Worried about turning magic quotes off.....


plastik77

Hi, I've recently started looking after a VPS which has about 7 or 8 sites on it. I have development work to do on some new sites but I've noticed that magic quotes are still on in php.ini. I want to turn them off but I'm worried about the impact it may have on the existing sites, most of which have some degree of content management by end users. From what I can see, mysql_real_escape_string has been used by the previous developer to escape data for entering into a db, then stripslashes(htmlspecialchars) has been used to display data retrieved from the db. I'm looking for advice as to whether I should just persist with magic quotes on to avoid breaking any sites, or whether there could be a lot of work involved on existing sites if I turn magic quotes off?

 

Grateful for any help!

https://forums.phpfreaks.com/topic/126893-worried-about-turning-magic-quotes-off/
The use of those two functions isn't dependent on magic quotes.  Stripslashes, in particular, isn't itself necessary to display data that has been escaped using mysql_real_escape_string.  A more pressing concern would be whether or not your apps use the superglobals (i.e., $_GET, $_POST, etc) to access request data, or if the previous developer relied on magic quotes to do the heavy lifting there.

 

If you want, you could make a test script to double-check how mysql_real_escape_string works.  I did the following:

// Assumes an open connection via mysql_connect()/mysql_select_db(), and a table
// mytable(id INT AUTO_INCREMENT PRIMARY KEY, string VARCHAR(255))
$string = "()'?--";
$string = mysql_real_escape_string($string);

// Store the escaped value, then read that same row back: the backslashes are
// consumed by MySQL's parser, so the stored value holds the original characters
$query = "INSERT INTO mytable (string) VALUES ('$string')";
mysql_query($query) or die(mysql_error());
$id = mysql_insert_id();
$result = mysql_query("SELECT string FROM mytable WHERE id = $id") or die(mysql_error());
$row = mysql_fetch_assoc($result);

echo "Escaped string as it looks before going into the db: $string<br />";
echo "Escaped string as it looks after being retrieved from the db: {$row['string']}";

 

You should notice that the single-quote/apostrophe is escaped in the first line of output, but not in the second.

Hi Nightslyr, thanks for the reply. I've done some more digging and it looks like the previous developer was using the following function to check for magic quotes:

if (get_magic_quotes_gpc()) {
   $_GET    = array_map('stripslashes', $_GET);
   $_POST  = array_map('stripslashes', $_POST);
   $_COOKIE = array_map('stripslashes', $_COOKIE);
}

Then using mysql_real_escape_string to escape input data for inserting in the database. I think this should actually make it safe for me to disable magic quotes now, providing the above check has been used consistently across all of the apps.

Yup, it should be okay, provided it's used consistently.

 

Regarding output, you'll probably still want to run what's retrieved from the database through both htmlentities and stripslashes.  This has more to do with security than with whether or not things will display properly.
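The three points raised in the thread (request data that has already been slashed by magic quotes, the get_magic_quotes_gpc() shim in the previous developer's code, and escaping on output) fit into one short script. This is an added example, not code from the thread or from the OP's sites. It uses addslashes() as a stand-in for what magic_quotes_gpc did to incoming data, so it runs without a database; the function names strip_magic_quotes_deep, normalise_request_input, stored_value_without_shim, stored_value_with_shim and render_html are assumptions for this illustration. It also goes one step beyond the posted snippet: the shim recurses into nested arrays, which array_map('stripslashes', $_POST) does not handle.

```php
<?php
// Added example, not from the thread. Shows (1) a magic-quotes shim that copes
// with nested request arrays, (2) what ends up in the database with and without
// the shim, and (3) output escaping. No DB needed: addslashes() stands in for
// what magic_quotes_gpc did to every request value.

// Recursively undo magic quotes. The thread's array_map('stripslashes', $_POST)
// hands nested arrays (e.g. <input name="tags[]">) to stripslashes(), which
// expects a string: a warning and NULL on PHP 5/7, a TypeError on PHP 8.
function strip_magic_quotes_deep($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Call once at the top of every request. get_magic_quotes_gpc() was deprecated
// in PHP 7.4 and removed in 8.0, so the call is guarded to keep the shim a
// harmless no-op on modern PHP.
function normalise_request_input()
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $_GET     = strip_magic_quotes_deep($_GET);
        $_POST    = strip_magic_quotes_deep($_POST);
        $_COOKIE  = strip_magic_quotes_deep($_COOKIE);
        $_REQUEST = strip_magic_quotes_deep($_REQUEST);
    }
}

// Whatever is passed to mysql_real_escape_string() is exactly what MySQL
// stores: the escaping is undone by the SQL parser. So the stored value equals
// the escaper's input, and we can model both code paths without a connection.

// Path A: magic quotes on, no shim. The value is slashed once by PHP and the
// backslash survives into the row.
function stored_value_without_shim($raw)
{
    $asSeenByScript = addslashes($raw);   // constructed: what $_POST held
    return $asSeenByScript;               // == what the row ends up holding
}

// Path B: magic quotes on, shim applied first. The row holds the original text,
// identical to what it will hold once magic quotes are switched off.
function stored_value_with_shim($raw)
{
    $asSeenByScript = addslashes($raw);   // constructed: what $_POST held
    return strip_magic_quotes_deep($asSeenByScript);
}

// Output escaping: encode both quote styles so the value is safe inside
// attribute values as well as element text. This is what protects the page;
// stripslashes() on output only papers over backslashes stored by path A.
function render_html($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input, the kind of content end users actually type.
$raw = "O'Reilly <b>\"quoted\"</b>";

normalise_request_input();

echo "Stored, magic quotes on, no shim : ", stored_value_without_shim($raw), "\n";
echo "Stored, shim applied             : ", stored_value_with_shim($raw), "\n";
echo "Stored, magic quotes off         : ", $raw, "\n";
echo "Rendered for HTML                : ", render_html($raw), "\n";

// Nested arrays go through the shim intact, one slash removed per string.
$nested = ['tags' => [addslashes("it's"), addslashes('C:\\path')]];
var_dump(strip_magic_quotes_deep($nested)['tags']);  // ["it's", "C:\path"]
```

Path A is the case to watch for when auditing the existing sites: any form handler that skips the shim has been writing a literal backslash before every quote into the database, and the stripslashes() on output has been hiding that. Once magic quotes are off, those handlers start storing clean text, while the same output stripslashes() will silently eat genuine backslashes users type. Moving the insert code to parameterised queries (mysqli or PDO prepared statements) removes the manual escape step altogether and makes the stored value independent of the php.ini setting.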

This topic is now archived and is closed to further replies.