
Magic Quotes Question


graham23s


Hi Guys,

 

By default magic quotes is turned off on my server, but I have given a few copies of scripts out and the guys are saying that on insertion the script is adding slashes, so I assume that magic quotes is on on their servers. My question is: what would be the best thing for me to do to make it work on both types of servers?

 

Thanks for any info, guys.

 

Graham


Like so:

<?php
if (!get_magic_quotes_gpc()) {
    $lastname = mysql_real_escape_string($_POST['lastname']);
} else {
    $lastname = $_POST['lastname'];
}

$sql = mysql_query("INSERT INTO lastnames (lastname) VALUES ('$lastname')");
?>

 

Absolutely do not do this. If magic quotes are enabled, you will be feeding unsanitized (except for the magic quotes escaping) user input into your query! As in the example link provided by mjdamato, check if magic quotes is enabled and undo what it has done; then, regardless of the magic quotes setting, escape the input when adding it into the queries.


Like so:

<?php
if (!get_magic_quotes_gpc()) {
    $lastname = mysql_real_escape_string($_POST['lastname']);
} else {
    $lastname = $_POST['lastname'];
}

$sql = mysql_query("INSERT INTO lastnames (lastname) VALUES ('$lastname')");
?>

 

Absolutely do not do this. If magic quotes are enabled, you will be feeding unsanitized (except for the magic quotes escaping) user input into your query! As in the example link provided by mjdamato, check if magic quotes is enabled and undo what it has done; then, regardless of the magic quotes setting, escape the input when adding it into the queries.

 

That was right from php.net


That was right from php.net

 

Care to provide a link? Here is just one direct quote from php.net regarding magic quotes:

 

Why not to use Magic Quotes

 

Warning

This feature has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.

http://www.php.net/manual/en/security.magicquotes.whynot.php

http://php.net/manual/en/security.magicquotes.disabling.php


There is an example like this on http://pl.php.net/manual/en/function.get-magic-quotes-gpc.php and there's no mention about magic quotes being deprecated there.

 

Probably should be, but if you click on any of the three links in the description for that function the first thing you will see is the same messages I posted above.

 

Description

int get_magic_quotes_gpc ( void )

Returns the current configuration setting of magic_quotes_gpc

 

Keep in mind that attempting to set magic_quotes_gpc at runtime will not work.

 

For more information about magic_quotes, see this security section.


That was right from php.net

 

Except you changed from using addslashes to mysql_real_escape_string, thus spoiling the whole purpose of that if/else block. Admittedly, using a SQL query like that was a bad choice and the manual example should be updated to reflect that (along with a big, red "don't use magic quotes, they're deprecated" warning). Today's practice is to remove the added slashes if magic quotes are enabled and deal with escaping values for SQL queries, or output to the page, as appropriate.


<?php
// Recursively undo magic_quotes_gpc; a plain array_map('stripslashes', ...)
// breaks on nested arrays such as a field named items[].
function stripslashes_deep($value)
{
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}

if (get_magic_quotes_gpc()) {
    $_GET    = stripslashes_deep($_GET);
    $_POST   = stripslashes_deep($_POST);
    $_COOKIE = stripslashes_deep($_COOKIE);
}
?>

 

That's what I use =)

 

Oh, and after this just run mysqli_real_escape_string on whatever thing you need.

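One way to make a script behave the same on both kinds of server, added here as an example rather than code from the thread or from php.net: undo magic quotes once at the top of the request, then quote at the point of use. It uses a prepared statement in place of mysqli_real_escape_string(), and assumes a mysqli connection $db and the lastnames table from the quoted snippet; the walk-through at the bottom uses addslashes() as a stand-in for the database escaping function so it runs without a server.

```php
<?php
// Added example, not code from the thread. Assumes a mysqli connection $db and
// a table lastnames(lastname) as in the quoted php.net snippet.

// Recursively undo magic_quotes_gpc on strings and nested arrays.
function stripslashes_deep($value)
{
    return is_array($value)
        ? array_map('stripslashes_deep', $value)
        : stripslashes((string) $value);
}

// Step 1: normalize the superglobals once, so the rest of the script sees raw
// values no matter how the server is configured. get_magic_quotes_gpc() was
// removed in PHP 8, hence the function_exists() guard.
function normalize_request_input()
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $_GET    = stripslashes_deep($_GET);
        $_POST   = stripslashes_deep($_POST);
        $_COOKIE = stripslashes_deep($_COOKIE);
    }
}

// Step 2: quote at the sink. A prepared statement replaces
// mysqli_real_escape_string(): the driver quotes the bound value exactly once.
function insert_lastname(mysqli $db, $lastname)
{
    $stmt = $db->prepare('INSERT INTO lastnames (lastname) VALUES (?)');
    $stmt->bind_param('s', $lastname);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Constructed walk-through of the symptom reported in the thread (no DB needed).
// addslashes() stands in for magic_quotes_gpc and for the DB escaping function.
// On a magic-quotes server the script receives "O\'Brien"; escaping that again
// stores a literal backslash, while normalizing first yields the original value.
$raw         = "O'Brien";
$magicQuoted = addslashes($raw);                // what magic_quotes_gpc hands you: O\'Brien
$doubleDone  = addslashes($magicQuoted);        // escaped twice: the row ends up containing O\'Brien
$normalized  = stripslashes_deep($magicQuoted); // undo first: O'Brien, ready for step 2
var_dump($doubleDone === addslashes($raw));      // bool(false): the extra slash the OP's users saw
var_dump($normalized === $raw);                  // bool(true)
```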

Care to provide a link? Here is just one direct quote from php.net regarding magic quotes:

 

http://us3.php.net/get_magic_quotes_gpc

 

I've changed that example now: http://svn.php.net/viewvc?view=revision&revision=298138

 

Similarly, a deprecation note was added yesterday by salathe: http://svn.php.net/viewvc?view=revision&revision=298127

 

People will have to live with the poor example until next Friday when the mirrors sync with the manual.


I've changed that example now: http://svn.php.net/viewvc?view=revision&revision=298138

 

Similarly, a deprecation note was added yesterday by salathe: http://svn.php.net/viewvc?view=revision&revision=298127

 

People will have to live with the poor example until next Friday when the mirrors sync with the manual.

Freaks to the rescue!
