Magic Quotes and mysql_real_escape_string questions.


BMR777

Recommended Posts

Hello,

 

I'm writing a script and I have a function called secure to secure any incoming data that will be placed into the database:

 

//This function performs security checks on all incoming form data.
//Note: mysql_real_escape_string() needs an open mysql_connect() link,
//because escaping depends on the connection's character set.
function secure($data){

    //MySQL Real Escape String (escape quotes, backslashes, NUL, etc. for the SQL query)
    $data = mysql_real_escape_string($data);

    //Strip HTML tags (second argument '' means no tags are allowed to remain)
    $data = strip_tags($data, '');

    return $data;

}

 

I've also done some digging and found that there is a setting called magic quotes which can mess with data input.  On my host for PHP info I have:

 

magic_quotes_gpc On

magic_quotes_runtime Off

magic_quotes_sybase Off

 

First question is, does this mean that magic quotes is on or off on the server I am using, that is will the data I am working with be affected by magic quotes?

 

Secondly, are there any changes I need to make to my secure() function to deal with servers that have magic quotes enabled?

 

Looking on my database the data entered such as ' is being escaped such as \' and I wanted to make sure that my secure() function is working and this is not just a result of the magic quotes.

 

Thanks,

Brandon

If this is to secure it before insertion into a db then remove strip tags, then it is done.

 

If it is to secure before printing on the page then remove mysql_real_escape_string, and change strip_tags($data,"") to htmlentities($data);

 

And yes magic quotes can affect the input by adding slashes to it (on quotation marks), but it can be disabled.

Google php manual magic quotes

http://uk2.php.net/manual/en/security.magicquotes.disabling.php


This sends it to a database which will then have the info pulled onto a page.  From a security standpoint, is there any risk to leaving strip_tags in there?  Also, looking at htmlentities it looks like it converts html to something else.  For my script I do not want ANY html to show, even when the data is passed back to the page, so would strip tags be better in that case?

There is not a security issue with strip_tags but htmlentities will be quicker (i think).

 

Htmlentities converts any tags into html special chars, e.g. a space might become &nsbp; (or something :s)

 

Well, with htmlentities if a user inserted html into a form, what would appear on the site, the HTML or the conversion such as &nsbp would appear instead of a space?
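The following is an added example, not code from any poster in this thread, showing how the two questions above are usually handled in practice: undo magic_quotes_gpc first so the data looks the same on every host, escape for the database only at the point of the query (or better, bind it in a prepared statement), and escape for HTML only when printing. The mysqli connection details, the table `comments` with a text column `body`, and the sample input are assumptions made for the example.

```php
<?php
// Added example, not from the thread. Assumes a mysqli connection and a
// table `comments` with a text column `body` (both assumptions).

// Step 1: undo magic_quotes_gpc. With magic_quotes_gpc On, PHP has already
// turned ' into \' in $_GET/$_POST/$_COOKIE; escaping that again would store
// \\' in the database, which is what the original poster saw.
function undo_magic_quotes($value) {
    // function_exists() guard: get_magic_quotes_gpc() was removed in PHP 8.
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return $value;
    }
    return is_array($value)
        ? array_map('undo_magic_quotes', $value)
        : stripslashes($value);
}

// Step 2a: escape for MySQL, once, right before building the query.
// mysqli_real_escape_string needs the open link because the escaping
// depends on the connection's character set.
function escape_for_mysql(mysqli $link, $value) {
    return mysqli_real_escape_string($link, undo_magic_quotes($value));
}

// Step 2b: better still, a prepared statement. The value is sent separately
// from the SQL text, so no quote in it can change the query's structure.
function insert_comment(mysqli $link, $body) {
    $stmt = $link->prepare('INSERT INTO comments (body) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $clean = undo_magic_quotes($body);
    $stmt->bind_param('s', $clean);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Step 3: escape for HTML only when printing. Store the raw text in the
// database; encode it on output so the browser shows tags as literal text
// instead of rendering them.
function escape_for_html($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: what a user might type into the form.
$raw = "O'Reilly <b>bold</b>";

// Simulate what magic_quotes_gpc does to $_POST on a host where it is On,
// so the demo behaves the same whether or not this PHP still has it.
$as_received = (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
    ? addslashes($raw)
    : $raw;

// After undo_magic_quotes() the value is back to exactly what was typed.
var_dump(undo_magic_quotes($as_received) === $raw); // bool(true)

// Assumed connection details for the example.
$link = @new mysqli('localhost', 'user', 'pass', 'db');
if (!$link->connect_error) {
    // For a hand-built query: escape once, here, and nowhere else.
    $sql = "INSERT INTO comments (body) VALUES ('"
         . escape_for_mysql($link, $as_received) . "')";
    // Or, preferably, let the driver do it:
    insert_comment($link, $as_received);
    $link->close();
}

// On output the tags are encoded, so the page shows the literal text
// O'Reilly <b>bold</b> rather than bold text.
echo escape_for_html($raw), "\n";
// O&#039;Reilly &lt;b&gt;bold&lt;/b&gt;
```

This answers the last question directly: the browser decodes `&lt;b&gt;` back to the characters `<b>` and displays them as text, so the visitor sees the HTML the user typed, not its effect. If the goal is that no tag text appears at all, strip_tags() on the way in plus htmlspecialchars() on the way out does both. The two escaping steps are kept separate because they defend against different things: the SQL escaping (or prepared statement) protects the query, the HTML escaping protects the page, and applying either one in the wrong place is what produces doubled backslashes or visible entities.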

 

 
