add/strip slashes confusion

Posted by Gonzalo Serrano
Number of replies: 7
Hi there,

I'm having some problems understanding when to use or not use the addslashes() and stripslashes() functions.

For example, in http://docs.moodle.org/en/Development:Coding , point 15, it says:

Incoming data from the browser (sent via GET or POST) automatically has magic_quotes applied (regardless of the PHP settings) so that you can safely insert it straight into the database. All other raw data (from files, or from databases) must be escaped with addslashes() before inserting it into the database. Because this is so often done incorrectly, there is more explanation on this issue of adding and stripping slashes on a separate page.

In that separate page ( http://docs.moodle.org/en/Developer:Slashes ) it says something like:

Neither stripslashes() nor addslashes() should be used when going from User Input to the Database or from the Database to Screen Output (black arrows) but stripslashes() should be used when displaying user input on the screen (red arrow) and addslashes() should be used when reinserting data in to the database that came from the database (blue arrow). These last two are rare, so the use of addslashes and stripslashes should be rare.

Since 99% of the code I'm touching deals with UserInput (optional_param() etc.) «» DataBase (Moodle's DB API), does this mean I never need to use addslashes() and stripslashes() in my code?

For example, I'm getting via GET a string called a'a"a which I need to store in a DDBB field of a certain table, and I believe the right thing to do is to store it as a\'a\"a to avoid security attacks (SQL injections and stuff). Is this right?

So, for this I use a form and urlencode() to get the value from the user, and then I understand that the browser decodes it automatically (so I never need to use urldecode()). After that I use optional_param() to capture that value, which I store in a variable, and finally I insert it into the DDBB with the insert_record() Moodle function from dmllib.php. The other way around, I use something that calls get_record_select() to read that value from the DDBB.

In this "workflow" (huh) I don't know if I should use addslashes() before saving to the DDBB and stripslashes() after reading from the DDBB.

Excuse my English, and thanks.

In reply to Gonzalo Serrano

Re: add/strip slashes confusion

Posted by sam marshall
First, I personally think the Moodle situation with (and treatment of) slashes is confusing and more or less the opposite of what ought to happen. It attempts to achieve security when people don't know what they're doing, but I think it does so at completely the wrong point, and I'm not quite sure that's an achievable goal anyway.

But, although wrong and confusing, the current system is not totally incomprehensible. Here's what happens:

1) When you call optional_param or required_param, the value gets slashes.

2) When you call insert_record or update_record, the value you are putting in MUST have slashes. (note: this also applies to some of the parameters in things like get_record, iirc.)

3) When you call get_record, the values in the object you get out DO NOT have slashes.

I think this means your situation is OK.

The main situation in which this scheme causes problems you might not notice is if you get a record using get_record then use update_record to change it. If you do that you need to add slashes to all the values first! (The other problem situation is if there's a case where you do get_record, but then create it using insert_record if it doesn't exist, and then rely on the values later; when creating it in this case, you need to add slashes before inserting the record but remove them afterward so it's the same as from get_record.)

When developing code it is good practice to test every user-editable input field with a string like the following:

&<'\日本語

This tests HTML escaping, DB escaping, and Unicode input/output. (Of course it isn't just visible user input fields where slashes can be important, but usually in Moodle it's more likely that you accidentally double-slash something than that you fail to add slashes and introduce an SQL injection bug. Maybe that means the crazy system is working! sigh :) )

--sam
In reply to sam marshall

Re: add/strip slashes confusion

Posted by Gonzalo Serrano
Thanks a lot for your explanations, it's much clearer right now :)

Bye
In reply to Gonzalo Serrano

Re: add/strip slashes confusion

Posted by Valery Fremaux

Gonzalo

do take care that PARAM_TEXT and PARAM_CLEANHTML do not have the same behaviour regarding slashes.

VF.

In reply to Valery Fremaux

Re: add/strip slashes confusion

Posted by Gonzalo Serrano
Thanks Valery, I'm already aware of this :)

BTW, I'm confused by something: I'm slashing the data before inserting it into the DDBB, but when I check the DDBB the data content isn't slashed (!).

For example, I've added a print_object($insertSQL) in dmllib.php::insert_record() and it shows me something like:

INSERT INTO m19nw19_wiki_locks ( WIKIID, PAGENAME, LOCKEDBY, LOCKEDSINCE, LOCKEDSEEN, GROUPID, OWNERID ) VALUES ( 8, '0_0_a\'a\'a\'a\'a', 3, 1205144554, 1205144554, 0, 0 )

Where pagename has the single quotes slashed to avoid SQL injection.

Well, when I look at the database with the mysql command line or with phpMyAdmin I don't find those slashes (see attached screenshot).

Is this an expected behaviour?

Thanks
Attachment: resized_slashes.jpg
In reply to Gonzalo Serrano

Re: add/strip slashes confusion

Posted by Iñaki Arenaza

Is this an expected behaviour?

Yes it is. The slashes are needed just to quote the quotes :), so the real content in the db only has the quotes, but not the backslashes.

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: add/strip slashes confusion

Posted by Gonzalo Serrano
Eskerrik asko (which means thanks) Iñaki for answering.

Just a final doubt: you say that this is expected behaviour, but is it the right thing to do?

Thanks a lot, and sorry for asking, but I need to be very sure that what I program is correct.
In reply to Gonzalo Serrano

Re: add/strip slashes confusion

Posted by Iñaki Arenaza

but is it the right thing to do?

Every time you are going to talk to the database, you need to make sure all the values you use in that query are 'slashed'. No matter if you are doing a select, insert or update. Either they are automatically slashed by Moodle if they come from the user, or you have to do it manually in the code.

Those slashes are stripped by the database while it parses the SQL statement (after all they are simply quotes), and never stored in the record. That's why you need to re-slash things if you are using values from a get_record*() function in later calls to database functions, as Sam has told you.

I hope Moodle 2.0 implements prepared statements and we can forget all these pesky details once and for all :)

Saludos. Iñaki.
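The convention Sam lays out (slashed out of optional_param(), slashes required by insert_record()/update_record(), no slashes out of get_record()) and Iñaki's point that the database parser consumes the backslashes, as an added PHP model that is not code from this thread or from Moodle. param_from_browser(), stored_by_db() and record_from_db() are hypothetical stand-ins for the Moodle functions, and MySQL-style backslash escaping in string literals is assumed.

```php
<?php
declare(strict_types=1);
// Added model of the Moodle 1.9 slash convention (not Moodle code). Function
// names are hypothetical stand-ins; MySQL-style backslash escaping is assumed.
// Emulates optional_param()/required_param(): browser input comes out slashed.
function param_from_browser(string $raw): string {
    return addslashes($raw);
}

// Emulates what the engine keeps after parsing a slashed literal: the escape
// backslashes are consumed, never stored. An unescaped quote is rejected, as
// the engine would end the literal there (broken query, or an injection point).
function stored_by_db(string $slashed): string {
    $rest = preg_replace('/\\\\./su', '', $slashed);   // drop every \x escape pair
    if (strpos($rest, "'") !== false) {
        throw new InvalidArgumentException('unescaped quote in SQL literal');
    }
    return stripslashes($slashed);
}

// Emulates get_record(): values come back exactly as stored, without slashes.
function record_from_db(string $stored): string {
    return $stored;
}

function check(string $label, bool $ok): void {
    echo ($ok ? 'PASS' : 'FAIL') . ": $label\n";
}
$raw = "&<'\\日本語";   // Sam's probe: HTML metacharacters, quote, backslash, Unicode
// 1. User input -> DB -> screen: no addslashes()/stripslashes() of your own.
$stored = stored_by_db(param_from_browser($raw));
check('stored value equals what the user typed', $stored === $raw);
$shown = htmlspecialchars(record_from_db($stored), ENT_QUOTES, 'UTF-8');
check('HTML escaping keeps backslash and Unicode', $shown === "&amp;&lt;&#039;\\日本語");

// 2. Double slashing: slashing an already slashed param stores literal backslashes.
$double = stored_by_db(addslashes(param_from_browser($raw)));
check('double slashing corrupts the stored value', $double === addslashes($raw));

// 3. get_record() -> update_record() without re-slashing: the raw quote reaches
//    the SQL literal unescaped. Re-slash the values first, as Sam describes.
$fromdb = record_from_db($stored);
try {
    stored_by_db($fromdb);
    check('unslashed record value reaches the query unescaped', false);
} catch (InvalidArgumentException $e) {
    check('unslashed record value is rejected', true);
}
check('re-slashed record value round-trips', stored_by_db(addslashes($fromdb)) === $raw);
```

With the prepared statements Iñaki hopes for, none of this applies: the value travels separately from the SQL text, so it is neither slashed by the application nor parsed by the engine.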