[ZendTo] Re: unconditional use of stripslashes, missing backslashes.

Joerg Streibhardt eljoest+lists at googlemail.com
Fri Feb 3 17:37:45 GMT 2012


Hi Julian,

from a security perspective the use of stripslashes is a bad idea.

The magic quotes feature adds these backslashes to escape the "dangerous"
characters (i.e. ') for database use.

Basically it's a weak version of what sqlite_escape_string et al are doing
and stripslashes reverts this.

If the intention is to remove all backslashes, stripslashes is definitely
not the right function. All that's required to defeat it is using two
backslashes for one to remain.

As for the expected need: In our case it'll probably be about every second
drop-off as users will be asked to upload a file in some more or less
arbitrary directory for analysis.

To recap: stripslashes does nothing to improve security; all it does is
decrease security if *_escape_string is forgotten, whether magic_quotes is
on or off.
Additionally it'll garble user input if magic_quotes is off (which is the
default for new installs).

Cheers
Jörg
On 03.02.2012 18:12, "Jules" <Jules at zend.to> wrote:

> How often do people need to put in backslashes? Versus the danger of
> missing an instance of escaping-based injection because of not removing
> them? I would personally prefer to play safe.
>
> If we can *guarantee* that it won't lessen security *at all*, then we
> can not remove all backslashes.
>
> Jules.
>
> On 03/02/2012 16:49, Joerg Streibhardt wrote:
> > Hi Jules
> >
> > my first real user informed me that the backslashes he typed into the
> > message were removed.
> > After looking around for a bit I noticed that most if not all
> > instances of stripslashes are called whether PHP added those "magic
> > quotes" or not.
> >
> > Unfortunately I'm unable to globally enable magic quotes and the
> > manual states that:
> >
> >> This feature has been DEPRECATED as of PHP 5.3.0. Relying on this
> >> feature is highly discouraged.
> >> http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc
> > I've changed the setting locally for ZendTo by adding
> >> php_flag magic_quotes_gpc on
> > in the apache configuration for <Directory /opt/zendto/www/>.
> >
> > I think stripslashes should only be used if get_magic_quotes_gpc()
> > returns true. Removing it altogether is probably not a good idea at
> > this time.
> >
> > What do you think?
> >
> > Cheers
> > Jörg
> >
> > _______________________________________________
> > ZendTo mailing list
> > ZendTo at zend.to
> > http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.Zend.To
>
> Follow me at twitter.com/JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> 'It's okay to live without all the answers' - Charlie Eppes, 2011
> 'All programs have a desire to be useful' - Tron, 1982
> 'That is the land of lost content,
>  I see it shining plain,
>  The happy highways where I went,
>  And cannot come again.' - A.E. Houseman
>
>
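The three points argued in the thread (stripslashes only correctly undoes escaping that was actually added, it is not a "remove all backslashes" function, and the database escaping belongs at the query) can be checked directly. The script below is an added example for this page, not ZendTo's code; it assumes a PHP build with the pdo_sqlite extension, and the sample input is constructed.

```php
<?php
// Added example for this thread; it is not ZendTo's code. Assumes PHP with the
// pdo_sqlite extension. Run as: php magic_quotes_demo.php

// What magic_quotes_gpc did to a submitted value is exactly addslashes().
$typed   = 'C:\\temp\\x\'y';   // the user typed:  C:\temp\x'y
$magic   = addslashes($typed);   // magic quotes on:  PHP hands the script  C:\\temp\\x\'y
$noMagic = $typed;               // magic quotes off (the default): the value arrives verbatim

// 1. Unconditional stripslashes() is only correct when the escaping was added.
var_dump(stripslashes($magic) === $typed);   // bool(true)  - undoes magic quotes
var_dump(stripslashes($noMagic));            // string(9) "C:tempx'y" - user input garbled

// 2. stripslashes() is not "remove all backslashes": one survives from every pair.
var_dump(stripslashes('a\\\\b'));            // input a\\b  -> string(3) "a\b"
var_dump(str_replace('\\', '', 'a\\\\b'));   // input a\\b  -> string(2) "ab" (this removes them all)

// 3. Only undo magic quotes when PHP actually added them.
function undo_magic_quotes(string $value): string
{
    // get_magic_quotes_gpc() exists in PHP 5.x/7.x (deprecated in 7.4) and was
    // removed in PHP 8.0; magic_quotes_gpc itself was removed in PHP 5.4.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// 4. Neither function protects the database. Bind the value at the query and the
//    backslashes and quote round-trip intact, with no escaping step to forget.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE messages (body TEXT)');
$stmt = $db->prepare('INSERT INTO messages (body) VALUES (:body)');
$stmt->execute([':body' => undo_magic_quotes($noMagic)]);
$stored = $db->query('SELECT body FROM messages')->fetchColumn();
var_dump($stored === $typed);                // bool(true)
```

With magic quotes off, step 1 shows the garbling the first user reported (every backslash silently dropped), and step 2 shows why stripslashes cannot serve as a safety net either: a doubled backslash passes through as a single one. Step 4 is the replacement for relying on either stripslashes or *_escape_string; a bound parameter never reaches the SQL parser as text, so the question of whether a slash was added or removed upstream no longer affects the query.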