addslashes is the basics for security? [duplicate]

3

I have a site with login system, where you will find a forum with comments.

I wanted to know if the addslashes function would be at least the basics to prevent malicious code, such as page redirection or SQL injection?

asked by anonymous 31.03.2016 / 23:49

2 answers

6

The addslashes() function is used to escape backslashes, single quotes, and more. It is not enough to escape HTML, CSS or JavaScript content.

To escape HTML content, use functions like strip_tags(), which removes tags, or use htmlentities() if you want to display HTML content as text.

Practical example of the 3 functions:

addslashes()

<?php
$str = "Is your name O'Reilly?";

// Outputs: Is your name O\'Reilly?
echo addslashes($str);

The function adds the escape character (backslash) before every single quote found.

Note that there is a magic_quotes_gpc directive in PHP. In versions lower than PHP 5.4, this directive might be enabled, so it is important to check whether or not it is enabled on those versions of PHP. When magic_quotes_gpc is active, addslashes() is automatically applied to the global variables $_GET, $_POST and $_COOKIE.

strip_tags()

<?php
$text = '<p>Test paragraph.</p><!-- Comment --> <a href="#fragment">Other text</a>';
// Outputs the text content only, with the tags and the comment removed
echo strip_tags($text);

The function removes everything that is an HTML, JavaScript or CSS tag.

The second parameter of the function is used to specify exceptions:

<?php
$text = 'foo<br>bar';
// The second argument lists the tags that must be kept
echo strip_tags($text, '<br>');

In this second example, all HTML tags except the <br> tag are removed.

To prevent SQL injection attacks, prefer functions like mysqli_real_escape_string(). For more details on the subject see this link: Is using addslashes against SQL injection secure?

htmlentities

Converts special characters, that is, non-alphanumeric characters, into HTML entities.

Simply put, you have probably already seen codes like a&ccedil;&atilde;o in HTML source, which the browser displays as ação. These are HTML entities.

The main utility is to allow HTML code to be viewed without being interpreted, that is, it will be treated as plain text.

Suppose you want to display the HTML code <b>texto</b> literally. Then you can use HTML entities:

<?php
// Outputs the markup as text instead of rendering it
echo htmlentities('<b>texto</b>');

Another common use, which I do not recommend, is to display characters from multibyte languages or even accented Latin characters.

Note: Do not confuse HTML entities with URL encoding (urlencode()). They are different encodings.

01.04.2016 / 00:46
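The following is an added example, not code from the answer above: it runs the three functions discussed on the answer's own inputs, then contrasts a literal built with addslashes() against a parameterized query. The SQL part assumes the pdo_sqlite extension is available; the function names are this example's own.

```php
<?php
// Added example (not from the original answer). Assumes PHP 7+ with pdo_sqlite.
declare(strict_types=1);

function escapeWithAddslashes(string $s): string
{
    // Backslash before single quote, double quote, backslash and NUL only.
    return addslashes($s);
}

function stripTagsKeepingBr(string $html): string
{
    // Removes every tag except <br>; the text inside removed tags is kept.
    return strip_tags($html, '<br>');
}

function toEntities(string $html): string
{
    // Converts <, >, & and quotes to entities so markup is shown, not rendered.
    return htmlentities($html, ENT_QUOTES, 'UTF-8');
}

function findUserByName(PDO $db, string $name): ?array
{
    // The value is bound as a parameter, never pasted into the SQL text, so a
    // quote inside $name is data, not syntax.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database with a single user named O'Reilly
// (SQL itself escapes a quote by doubling it, not with a backslash).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('O''Reilly')");

echo escapeWithAddslashes("Is your name O'Reilly?"), PHP_EOL;
// strip_tags() drops the <script> tags but keeps the text that was inside them.
echo stripTagsKeepingBr('<p>foo</p><br>bar<script>alert(1)</script>'), PHP_EOL;
echo toEntities('<b>texto</b>'), PHP_EOL;

// Prepared statement: finds the row even though the name contains a quote.
var_dump(findUserByName($db, "O'Reilly"));

// Building the literal with addslashes() is not database-aware: SQLite does
// not treat backslash as an escape, so this query is rejected as a syntax error.
try {
    $db->query("SELECT id FROM users WHERE name = '" . addslashes("O'Reilly") . "'");
} catch (PDOException $e) {
    echo 'addslashes() query rejected: ', $e->getMessage(), PHP_EOL;
}
```

The last block is the reason the answer points to a database-specific escaping function for SQL: addslashes() applies one fixed rule, while the quoting rules belong to the database. Binding parameters removes the question entirely, because the value never becomes part of the SQL text.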
1

In part, yes: addslashes protects against most SQL injection payloads but not all; its only function is to escape the quote character by adding a backslash (\).

Aside from these SQL injection commands, there are more complex ones that are not made through forms on your page, so for good security it is recommended to use users and permissions in the database.

As a forum where people can leave comments, it is possible to inject JavaScript, with session theft scripts, comment deletion, among others. If you have further questions, look up Cross-Site Scripting (XSS).

These are some of the most common vulnerabilities encountered; there are still other means of scripting and website intrusion. This link contains some known vulnerabilities: See here!

01.04.2016 / 00:45
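As an added example, not part of the answer above, here is a minimal comment pipeline for the forum described in the question: comments are stored as submitted and escaped at output time, and the session cookie is marked HttpOnly so that a script that does slip through cannot read it from document.cookie. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params()); the function names and sample comments are constructed for the example.

```php
<?php
// Added example (not from the original answer). Assumes PHP >= 7.3.
declare(strict_types=1);

// Escape for an HTML text context. ENT_QUOTES covers both quote styles so the
// same function is safe inside attribute values; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string (which would drop input).
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render one comment. The author goes into an attribute, the body into
// element text: both pass through escapeHtml(), nothing is interpolated raw.
function renderComment(string $author, string $body): string
{
    return '<li class="comment" data-author="' . escapeHtml($author) . '">'
         . '<p>' . nl2br(escapeHtml($body)) . '</p></li>';
}

// Cookie parameters to apply before session_start().
function hardenedSessionCookieParams(): array
{
    return [
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',  // not sent on cross-site POST requests
    ];
}

// Constructed sample comments; the second one carries markup in both fields.
$comments = [
    ['author' => 'alice', 'body' => "Hello, O'Reilly fans!\nSecond line."],
    ['author' => 'mallory" data-x="', 'body' => '<b>bold?</b> <script>alert(1)</script>'],
];

if (PHP_SAPI !== 'cli') {
    // Session cookie flags must be set before the session is started.
    session_set_cookie_params(hardenedSessionCookieParams());
    session_start();
}

echo '<ul>', PHP_EOL;
foreach ($comments as $c) {
    echo renderComment($c['author'], $c['body']), PHP_EOL;
}
echo '</ul>', PHP_EOL;
```

Escaping happens where the data meets HTML, not where it is stored, so the same stored comment can later be emitted into a different context (JSON, a plain-text e-mail) with the escaping that context needs. The HttpOnly flag does not prevent injection; it limits what an injected script can take with it.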