Beware of the trailing backslash

January 24th, 2008 by Alistair MacDonald

I have been working on a pet PHP project that will be maintained by others who are not professional developers. They are intelligent people but are probably unaware of code and SQL injection, never mind how to avoid it. As a result I have been encapsulating all the client interaction in a set of easy-to-understand libraries. It was while working on this that I came across a scenario I would not otherwise have come across: problems caused by a trailing backslash in an edit field.

Although a trailing backslash is rarely a problem nowadays, as magic_quotes_gpc is enabled by default on most new servers, there are occasions when you need to strip the slashes again and then encode the value as HTML with htmlspecialchars or the like. The problem is that htmlspecialchars leaves backslashes alone, so if the last character of the value is a backslash and the value is then concatenated into another string (as when building an SQL query), that backslash escapes whatever character the code appends next, which is usually the closing quote. The string literal therefore does not end where the developer expects it to, and whatever follows, very often the next field from the same form, is read as part of the literal or as SQL.

The risk of attack looks small, since it relies on two user-supplied values being fed into the same query and on the attacker knowing the order in which they are concatenated, but that order is usually easy to guess or to find by trial, so it is still a real risk, and an easy way to screw with a site.
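To make the two paragraphs above concrete, here is an added example that is not part of the original post. It emulates in Python, so that it can be checked offline, the PHP input path described: addslashes as magic_quotes_gpc applied it, stripslashes, htmlspecialchars with its default flags, and a minimal scanner for MySQL single-quoted literals that shows where each string actually ends. The table, the columns, the two form fields and the attacker's values are constructed for the illustration; the hardened variant re-escapes with the rules mysql_real_escape_string applies for a single-byte or UTF-8 connection charset, which is an assumption about the connection.

```python
"""Trailing-backslash injection, emulated in Python (constructed example).

Path modelled, as described in the post:
  magic_quotes_gpc (addslashes) -> stripslashes() -> htmlspecialchars()
  -> values concatenated into an INSERT with two user-supplied fields.
"""


def php_addslashes(s: str) -> str:
    """What magic_quotes_gpc did to every request value before the script saw it."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def php_stripslashes(s: str) -> str:
    """PHP stripslashes(): drop each backslash, keep the character after it
    (a backslash-zero becomes a NUL byte, a lone trailing backslash is dropped)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append("\0" if s[i + 1] == "0" else s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def php_htmlspecialchars(s: str) -> str:
    """htmlspecialchars() with the default ENT_COMPAT flags: the single quote
    and, crucially here, the backslash are left untouched."""
    return (s.replace("&", "&amp;").replace('"', "&quot;")
             .replace("<", "&lt;").replace(">", "&gt;"))


def mysql_escape(s: str) -> str:
    """Escaping as mysql_real_escape_string() does it for an ASCII/UTF-8
    connection charset (assumption): backslash, both quotes and control bytes."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)


def sql_literals(query: str):
    """Minimal scanner for MySQL single-quoted literals (backslash escapes, doubled
    quotes and '-- ' comments honoured). Returns (literal contents, SQL text
    outside the literals, whether some literal was left unterminated)."""
    literals, outside, i, n, unterminated = [], [], 0, len(query), False
    while i < n:
        if query.startswith("-- ", i):            # end-of-line comment eats the rest
            end = query.find("\n", i)
            end = n if end == -1 else end
            outside.append(query[i:end]); i = end
            continue
        if query[i] != "'":
            outside.append(query[i]); i += 1
            continue
        i += 1                                    # opening quote
        buf, closed = [], False
        while i < n:
            c = query[i]
            if c == "\\" and i + 1 < n:           # backslash escape: next char is data
                buf.append(query[i + 1]); i += 2
            elif c == "'" and i + 1 < n and query[i + 1] == "'":   # doubled quote
                buf.append("'"); i += 2
            elif c == "'":                        # closing quote
                i += 1; closed = True; break
            else:
                buf.append(c); i += 1
        literals.append("".join(buf))
        unterminated = unterminated or not closed
    return literals, "".join(outside), unterminated


SQL_TEMPLATE = "INSERT INTO notes (title, body) VALUES ('{}', '{}')"   # constructed


def build_query_naive(title_gpc: str, body_gpc: str) -> str:
    """The pattern in the post: undo magic_quotes, HTML-encode, concatenate."""
    def clean(v):
        return php_htmlspecialchars(php_stripslashes(v))
    return SQL_TEMPLATE.format(clean(title_gpc), clean(body_gpc))


def build_query_escaped(title_gpc: str, body_gpc: str) -> str:
    """Hardened: after stripslashes, escape for the database at the point of use.
    HTML encoding belongs at output time; prepared statements are better still."""
    return SQL_TEMPLATE.format(mysql_escape(php_stripslashes(title_gpc)),
                               mysql_escape(php_stripslashes(body_gpc)))


# Constructed attacker input, as typed into the two form fields.
TITLE_RAW = "harmless\\"                                     # ends in one backslash
BODY_RAW = ", (SELECT password FROM users WHERE id=1)) -- "  # needs no quote at all
# What the script received after magic_quotes_gpc.
TITLE_GPC, BODY_GPC = php_addslashes(TITLE_RAW), php_addslashes(BODY_RAW)


if __name__ == "__main__":
    for label, build in (("naive", build_query_naive), ("escaped", build_query_escaped)):
        query = build(TITLE_GPC, BODY_GPC)
        literals, outside, unterminated = sql_literals(query)
        print(f"{label}: {query}")
        print(f"  literals={literals!r}\n  outside={outside!r} unterminated={unterminated}")
```

In the naive build the title literal swallows the closing quote and the comma, so the body field's subquery lands outside any literal and becomes the value stored in `body`, where the attacker can read it back from the page. With a single field ending in a backslash and an ordinary second value, the scanner instead reports an unterminated literal, which is the syntax error the post mentions seeing. The escaped build keeps the trailing backslash as data and the subquery inside its literal.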

As an experiment I decided to try screwing with some popular open source projects by ending my field values with a backslash, and guess what, on a few it caused chaos. The common problem is that the server goes into overdrive until it times out, or you get back an interesting error message. If I have time I will look at the possibility of using this as a way to inject my SQL, and then look at easy ways to fix it.

So, if you ever use stripslashes, remember to think about the trailing backslash. Better still, do not treat magic_quotes or htmlspecialchars as SQL escaping at all: escape values for the database at the point where the query is built, with mysql_real_escape_string or, preferably, prepared statements, and keep the HTML encoding for output.
