
Hi, I've recently started looking after a VPS which has about 7 or 8 sites on it. I have development work to do on some new sites but I've noticed that magic quotes are still on in php.ini. I want to turn them off but I'm worried about the impact it may have on the existing sites, most of which have some degree of content management by end users. From what I can see, mysql_real_escape_string has been used by the previous developer to escape data for entering into a db, then stripslashes(htmlspecialchars) has been used to display data retrieved from the db. I'm looking for advice as to whether I should just persist with magic quotes on to avoid breaking any sites, or whether there could be a lot of work involved on existing sites if I turn magic quotes off?

 

Grateful for any help!

https://forums.phpfreaks.com/topic/126893-worried-about-turning-magic-quotes-off/


 

The use of those two functions isn't dependent on magic quotes.  Stripslashes, in particular, isn't itself necessary to display data that has been escaped using mysql_real_escape_string.  A more pressing concern would be whether or not your apps use the superglobals (i.e., $_GET, $_POST, etc.) to access request data, or if the previous developer relied on magic quotes to do the heavy lifting there.

 

If you want, you could make a test script to double-check how mysql_real_escape_string works.  I did the following:

$link = mysql_connect('localhost', 'user', 'pass');   // placeholder credentials
mysql_select_db('mydb', $link);

$string = "()'?--";
$string = mysql_real_escape_string($string, $link);

$query = "INSERT INTO mytable (string) VALUE ('$string')";
mysql_query($query, $link);   // an INSERT returns TRUE/FALSE, not a result resource

// Read the row back; mysql_fetch_assoc() needs the resource from a SELECT
$result = mysql_query("SELECT string FROM mytable WHERE string = '$string'", $link);
$row = mysql_fetch_assoc($result);

echo "Escaped string as it looks before going into the db: $string<br />";
echo "Escaped string as it looks after being retrieved from the db: {$row['string']}";

 

You should notice that the single-quote/apostrophe is escaped in the first line of output, but not in the second.

Hi Nightslyr, thanks for the reply. I've done some more digging and it looks like the previous developer was using the following function to check for magic quotes:

// Undo magic_quotes_gpc once, up front, so data reaches mysql_real_escape_string unescaped.
// Note: array_map('stripslashes', ...) only handles one level; nested input such as
// $_POST['tags'][] is handed to stripslashes() as an array, which warns and yields NULL.
if (get_magic_quotes_gpc()) {
   $_GET    = array_map('stripslashes', $_GET);
   $_POST   = array_map('stripslashes', $_POST);
   $_COOKIE = array_map('stripslashes', $_COOKIE);
}

Then using mysql_real_escape_string to escape input data for inserting in the database. I think this should actually make it safe for me to disable magic quotes now, providing the above check has been used consistently across all of the apps.
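One way to check that condition across every site on the VPS before flipping the php.ini setting, as an added example that is not code from the original posts: a small PHP CLI script that walks one directory per site (the web root path and the one-subdirectory-per-site layout are assumptions) and reports whether the get_magic_quotes_gpc() strip block appears anywhere in that site and how many lines interpolate a request superglobal straight into a SQL statement. The second figure is a heuristic: it misses values copied into a variable first and will flag lines that are in fact escaped, so treat hits as places to read, not as proven holes.

```php
<?php
// Added audit script for this thread (not the previous developer's code).
// Usage: php audit_magic_quotes.php /var/www   (web root is an assumption)

// Collect every *.php file under $dir, recursing into subdirectories.
function php_files($dir)
{
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    $files = array();
    foreach ($it as $file) {
        if (strtolower($file->getExtension()) === 'php') {
            $files[] = $file->getPathname();
        }
    }
    return $files;
}

// Scan one site. Returns whether any file references get_magic_quotes_gpc()
// and the file:line of every line that mentions a request superglobal and a
// SQL verb together, i.e. request data interpolated directly into a query.
function audit_site($dir)
{
    $result = array('strips_magic_quotes' => false, 'raw_sql_lines' => array());
    foreach (php_files($dir) as $path) {
        foreach (file($path) as $n => $line) {
            if (strpos($line, 'get_magic_quotes_gpc') !== false) {
                $result['strips_magic_quotes'] = true;
            }
            if (preg_match('/\$_(GET|POST|COOKIE|REQUEST)\[/', $line)
                && preg_match('/\b(SELECT|INSERT|UPDATE|DELETE)\b/i', $line)) {
                $result['raw_sql_lines'][] = $path . ':' . ($n + 1);
            }
        }
    }
    return $result;
}

$webroot = isset($argv[1]) ? $argv[1] : '/var/www';   // assumption: one subdirectory per site
foreach (glob($webroot . '/*', GLOB_ONLYDIR) as $site) {
    $r = audit_site($site);
    printf("%-30s strip block: %-3s  raw SQL lines: %d\n",
        basename($site),
        $r['strips_magic_quotes'] ? 'yes' : 'no',
        count($r['raw_sql_lines']));
    foreach ($r['raw_sql_lines'] as $hit) {
        echo "    ", $hit, "\n";
    }
}
```

A site that reports "strip block: no" but still escapes with mysql_real_escape_string is the one to worry about: with magic quotes on it has been storing double-escaped data, and with magic quotes off its behaviour changes. A site that reports "no" and also has raw SQL lines has been relying on magic quotes for SQL injection protection and must be fixed before the setting is turned off, since it cannot stay switched on forever. Under mod_php the setting can be turned off one site at a time with `php_flag magic_quotes_gpc Off` in that site's .htaccess or vhost, which lets you migrate the audited sites first.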


 

Yup, it should be okay, provided it's used consistently.

 

Regarding output, you'll probably still want to run what's retrieved from the database through both htmlentities and stripslashes.  This has more to do with security than with whether or not things will display properly.
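The three steps the thread converges on (strip magic quotes once on input, escape once at the query boundary with mysql_real_escape_string, escape for HTML on output), together with a simulation of what actually ends up in the table under each magic-quotes configuration, as an added example that is not code from the original posts. The simulation uses addslashes() as a stand-in for the magic_quotes_gpc transformation (which PHP defines as addslashes applied to GET, POST and cookie data) and, since no database link is then needed, also as a stand-in for mysql_real_escape_string(); for the plain ASCII quotes and backslashes used here both produce the same bytes. $link in db_quote() is assumed to come from mysql_connect(). The last two lines show why stripslashes() at display time is a workaround rather than a fix: it only hides rows that were double-escaped by the "magic on, no strip" path, and it eats legitimate backslashes (a Windows path, a regex) out of clean rows.

```php
<?php
// Added example for this thread, not the previous developer's code.
// Runs from the command line with no database: db_quote() is defined but not called.

// 1. Normalise request data: undo magic quotes, recursing into nested arrays
//    (array_map('stripslashes', $_POST) on its own cannot handle $_POST['tags'][]).
function strip_magic_quotes($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes', $value)
        : stripslashes($value);
}

function normalize_request()
{
    // function_exists() keeps this runnable on PHP versions that removed the function.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET     = strip_magic_quotes($_GET);
        $_POST    = strip_magic_quotes($_POST);
        $_COOKIE  = strip_magic_quotes($_COOKIE);
        $_REQUEST = strip_magic_quotes($_REQUEST);
    }
}

// 2. Escape exactly once, at the query boundary, with the live connection so the
//    connection charset is honoured. $link is assumed to come from mysql_connect().
function db_quote($value, $link)
{
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

// 3. Escape for HTML only. No stripslashes() here: the table already holds the
//    unescaped text, so stripping would destroy legitimate backslashes.
function html_out($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Simulate the value that lands in the table for one configuration.
// addslashes() stands in for magic_quotes_gpc and for mysql_real_escape_string();
// stripslashes() stands in for MySQL removing one level of escaping on INSERT.
function simulate_stored($raw, $magic_on, $strips_magic)
{
    $in = $magic_on ? addslashes($raw) : $raw;   // what PHP hands the script
    if ($magic_on && $strips_magic) {
        $in = stripslashes($in);                 // the get_magic_quotes_gpc() block
    }
    $escaped = addslashes($in);                  // escaping at the query boundary
    return stripslashes($escaped);               // what MySQL stores
}

normalize_request();

$raw   = "O'Reilly";   // constructed sample input
$cases = array(
    'magic on, no strip' => simulate_stored($raw, true,  false),
    'magic on, stripped' => simulate_stored($raw, true,  true),
    'magic off'          => simulate_stored($raw, false, false),
);
foreach ($cases as $case => $stored) {
    printf("%-20s stored as %-12s %s\n",
        $case, $stored, $stored === $raw ? 'ok' : 'DOUBLE-ESCAPED');
}

// Why stripslashes() on output is the wrong fix: clean data with backslashes is mangled.
$path = 'C:\temp\new';   // single quotes: \t and \n are literal backslash sequences in PHP
echo html_out($path), "\n";
echo stripslashes(html_out($path)), "\n";
```

Run it with php on the command line. If an existing site's tables contain values that already carry a backslash before each quote, that site was escaping without stripping magic quotes first; those rows want a one-off cleanup (stripslashes once, in a migration) rather than stripslashes() on every page render, otherwise the display code keeps corrupting rows that were stored correctly after the setting is turned off.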
