How to remove manually added backslashes in SQL injections?

431 views Asked by At

I am using MySQL and PHP to manage my data on my website.

I have a paragraph typed in TeX format which so many mathematical formulas. I want to insert in my database and retrieve the same in some other place.

While retrieving I am using mathjax to display the mathematical part. Problem is while inserting the data.

When I am inserting the data

$\int f d\mu $ ( Note that this '\' is required to run the math formula)

I am getting the inserted data as

$\\int f d \\mu $

There two backslashes instead of one.

How to prevent the backslashes which are added every time with the manually added backslashes (which is required).

Will the stripslashes() help or any other solutions?

Thanks in advance.

<form action="" method="POST">



<input type="hidden" name="id" value=<?php echo $print->Id; ?> >

<table class="speaker-abstract" style="width:49%; float:left;">

  <tr>

  <th> Update the Abstract Details Here </th>
  </tr>

<tr>
<td>
<label> Title of the Talk </label>
<input  style="width:95%" type="text" name="title1"  value="<?php echo $print->title_of_the_talk1; ?>">
</td>


</tr>

<tr>
<td> 
<label> Abstract of the Talk (Type in TeX format) </label>

 <textarea style="width:95%" name="abstract1"  rows="10"  ><?php echo $print->Abstract1; ?></textarea>

 </td>

 </tr>

  </table>

  <table class="speaker-abstract" style="width:49%; float:left;">
  <tr>

  <th> If any other, update the Abstract Details Here </th>
  </tr>

<tr>
<td>
<label> Title of the Talk </label>
 <input style="width:95%" type="text" name="title2" value="<?php echo $print->title_of_the_talk2; ?>">
</td>

</tr>

<tr>
<td> 
<label> Abstract of the Talk  (Type in TeX format) </label>
 <textarea style="width:95%" name="abstract2"  rows="10"  > <?php echo $print->Abstract2; ?> </textarea>

 </td>

 </tr>

  </table>

 <input style="float:right;" type="submit" name="update_abstract" value="Submit/Update"> 

</form>

and the php code to submit the form and display the data is the following.

<?php

$success_msg="Updated Successfull !!!";
$search= "Search the Speaker Here";

if (isset($_POST['update_abstract'])){
$id=$_POST['id'];
$title1=$_POST['title1'];
$title2=$_POST['title2'];
$abstract1=$_POST['abstract1'];
$abstract2=$_POST['abstract2'];

$update=$wpdb->update( 
    'Invited_Speakers_auto', 
    array( 
        'title_of_the_talk1' => $title1,
        'title_of_the_talk2' => $title2,
        'abstract1' => $abstract1,
        'abstract2' => $abstract2

    ), 
    array( 'id' => $id )

);
if ($update==true){

echo $success_msg.$abstract1;

}else
{
 $success_msg="There is an error in the update";
}

}
?>

PS:

  1. Kindly note that, I need the slash which is inserted by the user, I just have remove the slashes which are automatically inserted while sql insertion happens.

  2. stipslashes() Helps me in removing the added slashes in the output.

but I want to remove the backslashes while insertion itself.

1

There are 1 answers

0
Navid On

You can use MySqli or PDO with prepared statement. This is the best known method for sql injection prevention by the way. Learn more about Sql Injection Prevention from this fantastic answer!

Following code successfully inserts the string into MySql Database and reads from it. Hope it helps!

 <?php
    $_user = 'root';
    $_password= 'root';
    $_db = 'localtest';
    $_host = 'localhost';
    $_port = 3306;
    $con = new mysqli($_host, $_user, $_password, $_db) or die(mysql_error);

    $new = '$\int f d\mu $';

        //insert into mysql table
        $sql="INSERT INTO test (math) VALUES (?); ";
        $stmt = $con-> prepare($sql);
        $stmt -> bind_param("s", $new);
        $stmt -> execute();

    // Reading From DB
    $id = 1;
    $sql="SELECT math FROM test WHERE id = ?";
    $stmt = $con->prepare($sql);
    $stmt->bind_param("i", $id);
    $stmt -> execute(); 
    $stmt->store_result();
    /* Get the number of rows */
    $num_of_rows = $stmt->num_rows;

    /* Bind the result to variables */
    $stmt->bind_result($new);

    if($num_of_rows < 1){ 
        echo "Can't find any record!"; 
        mysqli_close($con); 
        exit();
    }
    while ($stmt->fetch())
    {
        echo $new . PHP_EOL;

        /* free results */
        $stmt->free_result();

    }
    mysqli_close($con); 
    exit();
   ?>

Update

If you can't use PDO or MySqli then mysql_real_escape_string can help you properly escape special characters.

You can also try to use htmlentities before inserting into database and then html_entity_decode when retrieved.