
I've discovered that the post method seems to be auto-escaping my strings for me.  I've been working on a simple PHP/MySQL front end/back end combination and have been researching security for said combination.  Everything I've looked at said that I should run all my strings through mysql_real_escape_string() before sending them to mysql_query() as a preventative against SQL Injection attacks.

 

However, I've discovered that the post method itself seems to do the job of mysql_real_escape_string() all on its own.  My strings seem to be escaped already when they're in the $_POST array!  These are strings entered into text fields in a form that is then sent to the processing script via the post method.  When they arrive /, ' and " are all escaped.  And when I run the strings through mysql_real_escape_string() the function then double escapes everything, which results in a bunch of / being inserted into my data.  Does anyone know if POST is supposed to do this?  Is there some setting I can use to turn it off and on?  Is POST's escaping as secure and effective as mysql_real_escape_string?

 

I did a few precursory searches for threads existing on this topic and found none, and I've found no mention of this in the documentation anywhere.  I'm really rather baffled.

I actually discovered what appears to be the answer shortly after posting.  The issue is magic_quotes.  I found I had magic_quotes_gpc enabled on my server (it's apparently enabled by default pre-6.0 but won't be enabled by default after that).  I went and disabled it, but I'm now wondering how many of my third party PHP/MySQL applications depended on it for escaping or if they handled it well.  Gonna have to go through and look at their code.

It sounds as though you both have Magic Quotes turned on.  Try the following function:

<?php
   // If magic_quotes_gpc is on, PHP has already added backslashes to the
   // value; strip them first so mysql_real_escape_string() escapes exactly once.
   // Note: mysql_real_escape_string() needs an open mysql_connect() link.
   function myEscape($value)
   {
      return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($value)) : mysql_real_escape_string($value);
   }

   $name = myEscape($_POST['name']);
?>

No application should rely on magic_quotes_gpc.  And also, they're not off by default in PHP6...they don't even EXIST in PHP6.  And yes, use Nightslyr's code so it's safe on any server.  Obviously you should rename the function though so you know what it does.
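An added example, not code from anyone in this thread: it undoes magic_quotes_gpc once for the whole request (recursively, since form fields can be arrays), shows the double-escaping the thread describes on a constructed value, and then goes one step further than the thread by binding the value as a mysqli parameter so no manual escaping is needed at all. The helper name, connection details and the users table are assumptions.

```php
<?php
// Added example (not from the thread). Undo magic_quotes_gpc once, at the
// very top of the request, so no later code double-escapes. Targets the
// PHP 5 setups discussed above; get_magic_quotes_gpc() and the mysql_*
// extension no longer exist in current PHP, hence the function_exists() guard.
// stripslashes_deep() is a hypothetical helper name.
function stripslashes_deep($value)
{
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_POST    = stripslashes_deep($_POST);
    $_GET     = stripslashes_deep($_GET);
    $_COOKIE  = stripslashes_deep($_COOKIE);
    $_REQUEST = stripslashes_deep($_REQUEST);
}

// The double escaping the thread describes, on a constructed sample:
// with magic_quotes_gpc=On, a user typing O'Brien arrives as O\'Brien.
// addslashes() stands in for mysql_real_escape_string() (which needs a link)
// since both add the same backslash before a quote.
$fromMagicQuotes = "O\\'Brien";                          // what $_POST holds
$double = addslashes($fromMagicQuotes);                  // O\\\'Brien: wrong, stored with a stray backslash
$fixed  = addslashes(stripslashes($fromMagicQuotes));    // O\'Brien: escaped exactly once

// Better than escaping at all: bind the value as a parameter. The driver
// sends it separately from the SQL text, so quotes cannot change the query.
// Connection values and the users(name) table are placeholders.
$name = isset($_POST['name']) ? $_POST['name'] : '';
$db   = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$stmt = $db->prepare('INSERT INTO users (name) VALUES (?)');
$stmt->bind_param('s', $name);
$stmt->execute();
```

With magic quotes stripped at the top and parameters bound below, the same code stores O'Brien correctly whether magic_quotes_gpc is on or off.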

Will do.  Thanks a bunch.
