
How is SQL injection possible with magic quotes on?!


razta


As above,

How is SQL injection possible with magic quotes on?

 

Thanks in advance.

 

Useful for beginners
Magic quotes are implemented in PHP to help code written by beginners from being dangerous. Although SQL Injection is still possible with magic quotes on, the risk is reduced.

http://us3.php.net/manual/en/security.magicquotes.why.php

Magic quotes do not escape all possible scenarios for SQL injection.

 

It is best practice, if magic_quotes are on, either to turn them off or to run stripslashes on the data, and then use mysql_real_escape_string on the data before database entry.

 

This will ensure anything harmful to MySQL will be escaped to prevent SQL injection. That, and the fact that addslashes is said to be deprecated in PHP 6.

 

EDIT:

A side note, this is the function I use:

 

function myEscape($string) {
    // If magic_quotes_gpc already ran addslashes() on the value, undo it first so the
    // value is not escaped twice, then escape once for MySQL.
    return get_magic_quotes_gpc()
        ? mysql_real_escape_string(stripslashes($string))
        : mysql_real_escape_string($string);
}

 

Works great.
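To make the point of this reply concrete, here is an added example that is not from the thread or from any poster. It re-implements PHP's addslashes() and stripslashes() in Python (a stand-in for magic_quotes_gpc, since the behaviour is the same), checks what a MySQL-style parser makes of the resulting string literals, and runs the numeric-context injection against an in-memory SQLite table named `users` (the table, rows and attack payloads are all constructed for the example). It shows the three things the reply states: a quoted value is protected by magic quotes, an unquoted numeric value is not, and the addslashes/stripslashes round trip that the posted myEscape() relies on. It also covers the multibyte (GBK) bypass, which is one more case magic quotes do not handle.

```python
import sqlite3


def addslashes(s):
    """Mimic PHP addslashes(): this is what magic_quotes_gpc applies to every
    GET, POST and COOKIE value before the script sees it."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def stripslashes(s):
    """Mimic PHP stripslashes(): undo addslashes() so a value is not escaped twice."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append("\0" if s[i + 1] == "0" else s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def mysql_string_literals(sql):
    """Return the bodies of the single-quoted literals in sql as a MySQL parser
    sees them (backslash escapes the next character, '' is a literal quote).
    A payload that broke out of its literal shows up as extra literals."""
    literals, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            i += 1
            continue
        i += 1
        body = []
        while i < n:
            c = sql[i]
            if c == "\\" and i + 1 < n:
                body.append(sql[i + 1])
                i += 2
            elif c == "'" and i + 1 < n and sql[i + 1] == "'":
                body.append("'")
                i += 2
            elif c == "'":
                break
            else:
                body.append(c)
                i += 1
        literals.append("".join(body))
        i += 1
    return literals


def name_query(raw_name, magic_quotes):
    """Quoted context: the value is interpolated inside single quotes."""
    value = addslashes(raw_name) if magic_quotes else raw_name
    return "SELECT id, name FROM users WHERE name = '%s'" % value


def setup_db():
    """Constructed sample table for the example (hypothetical schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(1, "alice"), (2, "bob"), (3, "carol")])
    return con


def lookup_by_id(con, raw_id, magic_quotes):
    """Numeric context: no quotes around the value, so the attacker needs no
    quote character and addslashes() has nothing to escape."""
    value = addslashes(raw_id) if magic_quotes else raw_id
    return con.execute("SELECT id, name FROM users WHERE id = %s" % value).fetchall()


def lookup_by_id_safe(con, raw_id):
    """Parameterised query: the value never becomes part of the SQL text."""
    return con.execute("SELECT id, name FROM users WHERE id = ?", (raw_id,)).fetchall()


def gbk_escaped_bytes(payload):
    """Multibyte bypass: apply addslashes() byte-wise (as PHP does) and return
    the bytes plus how a server using the GBK connection charset reads them.
    0xBF 0x5C is one GBK character, so the added backslash is swallowed."""
    escaped = addslashes(payload.decode("latin-1")).encode("latin-1")
    return escaped, escaped.decode("gbk")


if __name__ == "__main__":
    con = setup_db()
    print(mysql_string_literals(name_query("bob' OR '1'='1", True)))
    print(lookup_by_id(con, "1 OR 1=1", True))
    print(gbk_escaped_bytes(b"\xbf' OR 1=1 -- "))
```

The numeric case is the one that catches people: `id = 1 OR 1=1` contains no quote, so magic quotes (and addslashes or mysql_real_escape_string on their own) leave it untouched, and the only real fix is casting to int or binding the value as a parameter.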

Yes, and it is actually preferred to do so.

 

http://us3.php.net/magic_quotes

 

magic_quotes is deprecated as of 5.3, as an FYI.

 

If you can use .htaccess add this to it

 

php_flag magic_quotes_gpc Off

 

And if that does not work, try this method:

I have discovered that my host doesn't like either of the following directives in the .htaccess file:

 

php_flag magic_quotes_gpc Off

php_value magic_quotes_gpc Off

 

However, there is another way to disable this setting even if you don't have access to the server configuration - you can put a php.ini file in the directory where your scripts are with the directive:

 

magic_quotes_gpc = Off

 

However, this does not propagate, unlike .htaccess rules, so if you launch from a sub-directory you need the php.ini file in each directory you have as a script entry point.

The above worked a treat! Thank you so much! :D
