Effectiveness of stripslashes against SQL Injection?

php sql database sql-injection stripslashes
Raven Danes picture Raven Danes · Apr 7, 2012 · Viewed 8.5k times · Source

Possible Duplicate:
Best way to defend against mysql injection and cross site scripting
How to include a PHP variable inside a mysql insert statement

I was wondering if anyone had came across the stripslashes statement when getting text from a password field, and if there is any way to do an SQL injection when this is the case?

i.e. in the PHP language you can get text from a password field of a website and pass it through the stripslashes statement to remove any (') so (' OR 1=1 --) becomes (OR 1=1). And makes SQL injections hard to do.

Answer

Quentin picture Quentin · Apr 7, 2012

stripslashes removes slashes (\), which are escape characters, from data, not quotes ('). If anything, it's use will increase the likelihood of an SQL injection vulnerability existing.

To defend against SQL injection use prepared statements and parameterized queries.

Related questions

PHP and MySQL Select a Single Value

I'd like to know how to select a single value from my MySQL table. The table includes columns username and id amongst others (id is auto-increment and username is unique). Given the username, I want to set a session variable $_…

Read More
How to execute raw queries with Laravel 5.1?

So I have this tiny query to run on my DB and it works fine in MySQL Workbench. Basically, a SELECT with LEFT JOIN and UNION with LEFT JOIN again. SELECT cards.id_card, cards.hash_card, cards.`table`, users.…

Read More
Doctrine 2: Update query with query builder

Hi I've got the following query but it doesn't seem to work. $q = $this->em->createQueryBuilder() ->update('models\User', 'u') ->set('u.username', $username) ->set('u.email', $email) ->where('u.…

Read More