cs.punk Posted April 16, 2009

>:( Grr, when I started out with PHP I got myself a copy of XAMPP... Then as I started learning PHP I was told about "magic_quotes"... I never liked the idea, so to see if it was on, I inserted some data from a $_POST variable into my MySQL database, AND it was not escaped... Now I figured out that magic_quotes is indeed on... And only when you echo/print out your $_POST variable will it be escaped... WHY? Was that not the main point of magic_quotes in the first place? Take the following code for example:

<?php
session_start(); // needed before $_SESSION is read (assumed to sit at the top of the page)
if (isset($_SESSION['user'])) {
    echo "<p align=\"center\" class=\"paragraph\">You are already logged in. Do you maybe want to log out? If so <a href=\"logout.php\">click here.</a></p>";
} else {
    if (isset($_POST['username'], $_POST['password'], $_POST['email'])) {
        // Establish MySQL connection ($dbhost, $dbuser, $dbpass, $dbname are defined elsewhere, e.g. a config include)
        $con = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname)
            or die("Couldn't connect to server");
        $username = mysqli_real_escape_string($con, strip_tags(trim($_POST['username'])));
        $username = strtolower($username); // change username to lowercase
        $password = mysqli_real_escape_string($con, strip_tags(trim($_POST['password'])));
        $password = md5($password); // hash password with md5 (as posted; md5 is unsalted and fast, so not suited to password storage)
        $email = mysqli_real_escape_string($con, strip_tags(trim($_POST['email'])));
        $sql = "INSERT INTO users (username, password, email, rank) VALUES ('$username', '$password', '$email', '4')";
        // mysqli_error($con), not mysql_error(): the connection is a mysqli one
        $e_sql = mysqli_query($con, $sql)
            or die("Could not execute \"INSERT INTO users (...)\" query. " . mysqli_error($con));
        echo "Congratulations you have successfully registered $username you can now login!";
    } else {
        echo "<form id=\"form1\" name=\"form1\" method=\"post\" action=\"register.php\">
            <p class=\"smallheading\">
            Username: <input type=\"text\" name=\"username\" maxlength=\"16\"/> *A maximum of 16 characters <br />
            Password: <input type=\"password\" name=\"password\" maxlength=\"16\"/> *A maximum of 16 characters <br />
            Email: <input type=\"text\" name=\"email\" maxlength=\"64\"/> *A maximum of 64 characters <br/>
            Please note, that messages sent from the 'reply to ad' form will be sent to this email! You can change it later on though. <br /> <br />
            <input name=\"button\" type=\"submit\" value=\"Submit\"/>
            </p></form>";
    }
}
?>

With magic quotes ON: If I insert a (" or ') into the username form, it echoes out (///" ///').. But in the database there's only one /.... With magic_quotes OFF: If I insert a (" or ') into the username form, it echoes out (/" /').. But in the database there's no escaping done at all... It feels like I have missed a whole chapter of something? Anyone care to help/explain?...
Mchl Posted April 16, 2009

You won't see the slashes in the database when escaping is done properly. MySQL sees them when it processes the query, so special characters do not break the query, but they are removed from the actual data that is inserted into the database. Do not use magic_quotes.
jackpf Posted April 16, 2009

You know, you can turn off magic quotes in htaccess. Only with apache though obv.
cs.punk Posted April 19, 2009 (Author)

Thanks hey! LoL and yes I know! But if your site is hosted by a third party you can't... I think..
.josh Posted April 19, 2009

You could use get_magic_quotes_gpc to find out whether it's being used or not, and write your code accordingly...
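Putting the thread's advice together, as an added example that is not code from any post here: undo magic_quotes_gpc once, only when the runtime actually applied it, then insert with a mysqli prepared statement so the value is escaped exactly once and no backslash lands in the table. It assumes $dbhost, $dbuser, $dbpass and $dbname come from a config include, and uses constructed sample values when no form data is posted.

```php
<?php
// Added example (not code from the thread): strip magic-quote slashes once, if the
// runtime added them, then let a prepared statement do the quoting.

// Recursively undo magic_quotes_gpc. Only called when the setting is actually on,
// so data is never stripped twice and never left double-escaped.
function strip_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// get_magic_quotes_gpc() always returns false from PHP 5.4 and was removed in
// PHP 8.0, so guard with function_exists() to keep the page working on either.
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_POST   = strip_magic_quotes($_POST);
    $_GET    = strip_magic_quotes($_GET);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Constructed sample values, used when no form data was posted, so the script
// can be run from the command line. A quote in the username is the case the OP tested.
$username = isset($_POST['username']) ? $_POST['username'] : "O'Brien";
$password = isset($_POST['password']) ? $_POST['password'] : 'p"ass';
$email    = isset($_POST['email'])    ? $_POST['email']    : 'obrien@example.com';

$username = strtolower(trim($username));
$email    = trim($email);
// password_hash() (PHP 5.5+) salts and slows the hash; md5() does neither.
$hash     = password_hash($password, PASSWORD_DEFAULT);

// Assumption: $dbhost, $dbuser, $dbpass and $dbname are set in a config include.
$con = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname)
    or die("Couldn't connect to server");

// Placeholders are sent to MySQL separately from the SQL text: the quote in
// O'Brien cannot terminate the literal, and no backslash ends up in the row.
$stmt = mysqli_prepare($con,
    "INSERT INTO users (username, password, email, rank) VALUES (?, ?, ?, 4)")
    or die('Could not prepare INSERT: ' . mysqli_error($con));
mysqli_stmt_bind_param($stmt, 'sss', $username, $hash, $email);
mysqli_stmt_execute($stmt)
    or die('Could not execute INSERT: ' . mysqli_stmt_error($stmt));

// Output is escaped for HTML, so the same quote cannot break the page either.
echo 'Congratulations, you have registered '
    . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '!';
```

With this in place, mysqli_real_escape_string() is no longer needed on the values, which is what removes the single-versus-double slash confusion from the first post.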
Rithiur Posted April 19, 2009

> Thanks hey! LoL and yes I know! But if your site is hosted by a third party you can't... I think..

If the .htaccess files are enabled on the host, you can disable the magic quotes using the .htaccess file by inserting the following line into the file:

php_value magic_quotes_gpc 0

If you're interested, I've written a somewhat comprehensive article about the escaping issue at my blog: http://serversided.blogspot.com/2009/04/user-input-and-mysql-queries.html
jackpf Posted April 19, 2009

Yeah, that's what I use. Beautiful.
thebadbad Posted April 19, 2009

Not that I'm sure it matters much, but the manual specifically says that php_flag should be used instead of php_value when setting boolean values. So:

php_flag magic_quotes_gpc off