Jump to content

[SOLVED] Magic quotes disabled - now problems :(


Recommended Posts

I've turned off magic quotes using my .htaccess file now whenever I add anything to the database nothing is quoted.

 

I've tried...

if (mysql_query("INSERT INTO `guestbook` (`name`,`from`,`email`,`message`,`website`,`ip`,`added`) VALUES ('".ncode($strName)."','".ncode($strFrom)."','".ncode($strEmail)."','".ncode($txtMessage)."','".ncode($txtWebMessage)."','".getIP()."','".time()."')")) {

and this...

if (mysql_query(sprintf("INSERT INTO `guestbook` (`name`,`from`,`email`,`message`,`website`,`ip`,`added`) VALUES ('%s','%s','%s','%s','%s','%s','%d')",ncode($strName),ncode($strFrom),ncode($strEmail),ncode($txtMessage),ncode($txtWebMessage),getIP(),time()))) {

 

My "ncode()" function is this:

  function ncode($str) {
    return mysql_real_escape_string($str);
  }

 

I've tested with "it's" and no matter what I do I can't get "it\s" added into the database.

 

Even before I switched them off in the .htaccess file it was doing this.

 

Any suggestions?

I think you're missing my point - I *want* everything escaped properly which is why I've turned off the blasted magic quotes evilness and trying to use the proper function to do it - problem is - it doesn't seem to be working.

 

The only time it gets escaped is when I echo stuff straight to the browser. Use it anywhere else it doesn't work.

 

...and I can't figure out why not!

May this function will help you

 

function quote_smart($value)

{

// Stripslashes

if (get_magic_quotes_gpc())

{

$value = stripslashes($value);

}

// Quote if not a number or a numeric string

if (!is_numeric($value))

{

$value = "'" . mysql_real_escape_string($value) . "'";

}

return $value;

}

When you turned off magic_quotes_gpc, it became necessary for your code to take over the responsibility of escaping the data, i.e. using the mysql_real_escape_string() function on string data.

 

The function that pbs posted will work no matter what your magic_quotes_gpc setting is and you should use something like his function because you won't always be on a server where you will have the ability to change the magic_quotes_gpc setting.

 

I tried it with it turned on - does exactly the same - no slashes added when I add it to the database.

The escape characters \ are not inserted into the database. When the query is executed, escaped characters are parsed and are converted to their literal un-escaped character. \' becomes ' in the database.

How can I get this working then?

 

Everything I'm trying is not working.

 

If I enter It\'s it goes in as It\'s.

 

Here's the sample output:

Straight from $_POST: It's
With my ncode() function: It\'s
With addslashes(): It\'s

Just had a thought...

 

Could this be working properly then - still protecting against MySQL injection even though the database is removing the slashes?

 

magic_quotes_gpc is definitely off and I've done this in my .htaccess file with:

php_flag register_globals off
php_flag magic_quotes_gpc off

 

Read the $_POST value:

$strName=$_POST['name'];

Save in the database:

if (mysql_query(sprintf("INSERT INTO `guestbook` (`name`,`from`,`email`,`message`,`website`,`ip`,`added`) VALUES ('%s','%s','%s','%s','%s','%s','%d')",ncode($strName),ncode($strFrom),ncode($strEmail),ncode($txtMessage),ncode($txtWebMessage),getIP(),time()))) {

Contents of ncode():

  function ncode($str) {
    return mysql_real_escape_string($str);
  }

Yep that should protect you. You are escaping the strings, I see no reason why that would not work.

 

The database removes the slashes because it only "Escapes" them. This is nice cause when you pull the data out of the database to display it, you do not have to stripslahes on that data. It is sort of like when you echo something onto the screen like this:

 

echo "Hello world \"quote\"";

 

That will display Hello World "quote" because the slashes are just escaping the character to prevent an error.

Thanks!

 

It was causing me a massive headache.

 

I remember reading that PHP 6 has removed the magic quotes thing because of the amount of problems it caused.

 

The issues it caused could have been easily avoided by using stripslashes then the mysql_real_escape function if magic quotes were on. But yes, it promoted bad coding and alot of people found it hard to understand exactly what was happening. And most people thought, like you, that slashes should be in the database escaping the data, when in actuality they shouldn't.

 

But it is a good to start coding for the future =) If, however, you are making a distribution script. I would make your function like this:

 

<?php
function myEscape($string) {
     return (get_magic_quotes_gpc())?mysql_real_escape_string(stripslashes($string)):mysql_real_escape_string($string);
}

 

That way it will not matter if it is on or not on their server, everything gets escaped properly.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.