I'm using PHP with adodb but have come up against a massive problem. I'm using adodb to speed up development so I can do things like:

$r["Name"] = $_POST['txtName'];

if ($_POST["ID"] != "")
  $conn->AutoExecute("content", $r, 'UPDATE', 'AutoID = ' . $_POST["ID"]);
else
  $conn->AutoExecute("content", $r, 'INSERT');

However, if that name has a single quote in it, it saves into the DB with a slash! So if the name is Testimonial's it will save as Testimonial\'s, which is causing me massive problems. Is there any way I can avoid this but still program like the above, as it's a hell of a lot quicker than preparing insert / update statements?

Cheers

  • It is doing that so you don't end up with a hacked/broken database. My advice is to leave it like that in the DB and fix it on the way out. Commented Nov 24, 2010 at 13:41
  • You probably have magic_quotes enabled. Try phpinfo() to find out whether that is the case Commented Nov 24, 2010 at 13:50
  • @Dampe nope. If slashes actually make it into the database, something is broken Commented Nov 24, 2010 at 14:05
  • @Pekka: I figured this was something ADO was doing. But you are probably right about magic_quotes. Commented Nov 24, 2010 at 14:08

2 Answers

The correct and final solution to this issue is composed of two parts:

  1. Disable all magic_quotes programmatically in your code. This ensures that you have a known configuration to work with, which cannot be broken if/when an admin changes these php.ini settings.
  2. Validate/quote all incoming user input before accessing the database!

While the first part is good programming, the second is absolutely essential to write a secure application!

To quote the user input there are two ways you can go:

  1. Manually (use AdoDB's qstr or Quote), in which case you must be very, very careful not to miss anything. This can be quite doable for small projects; I have gone this way many times in the past.
  2. Use prepared statements with bound variables to make your queries. This ensures that there will never be an SQL injection in your app as long as you specify the variable types correctly, and is way less error prone than the first option. This is what I have been doing for some time now.

Update:

If you go with prepared statements, you may find that AdoDB doesn't buy you that much and you can use PDO for most of the work. When you need something "automagic", you can write a few functions specific to the application yourself. In my experience, that's just a little more work and overall better than including AdoDB.
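The two routes the answer describes, applied to the question's own insert/update, as an added example that is not code from the question or either answer. It assumes `$conn` is an open ADOdb connection and uses the table and column names (`content`, `Name`, `AutoID`) from the question; everything else is illustrative.

```php
<?php
// Added example, not from the question or either answer: the question's
// insert/update with magic_quotes neutralised and input validated before
// it reaches ADOdb. Assumes $conn is an open ADOdb connection and the
// table/columns (content, Name, AutoID) from the question.

// 1. Undo magic_quotes at runtime so input is in a known state.
//    get_magic_quotes_gpc() no longer exists in PHP 8, hence the guard.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $strip = function (&$v) { $v = stripslashes($v); };
    array_walk_recursive($_POST, $strip);
}

// 2. Validate. The id must be an integer (intval, as the answer's comment
//    suggests); the name is length-bounded but kept as typed, apostrophe
//    included: quoting is the database layer's job, not the form handler's.
$id   = (isset($_POST['ID']) && $_POST['ID'] !== '') ? intval($_POST['ID']) : null;
$name = isset($_POST['txtName']) ? (string) $_POST['txtName'] : '';
if ($name === '' || strlen($name) > 255) {
    die('Name must be 1 to 255 characters');
}

// Option A: keep AutoExecute. ADOdb quotes the values in $r itself, so
// "Testimonial's" is stored without a backslash once magic_quotes is gone.
// The WHERE clause is raw SQL text, so only the validated integer goes in,
// never $_POST['ID'] as the question concatenated it.
function saveWithAutoExecute($conn, $name, $id)
{
    $r = ['Name' => $name];
    return $id !== null
        ? $conn->AutoExecute('content', $r, 'UPDATE', 'AutoID = ' . $id)
        : $conn->AutoExecute('content', $r, 'INSERT');
}

// Option B: bound variables (the answer's second route). Placeholders keep
// SQL and data apart whatever the value contains.
function saveWithBoundParams($conn, $name, $id)
{
    return $id !== null
        ? $conn->Execute('UPDATE content SET Name = ? WHERE AutoID = ?', [$name, $id])
        : $conn->Execute('INSERT INTO content (Name) VALUES (?)', [$name]);
}

if (saveWithBoundParams($conn, $name, $id) === false) {
    error_log('content save failed: ' . $conn->ErrorMsg());
}
```

Either function stores the apostrophe unescaped; the difference is that Option B also removes the need to think about quoting the WHERE clause at all.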

2 Comments

Hi, thanks for this. Do you know of a suitable validation class to ensure that the user input is clean?
Edited my answer, please take a look. When validating manually, you can also use the more convenient intval() for integer input (e.g. db record ids), which is probably most of the time.
Thanks for the input, I've decided to turn off magic quotes at runtime with this function:

// Strip the backslashes that magic_quotes_gpc added to every request value
if (get_magic_quotes_gpc()) {
    function stripslashes_gpc(&$value)
    {
        $value = stripslashes($value);
    }
    array_walk_recursive($_GET, 'stripslashes_gpc');
    array_walk_recursive($_POST, 'stripslashes_gpc');
    array_walk_recursive($_COOKIE, 'stripslashes_gpc');
    array_walk_recursive($_REQUEST, 'stripslashes_gpc');
}

However, is that then prone to SQL injection?

1 Comment

Yes it is, unless you use prepared statements for all your queries. Have a look at my answer.