[SOLVED] Magic Quotes, Do I have this right?


Prodigal Son


I've been messing around with magic quotes. I was inserting stuff into the db with mysql_real_escape_string with magic quotes on, and something like "Larry's" would end up being "Larry\'s". I would use stripslashes when I display it if magic quotes is on. Instead, now I strip the slashes BEFORE I put it into the db, and "Larry's" shows as "Larry's". So am I doing this correctly now? When I display it, I don't need to strip the slashes again, right?

 

If instead I just turn off magic quotes then would all I need to do is mysql_real_escape_string any data I put into a database? Is it as simple as that?

> Instead now I strip the slashes BEFORE I put it into the db and "Larry's" would show as "Larry's". So am I doing this correctly now?

 

That is the correct method. If slashes are actually making it into your database, you have escaped the special chars twice, which is once too many times.

 

If you can disable magic quotes do so, then just escape your data manually using mysql_real_escape_string().
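As an added illustration (not code from anyone in this thread), the following PHP traces what reaches MySQL on each of the three paths discussed: magic quotes off, magic quotes on with a second escape, and magic quotes on with stripslashes first. It uses addslashes() as an offline stand-in for mysql_real_escape_string(), which needs a live connection; both turn ' into \' and \ into \\, which is all the trace relies on, and that substitution is an assumption made so it runs without a database.

```php
<?php
// Added example (not from any post in this thread): trace what a value looks
// like on each path to the database. addslashes() stands in for
// mysql_real_escape_string(), which needs a live connection; both turn ' into
// \' and \ into \\, which is all this trace relies on (stated assumption).

// What PHP hands you in $_POST / $_GET when magic_quotes_gpc is on.
function apply_magic_quotes($raw)
{
    return addslashes($raw);
}

// The string literal that ends up inside the INSERT statement.
function value_sent_to_mysql($raw, $magicQuotesOn, $stripFirst)
{
    $value = $magicQuotesOn ? apply_magic_quotes($raw) : $raw;
    if ($magicQuotesOn && $stripFirst) {
        $value = stripslashes($value);   // undo the automatic escaping first
    }
    return addslashes($value);           // escape exactly once for the query
}

// MySQL removes one level of escaping when it parses the literal; for \' and
// \\ stripslashes() does the same, so it models what gets stored (assumption).
function value_stored_in_db($raw, $magicQuotesOn, $stripFirst)
{
    return stripslashes(value_sent_to_mysql($raw, $magicQuotesOn, $stripFirst));
}

$raw = "Larry's";   // constructed input, the one from the question above
$paths = array(
    'magic quotes off, escape once'      => array(false, false),
    'magic quotes on, escape again'      => array(true,  false),
    'magic quotes on, strip then escape' => array(true,  true),
);
foreach ($paths as $label => $p) {
    printf("%-36s sent: %-12s stored: %s\n",
        $label,
        value_sent_to_mysql($raw, $p[0], $p[1]),
        value_stored_in_db($raw, $p[0], $p[1]));
}
```

Only the middle path (magic quotes on, then escaping again without stripping) leaves a backslash in the stored value; that is exactly the "Larry\'s" in the table that started this thread. Stripping before escaping, or turning magic quotes off, both store the value as typed.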

OK, now I'm confused ... my INSERT statements usually look like this: 

 

//insert merchant into database
$query = "INSERT INTO merchants (MerchantName, AffLink, MerchantShortDesc, MerchantLongDesc, CommissionRate) VALUES ('"
    . mysql_real_escape_string($MerchantName, $connection) . "', '"
    . mysql_real_escape_string($AffLink, $connection) . "', '"
    . mysql_real_escape_string($MerchantShortDesc, $connection) . "', '"
    . mysql_real_escape_string($MerchantLongDesc, $connection) . "', '"
    . mysql_real_escape_string($CommissionRate, $connection) . "')";

 

which means stuff like: 

 

cuthbert's

 

is shown in the MySQL database with a backslash as: 

 

cuthbert\'s

 

... which I thought was correct.  Then when I pull the data back out of the database for display in a form I use a function: 

 

<?php
//prepare data from database by stripping added backslashes and replacing special characters with HTML equivalents
function PrepareForForm($FieldValue) {
    $FieldValue = htmlspecialchars(stripslashes($FieldValue), ENT_QUOTES);
    return $FieldValue;
}
?>

 

... which will get rid of the backslashes again (and handle any special characters). 

 

Are you saying this is wrong? 

 

Thanks.

No, the whole purpose of using mysql_real_escape_string is so that you won't have to escape data AFTER pulling it out of the database.

 

If you're ending up with escaped values in your database, Magic Quotes is turned on. You either have to turn it off, or remove the slashes BEFORE calling mysql_real_escape_string ( damn I hate typing that function ) and inserting the data ( with stripslashes )

> OK, now I'm confused ... my INSERT statements usually look like this:
>
> which means stuff like:
>
> cuthbert's
>
> is shown in the MySQL database with a backslash as:
>
> cuthbert\'s
>
> Are you saying this is wrong?
>
> Thanks.

Lol, yeah, that's what I did at first too. Looks like that's not correct. It also creates some problems when you display stuff, some weird stuff happens :P

 

I think I am just going to turn off magic quotes. You have to stripslashes on so many things when you have magic quotes on. So I just need to use mysql_real_escape_string when inserting to a db. Are there any other instances where I'd have to addslashes, or is it pretty safe?

Slashes are mostly for injection prevention... anywhere you are passing user data to another engine that relies on quotes.

 

The only other data you really want to sanitize is anything that will be outputted to the browser ( XSS attacks )

> Slashes are mostly for injection prevention... anywhere you are passing user data to another engine that relies on quotes.
>
> The only other data you really want to sanitize is anything that will be outputted to the browser ( XSS attacks )

Any user input that I display, I usually run htmlentities on. So is this good?

 

1. take user input

2. mysql_real_escape_string the user input to prevent sql injection

3. select user input to display on page

4. run htmlentities on it to prevent XSS

 

If I had magic quotes on I would just do stripslashes BEFORE (lol) number 2.
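The four steps above, written out end to end as an added example (this is not code from anyone in the thread). It assumes the legacy mysql extension the thread uses with an open connection in $connection, a table named comments with an id and a body column, and the helper names for_sql, for_html, store_comment and load_comment; the connection credentials are placeholders. The point it adds to the list is that SQL escaping on the way in and HTML escaping on the way out are two separate jobs: a stored "<script>" comes back from the database unchanged and must be encoded only when it is echoed.

```php
<?php
// Added example of the four-step pipeline (not from the thread). Assumes the
// legacy mysql extension with an open connection in $connection and a table:
//   CREATE TABLE comments (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT);
// The table, helper names and credentials below are assumptions/placeholders.

// Steps 1 and 2: undo magic quotes once (if the server still has them on),
// then escape exactly once for the SQL string literal.
function for_sql($value, $connection)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return mysql_real_escape_string($value, $connection);
}

// Step 4: escape for HTML output. ENT_QUOTES also encodes ' so the value is
// safe inside single-quoted attributes, not only between tags.
function for_html($value)
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

function store_comment($body, $connection)
{
    $query = "INSERT INTO comments (body) VALUES ('" . for_sql($body, $connection) . "')";
    if (!mysql_query($query, $connection)) {
        die('insert failed: ' . mysql_error($connection));
    }
    return mysql_insert_id($connection);
}

// Step 3: read the raw value back. Nothing is stripped here: because the
// value was escaped only once on the way in, MySQL stored it as typed.
function load_comment($id, $connection)
{
    $result = mysql_query("SELECT body FROM comments WHERE id = " . (int) $id, $connection);
    $row = mysql_fetch_assoc($result);
    return $row ? $row['body'] : null;
}

$connection = mysql_connect('localhost', 'user', 'secret');   // placeholder credentials
mysql_select_db('example', $connection);                       // placeholder database

// Constructed inputs: an apostrophe that trips magic quotes, and a tag that is
// harmless to the SQL statement but must never be echoed raw.
foreach (array("Larry's", "<script>alert(1)</script>") as $input) {
    $id   = store_comment($input, $connection);
    $body = load_comment($id, $connection);
    echo "stored: " . $body . "\n";            // comes back exactly as typed
    echo "html:   " . for_html($body) . "\n";  // encoded only at output time
}
```

With ENT_QUOTES, htmlentities() turns the apostrophe into &#039; and the angle brackets into &lt; and &gt;, so the browser shows the text instead of running it; the database row itself is untouched. On any PHP version still maintained, a prepared statement with bound parameters (mysqli or PDO) replaces step 2 entirely and removes the need to think about quoting in the query string at all.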

Looks good. I generally use a custom sanitize function that does it all in one go... and also saves you from typing mysql_real_escape_string every time >_<

 

This one will sanitize arrays of unlimited depth, and add single quotes for mysql use.

 

<?php
function sanitize ( $input, $quote = FALSE ) {

	# Parse array
	if ( is_array($input) ) {

		foreach ($input as $key => $var)
			$input[$key] = sanitize( $var, $quote );

	# Parse string
	} else {

		# Check if magic_quotes_gpc already escaped the value
		if (get_magic_quotes_gpc())
			# Remove the automatic escaping so the value is escaped only once below
			$input = stripslashes($input);

		# Escape for MySQL and optionally wrap in single quotes for direct use in a query
		$input =
			( $quote ? '\'' : '' ) .
			mysql_real_escape_string($input) .
			( $quote ? '\'' : '' );

	}

	# Return sanitized string (or array of sanitized strings)
	return $input;

}
?>
