Effectiveness of stripslashes against SQL Injection?

Raven Danes picture Raven Danes · Apr 7, 2012 · Viewed 8.5k times · Source

Possible Duplicate:
Best way to defend against mysql injection and cross site scripting
How to include a PHP variable inside a mysql insert statement

I was wondering if anyone had came across the stripslashes statement when getting text from a password field, and if there is any way to do an SQL injection when this is the case?

i.e. in the PHP language you can get text from a password field of a website and pass it through the stripslashes statement to remove any (') so (' OR 1=1 --) becomes (OR 1=1). And makes SQL injections hard to do.

Answer

Quentin picture Quentin · Apr 7, 2012

stripslashes removes slashes (\), which are escape characters, from data, not quotes ('). If anything, it's use will increase the likelihood of an SQL injection vulnerability existing.

To defend against SQL injection use prepared statements and parameterized queries.