian Field MEng CITP CEng<br>
<a href="http://www.Zend.To" target="_blank">www.Zend.To</a><br>
<br>
Follow me at <a href="http://twitter.com/JulesFM" target="_blank">twitter.com/JulesFM</a><br>
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654<br>
<br>
'It's okay to live without all the answers' - Charlie Eppes, 2011<br>
'All programs have a desire to be useful' - Tron, 1982<br>
'That is the land of lost content,<br>
I see it shining plain,<br>
The happy highways where I went,<br>
And cannot come again.' - A.E. Housman<br>
</blockquote></div>
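<p>As an added illustration (not code from ZendTo or from either message above), the following PHP script shows what Jörg's reply describes: stripslashes() exactly undoes the escaping that magic_quotes_gpc added, garbles input when that feature is off, and leaves one backslash behind for every doubled one, so a bound SQL parameter rather than slash-stripping is what protects the query. The helper names (simulateMagicQuotes, normaliseInput, insertMessage), the sample input and the in-memory SQLite database are assumptions made for this example.</p>

```php
<?php
// Added example; not part of the ZendTo code base or of this thread.

// Reproduce what PHP did to request data with magic_quotes_gpc=On:
// a backslash was inserted before ', ", \ and NUL, exactly as addslashes() does.
function simulateMagicQuotes(string $raw): string {
    return addslashes($raw);
}

// Undo magic quotes only if PHP actually applied them. The feature was removed in
// PHP 5.4 and get_magic_quotes_gpc() in PHP 8, so on current installs this is a no-op.
function normaliseInput(string $value): string {
    $magicOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magicOn ? stripslashes($value) : $value;
}

// Keep user text out of the SQL grammar with a bound parameter; no hand escaping needed.
function insertMessage(PDO $db, string $message): void {
    $stmt = $db->prepare('INSERT INTO messages (body) VALUES (:body)');
    $stmt->execute([':body' => $message]);
}

// Constructed user input containing literal backslashes and an apostrophe.
$typed = 'C:\\temp\\file.txt and O\'Brien';

// Case 1: magic quotes on. stripslashes() is the exact inverse of what PHP added.
$fromRequest = simulateMagicQuotes($typed);
$recovered = stripslashes($fromRequest);
var_dump($recovered === $typed);

// Case 2: magic quotes off (the default). An unconditional stripslashes() eats the
// backslashes the user typed: C:\temp\file.txt becomes C:tempfile.txt.
var_dump(stripslashes($typed));

// stripslashes() is not a "remove all backslashes" function: a doubled backslash
// collapses to a single one instead of disappearing.
var_dump(stripslashes('a\\\\b'));

// End to end against a constructed in-memory database: the stored body equals
// the typed text whenever normaliseInput() matches the server's magic quotes state.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE messages (body TEXT)');
insertMessage($db, normaliseInput($typed));
var_dump($db->query('SELECT body FROM messages')->fetchColumn() === $typed);
```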