Jump to content

Recommended Posts

Hi Guys,

 

By default magic quotes is turned off on my server, but i have given a few copies of scripts out and the guys are saying that on insertion the script is adding slashes so i assume that magic quaotes is on on their servers, my question is what would be the best thing for me to do to make it work on both types of servers?

 

thanks for any info guys

 

Graham

Link to comment
https://forums.phpfreaks.com/topic/198415-magic-quotes-question/
Share on other sites

Like so:

<?php
if (!get_magic_quotes_gpc()) {
    $lastname = mysql_real_escape_string($_POST['lastname']);
} else {
    $lastname = $_POST['lastname'];
}

$sql = mysql_query("INSERT INTO lastnames (lastname) VALUES ('$lastname')");
?>

 

Absolutely do not do this. If magic quotes are enabled, you will be feeding unsanitized (except for the magic quotes escaping) user input into your query! As in the example link provided by mjdamato, check if magic quotes is enabled and undo what it has done then regardless of the magic quote setting, escape the input when adding it into the queries.

Like so:

<?php
if (!get_magic_quotes_gpc()) {
    $lastname = mysql_real_escape_string($_POST['lastname']);
} else {
    $lastname = $_POST['lastname'];
}

$sql = mysql_query("INSERT INTO lastnames (lastname) VALUES ('$lastname')");
?>

 

Absolutely do not do this. If magic quotes are enabled, you will be feeding unsanitized (except for the magic quotes escaping) user input into your query! As in the example link provided by mjdamato, check if magic quotes is enabled and undo what it has done then regardless of the magic quote setting, escape the input when adding it into the queries.

 

That was right from php.net

That was right from php.net

 

Care to provide a link. Here is just one direct quote from php.net regarding magic quotes:

 

Why not to use Magic Quotes

 

Warning

This feature has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.

http://www.php.net/manual/en/security.magicquotes.whynot.php

http://php.net/manual/en/security.magicquotes.disabling.php

There is an example like this on http://pl.php.net/manual/en/function.get-magic-quotes-gpc.php and there's no mention about magic quotes being depreceted there.

 

Probably should be, but if you click on any of the three links in the description for that function the first thing you will see is the same messages I posted above.

 

Description

int get_magic_quotes_gpc ( void )

Returns the current configuration setting of magic_quotes_gpc

 

Keep in mind that attempting to set magic_quotes_gpc at runtime will not work.

 

For more information about magic_quotes, see this security section.

That was right from php.net

 

Except you changed from using addslashes to mysql_real_escape_string, thus spoiling the whole purpose of that if/else block. Admittedly, using a SQL query like that was a bad choice and the manual example should be updated to reflect that (along with a big, red don't use magic quotes, they're deprecated warning). Today's practice is to remove the added slashes if magic quotes are enabled and deal with escaping values for SQL queries, or output to the page, as appropriate.

<?php
if (get_magic_quotes_gpc()) 
{$_GET = array_map('stripslashes', $_GET);
  $_POST = array_map('stripslashes', $_POST);
  $_COOKIE = array_map('stripslashes', $_COOKIE);
} 
?>

 

Thats what I use =)

 

Oh and after this just run mysqli_real_escape_string on what ever thing you need.

Care to provide a link. Here is just one direct quote from php.net regarding magic quotes:

 

http://us3.php.net/get_magic_quotes_gpc

I already responded to that page. As stated, every single one of the links in the description show a warning that magic quotes should not be used.

Care to provide a link. Here is just one direct quote from php.net regarding magic quotes:

 

http://us3.php.net/get_magic_quotes_gpc

 

I've changed that example now: http://svn.php.net/viewvc?view=revision&revision=298138

 

Similarly, a deprecation note was added yesterday by salathe: http://svn.php.net/viewvc?view=revision&revision=298127

 

People will have to live with the poor example until next Friday when the mirrors sync with the manual.

I've changed that example now: http://svn.php.net/viewvc?view=revision&revision=298138

 

Similarly, a deprecation note was added yesterday by salathe: http://svn.php.net/viewvc?view=revision&revision=298127

 

People will have to live with the poor example until next Friday when the mirrors sync with the manual.

Freaks to the rescue!

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.