Hmmm…. messages like:
User added (assuming there are no errors). Gee I was half-arsed in making this.
Are not great to see, particularly when you are the one that wrote them. Mind you, the system has been working for three years, so it can’t be all that bad. Nevertheless I shall rewrite it one day to integrate with WordPress. Must fix those “addslashes” bits as well. Stupid server changes and lazy coding (never a good mix).
Regarding slashes, it would probably only take you 5 min to scatter mysql_escape_string throughout your code and turn off the add-slashes directive (if it's turned on). It would also help harden the site against hacking. This is the biggest awards night of the year after all, surely it doesn't deserve slashes.
I too shudder when I look at my three year old PHP code, and not just because it is very cold in Melbourne and I was shuddering anyway.
Cheers,
Will.
Actually this can’t be exploited as a security vulnerability. If the server changes the code should remain secure (because data values are always escaped anyway). The problem is it is just escaped twice, which means that you see the original escape characters. I will be posting an article about SQL injection attacks soon (after critical uni assignments have been finished).
I do agree though that it really hurts the professionalism of the site, which is why I’ve been careful to remove them manually as quickly as possible.
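An added example (not code from either commenter) modelling the "escaped twice" symptom described above and the fix suggested earlier in the thread. It emulates PHP's addslashes()/stripslashes() and the one level of backslash unescaping a MySQL-style parser applies to a quoted literal; the function names store() and store_fixed(), the magic_quotes_gpc flag, and the sample inputs are constructed for illustration:

```python
# Added example: why addslashes() on top of magic_quotes_gpc leaves
# backslashes in the database, and why it still is not an injection hole.
# Emulations of PHP/MySQL behaviour; the names store/store_fixed and the
# sample strings are constructed for this demonstration.

def addslashes(s: str) -> str:
    """Mirror PHP addslashes(): backslash-escape ', ", \\ and NUL."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def stripslashes(s: str) -> str:
    """Mirror PHP stripslashes(): remove exactly one level of backslashes."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            out.append("\x00" if nxt == "0" else nxt)
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def mysql_parse_literal(escaped: str) -> str:
    """What a backslash-escaping SQL parser stores for '<escaped>'.
    For the characters addslashes() produces this is one level of
    unescaping, i.e. the same transformation as stripslashes()."""
    return stripslashes(escaped)


def has_unescaped_quote(escaped: str) -> bool:
    """True if a quote in the literal could terminate the string early."""
    i = 0
    while i < len(escaped):
        if escaped[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if escaped[i] == "'":
            return True
        i += 1
    return False


def store(user_input: str, magic_quotes_gpc: bool) -> str:
    """Simulate the original code: magic_quotes_gpc may already have
    escaped the request data, then the application escapes it again."""
    data = addslashes(user_input) if magic_quotes_gpc else user_input
    literal = addslashes(data)
    # Escaped once or twice, the quote can never break out of the literal.
    assert not has_unescaped_quote(literal)
    return mysql_parse_literal(literal)


def store_fixed(user_input: str, magic_quotes_gpc: bool) -> str:
    """Simulate the usual fix: undo magic quotes once (the
    get_magic_quotes_gpc()/stripslashes() idiom), then escape exactly once."""
    data = stripslashes(user_input) if magic_quotes_gpc else user_input
    literal = addslashes(data)
    assert not has_unescaped_quote(literal)
    return mysql_parse_literal(literal)


if __name__ == "__main__":
    print(store("it's", magic_quotes_gpc=True))        # it\'s  (the symptom)
    print(store_fixed("it's", magic_quotes_gpc=True))  # it's
    print(store("' OR '1'='1", magic_quotes_gpc=False))  # stored inert
```

With magic_quotes_gpc on, store() hands back a value containing a literal backslash, which is exactly what shows up on the page; store_fixed() round-trips the input. In both paths the assertion on has_unescaped_quote() holds, matching the observation that the double escaping is cosmetic rather than exploitable.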
You are right, although escaping strings using the mysql method is probably better than addslashes as it was written exclusively for MySQL to prevent SQL injection attacks.
One thing I have learnt is that it is by far easier to write vulnerable PHP code than vulnerable Java code (Java has a lovely thing called a PreparedStatement…).
Will.
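An added example (not code from either commenter) of the PreparedStatement idea raised above: the same lookup written by string concatenation and with a bound parameter, run against the same data. It uses Python's sqlite3 module as a stand-in for the MySQL/Java setup discussed in the thread; the users table, the rows in it and the probe strings are constructed for the demonstration:

```python
# Added example: string-built query versus parameterised query.
# sqlite3 stands in for MySQL; the table and rows are constructed here.
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("alice", 0), ("bob", 1)]
    )
    return conn


def find_user_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the input becomes part of the SQL text, so a quote in
    it is parsed as SQL rather than as data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn: sqlite3.Connection, name: str) -> list:
    """Safe: the driver sends the value separately from the statement
    (the PreparedStatement approach), so quotes are just characters."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def is_injected(conn: sqlite3.Connection, probe: str) -> bool:
    """True if the concatenated query returns rows the parameterised
    query (the intended semantics) would not."""
    try:
        loose = find_user_concat(conn, probe)
    except sqlite3.Error:
        return False  # query broke instead of being widened
    return set(loose) != set(find_user_param(conn, probe))


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print(find_user_concat(db, probe))  # every user
    print(find_user_param(db, probe))   # nobody is literally called that
    print(is_injected(db, probe))       # True
```

The same concatenated query also falls over on ordinary data: a name such as it's produces a syntax error, which is the non-malicious face of the slashes problem, while the bound parameter handles it without any escaping in the application.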
And that’s where abstraction layers come in. The problem isn’t so much that it is easier to write vulnerable code in one language than another, it’s that bad habits are easy to pick up in one language compared to another. Often it happens if the language is designed to give you the quickest way to achieve a result.
Ultimately the same amount of effort is involved because the same processes that cause the vulnerabilities are used. Sure, Java may have a PreparedStatement, but that’s useless if you don’t use it. It isn’t a language specific thing, but rather how one approaches programming problems.
Yes, having the abstraction layer native within the language is nice, and something that is missing from an out of the box PHP installation. However if you are using one database type exclusively (and are prepared to recode in the event of a switch) then the standard statements are ideal.
As for addslashes, in a MySQL environment it works just fine. The trick again is to use the method that is relevant to the database you are working with.
True.
I am a big fan of abstraction layers.
I use them everywhere. Databases, input methods, OpenGL. Can’t get enough!
Will.