graham23s Posted April 13, 2010 Share Posted April 13, 2010 Hi Guys, By default magic quotes is turned off on my server, but i have given a few copies of scripts out and the guys are saying that on insertion the script is adding slashes so i assume that magic quaotes is on on their servers, my question is what would be the best thing for me to do to make it work on both types of servers? thanks for any info guys Graham Quote Link to comment https://forums.phpfreaks.com/topic/198415-magic-quotes-question/ Share on other sites More sharing options...
otuatail Posted April 13, 2010 Share Posted April 13, 2010 you can test to see if magic quotes are enabled and take action depending on the result. if(get_magic_quotes_gpc()) echo "Magic quotes are enabled"; else echo "Magic quotes are disabled"; Quote Link to comment https://forums.phpfreaks.com/topic/198415-magic-quotes-question/#findComment-1041160 Share on other sites More sharing options...
Psycho Posted April 13, 2010 Share Posted April 13, 2010 See Example #2 in the manual to remove slashes if magic quotes is on at runtime: http://php.net/manual/en/security.magicquotes.disabling.php Quote Link to comment https://forums.phpfreaks.com/topic/198415-magic-quotes-question/#findComment-1041167 Share on other sites More sharing options...
The Little Guy Posted April 13, 2010 Share Posted April 13, 2010 Like so: <?php if (!get_magic_quotes_gpc()) { $lastname = mysql_real_escape_string($_POST['lastname']); } else { $lastname = $_POST['lastname']; } $sql = mysql_query("INSERT INTO lastnames (lastname) VALUES ('$lastname')"); ?> Quote Link to comment https://forums.phpfreaks.com/topic/198415-magic-quotes-question/#findComment-1041168 Share on other sites More sharing options...
graham23s Posted April 17, 2010 Author Share Posted April 17, 2010 Sorry for the late reply guys thanks a lot it put me in the right direction cheers Graham Quote Link to comment https://forums.phpfreaks.com/topic/198415-magic-quotes-question/#findComment-1043725 Share on other sites More sharing options...
salathe Posted April 17, 2010 Share Posted April 17, 2010 Like so: <?php if (!get_magic_quotes_gpc()) { $lastname = mysql_real_escape_string($_POST['lastname']); } else { $lastname = $_POST['lastname']; } $sql = mysql_query("INSERT INTO lastnames (lastname) VALUES ('$lastname')"); ?> Absolutely do not do this. If magic quotes are enabled, you will be feeding unsanitized (except for the magic quotes escaping) user input into your query! As in the example link provided by mjdamato, check if magic quotes is enabled and undo what it has done then regardless of the magic quote setting, escape the input when adding it into the queries. Quote Link to comment https://forums.phpfreaks.com/topic/198415-magic-quotes-question/#findComment-1043734 Share on other sites More sharing options...
The Little Guy Posted April 17, 2010 Share Posted April 17, 2010 Like so: <?php if (!get_magic_quotes_gpc()) { $lastname = mysql_real_escape_string($_POST['lastname']); } else { $lastname = $_POST['lastname']; } $sql = mysql_query("INSERT INTO lastnames (lastname) VALUES ('$lastname')"); ?> Absolutely do not do this. If magic quotes are enabled, you will be feeding unsanitized (except for the magic quotes escaping) user input into your query! As in the example link provided by mjdamato, check if magic quotes is enabled and undo what it has done then regardless of the magic quote setting, escape the input when adding it into the queries. That was right from php.net Quote Link to comment https://forums.phpfreaks.com/topic/198415-magic-quotes-question/#findComment-1043816 Share on other sites More sharing options...
PFMaBiSmAd Posted April 17, 2010 Share Posted April 17, 2010 That was right from php.net You mean from the same folks that thought that what magic_quotes did was a good idea? Quote Link to comment https://forums.phpfreaks.com/topic/198415-magic-quotes-question/#findComment-1043823 Share on other sites More sharing options...
Psycho Posted April 17, 2010 Share Posted April 17, 2010 That was right from php.net Care to provide a link. Here is just one direct quote from php.net regarding magic quotes: Why not to use Magic Quotes Warning This feature has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged. http://www.php.net/manual/en/security.magicquotes.whynot.php http://php.net/manual/en/security.magicquotes.disabling.php Quote Link to comment https://forums.phpfreaks.com/topic/198415-magic-quotes-question/#findComment-1043838 Share on other sites More sharing options...
Mchl Posted April 17, 2010 Share Posted April 17, 2010 There is an example like this on http://pl.php.net/manual/en/function.get-magic-quotes-gpc.php and there's no mention about magic quotes being depreceted there. Quote Link to comment https://forums.phpfreaks.com/topic/198415-magic-quotes-question/#findComment-1043844 Share on other sites More sharing options...
Psycho Posted April 17, 2010 Share Posted April 17, 2010 There is an example like this on http://pl.php.net/manual/en/function.get-magic-quotes-gpc.php and there's no mention about magic quotes being depreceted there. Probably should be, but if you click on any of the three links in the description for that function the first thing you will see is the same messages I posted above. Description int get_magic_quotes_gpc ( void ) Returns the current configuration setting of magic_quotes_gpc Keep in mind that attempting to set magic_quotes_gpc at runtime will not work. For more information about magic_quotes, see this security section. Quote Link to comment https://forums.phpfreaks.com/topic/198415-magic-quotes-question/#findComment-1043850 Share on other sites More sharing options...
salathe Posted April 17, 2010 Share Posted April 17, 2010 That was right from php.net Except you changed from using addslashes to mysql_real_escape_string, thus spoiling the whole purpose of that if/else block. Admittedly, using a SQL query like that was a bad choice and the manual example should be updated to reflect that (along with a big, red don't use magic quotes, they're deprecated warning). Today's practice is to remove the added slashes if magic quotes are enabled and deal with escaping values for SQL queries, or output to the page, as appropriate. Quote Link to comment https://forums.phpfreaks.com/topic/198415-magic-quotes-question/#findComment-1043879 Share on other sites More sharing options...
cs.punk Posted April 17, 2010 Share Posted April 17, 2010 <?php if (get_magic_quotes_gpc()) {$_GET = array_map('stripslashes', $_GET); $_POST = array_map('stripslashes', $_POST); $_COOKIE = array_map('stripslashes', $_COOKIE); } ?> Thats what I use =) Oh and after this just run mysqli_real_escape_string on what ever thing you need. Quote Link to comment https://forums.phpfreaks.com/topic/198415-magic-quotes-question/#findComment-1043892 Share on other sites More sharing options...
Psycho Posted April 17, 2010 Share Posted April 17, 2010 Thats what I use =) The only problem with that is if one of the array values is itself an array. The first link I provided has an example of how to handle multidimensional arrays. Quote Link to comment https://forums.phpfreaks.com/topic/198415-magic-quotes-question/#findComment-1043946 Share on other sites More sharing options...
oni-kun Posted April 17, 2010 Share Posted April 17, 2010 Heh, Maybe there should be a sticky on how to handle slashes from Magic Quotes, They're almost as bad as headers sent errors. A lot of people tend to not understand their modus operati. Quote Link to comment https://forums.phpfreaks.com/topic/198415-magic-quotes-question/#findComment-1043947 Share on other sites More sharing options...
The Little Guy Posted April 18, 2010 Share Posted April 18, 2010 Care to provide a link. Here is just one direct quote from php.net regarding magic quotes: http://us3.php.net/get_magic_quotes_gpc Quote Link to comment https://forums.phpfreaks.com/topic/198415-magic-quotes-question/#findComment-1044030 Share on other sites More sharing options...
Psycho Posted April 18, 2010 Share Posted April 18, 2010 Care to provide a link. Here is just one direct quote from php.net regarding magic quotes: http://us3.php.net/get_magic_quotes_gpc I already responded to that page. As stated, every single one of the links in the description show a warning that magic quotes should not be used. Quote Link to comment https://forums.phpfreaks.com/topic/198415-magic-quotes-question/#findComment-1044034 Share on other sites More sharing options...
Daniel0 Posted April 18, 2010 Share Posted April 18, 2010 Care to provide a link. Here is just one direct quote from php.net regarding magic quotes: http://us3.php.net/get_magic_quotes_gpc I've changed that example now: http://svn.php.net/viewvc?view=revision&revision=298138 Similarly, a deprecation note was added yesterday by salathe: http://svn.php.net/viewvc?view=revision&revision=298127 People will have to live with the poor example until next Friday when the mirrors sync with the manual. Quote Link to comment https://forums.phpfreaks.com/topic/198415-magic-quotes-question/#findComment-1044045 Share on other sites More sharing options...
Mchl Posted April 18, 2010 Share Posted April 18, 2010 I've changed that example now: http://svn.php.net/viewvc?view=revision&revision=298138 Similarly, a deprecation note was added yesterday by salathe: http://svn.php.net/viewvc?view=revision&revision=298127 People will have to live with the poor example until next Friday when the mirrors sync with the manual. Freaks to the rescue! Quote Link to comment https://forums.phpfreaks.com/topic/198415-magic-quotes-question/#findComment-1044069 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.