I am using mysql_real_escape_string to save content in my mySQL database. The content I save is HTML through a form. I delete and re-upload the PHP file that writes in DB when I need it.

To display my HTML input correctly, I use stripslashes().

In the other case, when I insert it without mysql_real_escape_string, I do not use stripslashes() on the output.

What is your opinion? Does stripslashes affect performance badly?

EnexoOnoma

5 Answers

3

Do not use stripslashes(). It is utterly useless in terms of security, and there's no added benefit. This practice came from the dark ages of "magic quotes", a thing of the past that has been eliminated in the next PHP version.

Instead, only filter input:

  • string: mysql_real_escape_string($data)
  • integers: (int)$data
  • floats: (float)$data
  • boolean: isset($data) && $data

The output is a different matter. If you are storing HTML, you need to filter HTML against JavaScript.

Edit: If you have to do stripslashes() for the output to look correct, then most probably you have magic quotes turned on. Some CMSs even made the grave mistake of doing their own magic quotes (e.g. WordPress). Always filter as I advised above, turn off magic quotes, and you should be fine.

Christian
  • The description field has `\"/29/76/1302120047629.jpg\"` What is the code that will show this on a page instead of stripslashes ? – EnexoOnoma Aug 18 '11 at 21:54
  • @Nikolai - As I said, you have to use `stripslashes()` in your case but only because **magic quotes is turned on**. This setting is useless, in fact it is being removed. If you turn it off and re-enter the content, you won't need to use `stripslashes()`. – Christian Aug 18 '11 at 21:57
  • I am on a shared server, I guess that will lead me in endless tickets. So, I guess I have to use `mysql_real_escape_string` for strings and `stripslashes`. – EnexoOnoma Aug 18 '11 at 22:01
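An added PHP walk-through (not code from the question or from Christian's answer) of the two points above: escape input once, by type, and why a stored value ending up as `\"/29/76/...jpg\"` is the signature of magic quotes rather than something stripslashes() on output should fix. The mysql_* extension was removed in PHP 7, so the typed filter uses mysqli_real_escape_string() with an assumed open `$link` connection; the double-escaping demonstration uses addslashes() as a stand-in so it runs without a database (for an input containing only quotes and backslashes, the two produce the same bytes). `simulate_magic_quotes()` is a constructed stand-in for the old magic_quotes_gpc setting.

```php
<?php
// Added example, not from the page. Shows per-type input filtering and the
// magic-quotes double-escaping that makes people reach for stripslashes().

// Stand-in for magic_quotes_gpc: PHP used to run addslashes() over every
// GET/POST value before the script saw it. (Constructed simulation; the
// setting was removed from PHP in 5.4.)
function simulate_magic_quotes(string $raw): string {
    return addslashes($raw);
}

// Escape by declared type, as the answer advises. mysqli_real_escape_string()
// is the successor of mysql_real_escape_string(); $link is an assumed open
// mysqli connection. Returns a fragment that is safe to place in the SQL text.
function filter_for_sql(mysqli $link, string $type, $value): string {
    switch ($type) {
        case 'string':
            return "'" . mysqli_real_escape_string($link, (string)$value) . "'";
        case 'int':
            return (string)(int)$value;
        case 'float':
            return (string)(float)$value;
        case 'bool':
            return ($value !== null && $value) ? '1' : '0';
        default:
            throw new InvalidArgumentException("unknown type: $type");
    }
}

// Trace of what reaches the SQL literal under three conditions. addslashes()
// stands in for the MySQL escape here so the function runs offline.
function escaped_for_storage(string $submitted, bool $magic_quotes_on, bool $strip_first): string {
    if ($magic_quotes_on) {
        $submitted = simulate_magic_quotes($submitted); // what PHP already did
        if ($strip_first) {
            $submitted = stripslashes($submitted);      // undo it BEFORE escaping
        }
    }
    return addslashes($submitted);                      // the one escape you want
}

$input = '<img src="/29/76/1302120047629.jpg">';       // constructed sample

// 1) Magic quotes off, escaped once: <img src=\"/29/76/1302120047629.jpg\">
//    MySQL unescapes the literal and stores the original quotes.
echo escaped_for_storage($input, false, false), "\n";

// 2) Magic quotes on, escaped again: <img src=\\\"/29/76/1302120047629.jpg\\\">
//    MySQL stores \" ... \" -- the value from the comment above. Stripping
//    slashes on output hides the symptom; the bytes in the table are wrong.
echo escaped_for_storage($input, true, false), "\n";

// 3) Magic quotes on but undone on input first: identical to case 1.
echo escaped_for_storage($input, true, true), "\n";
```

The fix belongs on the input side: if the host forces magic quotes on and you cannot change the setting, run stripslashes() on the incoming values once before escaping them (case 3), never on the way out. Data already stored with doubled escaping needs a one-off cleanup, after which the output code has nothing to strip.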
1

Do not think about performance, think about security. Use mysql_real_escape_string every time you're inserting data into the DB.

genesis
1

No, don't escape it. Use prepared statements instead. Store your data in its raw format, and process it as necessary for display - for example, use a suitable method to prevent JavaScript from executing when displaying user supplied HTML.

See Bill Karwin's SQL Injection Myths and Fallacies talk and slides for more information on this subject.

See HTML Purifier and htmlspecialchars for a couple of approaches to filter your HTML for output.
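An added example (not code from Mike's answer, HTML Purifier or the PDO project) of the store-raw, escape-on-output approach: the HTML goes into the database as a bound parameter of a prepared statement, comes back byte for byte, and is encoded only when rendered. It uses an in-memory SQLite database through PDO so it runs offline; the `posts` table, the `open_store()` / `save_description()` / `load_description()` / `render_as_text()` helpers and the sample content are all constructed for the demonstration.

```php
<?php
// Added example, not from the page. Prepared statements for storage,
// htmlspecialchars() for output; nothing is escaped or stripped in between.

function open_store(): PDO {
    // Constructed schema; swap the DSN for your MySQL connection in practice.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, description TEXT NOT NULL)');
    return $db;
}

// The value travels as a bound parameter and is never part of the SQL text,
// so quotes and backslashes in it need no escaping and no later stripslashes().
function save_description(PDO $db, string $html): int {
    $stmt = $db->prepare('INSERT INTO posts (description) VALUES (:d)');
    $stmt->execute([':d' => $html]);
    return (int)$db->lastInsertId();
}

function load_description(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT description FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $value = $stmt->fetchColumn();
    return $value === false ? '' : (string)$value;
}

// Output encoding for a context where the markup must be shown literally
// (an editing textarea, a preview of the source). ENT_QUOTES covers both
// quote characters so the result is also safe inside an attribute value.
function render_as_text(string $html): string {
    return htmlspecialchars($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: quotes, an apostrophe and a script tag in one value.
$submitted = '<img src="/29/76/1302120047629.jpg"> It\'s <script>alert(1)</script>';

$db = open_store();
$id = save_description($db, $submitted);
$stored = load_description($db, $id);

var_dump($stored === $submitted); // bool(true): the raw bytes round-trip unchanged

echo render_as_text($stored), "\n";
// &lt;img src=&quot;/29/76/1302120047629.jpg&quot;&gt; It&#039;s &lt;script&gt;alert(1)&lt;/script&gt;
```

When the stored HTML is meant to render as HTML rather than be shown as text, htmlspecialchars() is the wrong tool; that is the case for HTML Purifier, whose documented use is to construct an `HTMLPurifier` instance and pass the stored string through its `purify()` method at output time, so the database keeps the author's original markup and the whitelist can be tightened later without rewriting rows.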

Mike
0

It is always best to scrub your data for potential malicious or overlooked special characters which might throw errors or corrupt your database.

Per the PHP docs, it even says "If this function is not used to escape data, the query is vulnerable to SQL Injection Attacks."

AlienWebguy
0

Check out a database abstraction library that does all this and more for you automatically, such as ADOdb at http://adodb.sourceforge.net/

It addresses a lot of the concerns others have brought up such as security / parameterization. I doubt any performance saved is worth the developer hassle to do all this manually every query, or the security practices sacrificed.

codercake