Jump to content

How is SQL injection possible with magic quotes on?!


Recommended Posts

As above,

How is SQL injection possible with magic quotes on?

 

Thanks in advance.

 

Useful for beginners  Magic quotes are implemented in PHP to help code written by beginners from being dangerous. Although SQL Injection is still possible with magic quotes on, the risk is reduced.

http://us3.php.net/manual/en/security.magicquotes.why.php

magic quotes do not escape all possible scenarios for SQL injection.

 

It is best practice to use that if magic_quotes are on either turn them off or stripslashes on the data then use mysql_real_escape_string on the data for database entry.

 

This will ensure anything harmful to mysql will be escaped to prevent SQL injection. That and the fact addslashes is said to be depreciated in PHP6.

 

EDIT:

A side note, this is the function I use:

 

function myEscape($string) {
     return (get_magic_quotes_gpc())?mysql_real_escape_string(stripslashes($string)):mysql_real_escape_string($string);
}

 

Works great.

Yes, and it is actually preferred to do so.

 

http://us3.php.net/magic_quotes

 

magic_quotes is depreciated as of 5.3 as an fyi.

 

If you can use .htaccess add this to it

 

php_flag magic_quotes_gpc Off

 

And if that does not work try this method

I have discovered that my host doesn't like either of the following directives in the .htaccess file:

 

php_flag magic_quotes_gpc Off

php_value magic_quotes_gpc Off

 

However, there is another way to disable this setting even if you don't have access to the server configuration - you can put a php.ini file in the directory where your scripts are with the directive:

 

magic_quotes_gpc = Off

 

However, these does not propogate unlike  .htaccess rules, so if you launch from a sub-directory, you need the php.ini file in each directory you have as script entry points.

However, there is another way to disable this setting even if you don't have access to the server configuration - you can put a php.ini file in the directory where your scripts are with the directive:

 

magic_quotes_gpc = Off

 

The above worked a treat! Thank you so much! :D

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.