BMR777 - Posted January 17, 2009

Hello, I'm writing a script and I have a function called secure to secure any incoming data that will be placed into the database:

    //This function performs security checks on all incoming form data
    function secure($data){
        //MySQL Real Escape String
        $data = mysql_real_escape_string($data);
        //Strip HTML tags
        $data = strip_tags($data, '');
        return $data;
    }

I've also done some digging and found that there is a setting called magic quotes which can mess with data input. On my host for PHP info I have:

    magic_quotes_gpc      On
    magic_quotes_runtime  Off
    magic_quotes_sybase   Off

First question is, does this mean that magic quotes is on or off on the server I am using, that is, will the data I am working with be affected by magic quotes?

Secondly, are there any changes I need to make to my secure() function to deal with servers that have magic quotes enabled? Looking on my database, the data entered such as ' is being escaped such as \' and I wanted to make sure that my secure() function is working and this is not just a result of the magic quotes.

Thanks,
Brandon

https://forums.phpfreaks.com/topic/141241-magic-quotes-and-mysql_real_escape_string-questions/
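The following is an added example, not code from the thread. It shows the effect the question is asking about: magic_quotes_gpc is the setting that acts on $_GET, $_POST and $_COOKIE, so with it On the script already receives "O\'Reilly" and a second escaping step produces a double-escaped value. Because mysql_real_escape_string() needs a live connection (and was removed in PHP 7), addslashes() is used here as an offline stand-in for the escaping step; that substitution, and the mysqli link parameter, are assumptions of the example.

```php
<?php
// Added example (not the poster's code). Demonstrates magic_quotes_gpc
// double-escaping and a normalise-then-escape version of secure().

// True only on PHP < 8 with magic_quotes_gpc=On; on newer PHP the
// function no longer exists and magic quotes are simply gone.
function magic_quotes_active() {
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Undo the backslashes magic quotes added, so later code sees raw input.
function normalize_input($value) {
    if (is_array($value)) {
        return array_map('normalize_input', $value);
    }
    return magic_quotes_active() ? stripslashes($value) : $value;
}

// Escaping step for the database. With a real mysqli link this calls the
// proper driver function; without one it falls back to addslashes() purely
// so the example runs offline (assumption, not equivalent for all charsets).
function escape_for_sql($data, $link = null) {
    if ($link !== null) {
        return mysqli_real_escape_string($link, $data);
    }
    return addslashes($data);
}

// The poster's secure() reorganised: normalise, strip tags, then escape once.
function secure($data, $link = null) {
    $data = normalize_input($data);
    $data = strip_tags($data);
    return escape_for_sql($data, $link);
}

// Constructed input, as the script would see it under each configuration.
$raw              = "O'Reilly";
$seen_with_gpc_on = addslashes($raw);   // PHP already turned ' into \'

echo "gpc off, escaped once:        ", escape_for_sql($raw), "\n";
echo "gpc on, escaped again:        ", escape_for_sql($seen_with_gpc_on), "\n";
echo "gpc on, stripslashes first:   ", escape_for_sql(stripslashes($seen_with_gpc_on)), "\n";
echo "via secure() on raw input:    ", secure($raw), "\n";
```

The first and third lines print the same single-escaped value, which is what MySQL expects; the second line carries an extra pair of backslashes, and after MySQL removes one layer the stored value keeps a literal backslash. Seeing \' in the table, as the poster describes, is therefore consistent with either a single escaping step working correctly or with magic quotes plus a second step, and the only way to tell is to compare the stored value against the raw input as the block above does.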
DeanWhitehouse - Posted January 17, 2009

If this is to secure it before insertion into a db then remove strip tags, then it is done. If it is to secure before printing on the page then remove mysql_real_escape_string, and change strip_tags($data,"") to htmlentities($data);

And yes magic quotes can affect the input by adding slashes to it (on quotation marks), but it can be disabled. Google php manual magic quotes
http://uk2.php.net/manual/en/security.magicquotes.disabling.php
BMR777 (Author) - Posted January 17, 2009

> If this is to secure it before insertion into a db then remove strip tags, then it is done. If it is to secure before printing on the page then remove mysql_real_escape_string, and change strip_tags($data,"") to htmlentities($data);
> And yes magic quotes can affect the input by adding slashes to it (on quotation marks), but it can be disabled. Google php manual magic quotes

This sends it to a database which will then have the info pulled onto a page. From a security standpoint, is there any risk to leaving strip_tags in there?

Also, looking at htmlentities it looks like it converts html to something else. For my script I do not want ANY html to show, even when the data is passed back to the page, so would strip tags be better in that case?
DeanWhitehouse - Posted January 17, 2009

There is not a security issue with strip_tags but htmlentities will be quicker (I think). Htmlentities converts any tags into html special chars, e.g. a space might become &nsbp; (or something :s)
BMR777 (Author) - Posted January 17, 2009

> There is not a security issue with strip_tags but htmlentities will be quicker (I think). Htmlentities converts any tags into html special chars, e.g. a space might become &nsbp; (or something :s)

Well, with htmlentities, if a user inserted html into a form, what would appear on the site, the HTML or the conversion such as &nsbp would appear instead of a space?
DeanWhitehouse - Posted January 17, 2009

The conversion..
http://uk.php.net/htmlentities
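An added example, not from the thread, that covers the two points raised above: DeanWhitehouse's split between escaping for the database and escaping for the page, and Brandon's question about what a visitor actually sees after strip_tags() versus htmlentities(). The reviews table, its body column and the PDO handle are assumptions of the example; the prepared statement is used because it removes the need for a manual mysql_real_escape_string() call and is the supported route on PHP 7 and later.

```php
<?php
// Added example (not the thread's code). Context-specific escaping:
// SQL escaping on the way into the database, HTML escaping on the way out.

// Constructed input that is hostile in both contexts: a quote for SQL,
// tags and an ampersand for HTML.
$input = "Tom & Jerry's <b>bold</b> <script>alert(1)</script> review";

// --- Storing: the database layer handles quoting. ---
// Assumption: table reviews(body TEXT). With a prepared statement the
// value is sent separately from the SQL text, so no manual escaping,
// and no magic-quotes clean-up for that purpose, is needed here.
function store_review(PDO $db, $body) {
    $stmt = $db->prepare('INSERT INTO reviews (body) VALUES (:body)');
    $stmt->execute(array(':body' => $body));
}

// --- Displaying: three ways of preparing the stored text for HTML. ---

// Tags are converted to entities; the browser shows them as literal text.
function render_entities($text) {
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}

// Tags are removed but their contents stay; '&' and quotes are untouched,
// so the result is still not safe to echo into HTML by itself.
function render_stripped($text) {
    return strip_tags($text);
}

// Remove the tags, then encode what is left: nothing from the user is
// interpreted as markup, and no tag text is shown either.
function render_stripped_then_entities($text) {
    return htmlentities(strip_tags($text), ENT_QUOTES, 'UTF-8');
}

echo "htmlentities only:          ", render_entities($input), "\n";
echo "strip_tags only:            ", render_stripped($input), "\n";
echo "strip_tags then entities:   ", render_stripped_then_entities($input), "\n";
```

With htmlentities() the page shows the conversion as literal text, so a visitor reads the characters <b>bold</b> on screen rather than bold text, and the script element is displayed, not run. With strip_tags() alone the visible words are kept but the markup is gone, so the page shows "bold" and "alert(1)" as plain words; the bare ampersand and apostrophe are left as they were, which is why strip_tags() on its own is an input filter rather than an output encoder. The third function is the combination that matches the stated requirement of showing no HTML at all: the tags are dropped and everything remaining is encoded at print time. htmlspecialchars() with the same flags would do for the encoding step, since only the five HTML-significant characters need converting.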