magic quotes

[freelance84]

This may be another really simple one...

 

I've been reading a lot about the magic quotes and that they are now deprecated. To get more control over sanitization of user input...etc I am using my own security functions.

 

I've also read that I should be turning them off.

 

I've read the section about disabling magic quotes but i'm not much wiser after reading, especially as some people on the manual page are saying contradictory things.

 

What do people recommend for the simplest and safest was to disable all magic quotes and there effects?

 

I am right in assuming that these magic quotes are a built feature to php and therefore this is why i have to turn them off?

[Mchl]

Use

var_dump(get_magic_quotes_gpc());

to see if you have magic quotes enabled.

 

To disable magic quotes, you simply need to edit your php.ini file and restart a webserver.

[freelance84]

Hi Mchl,

 

Yea i've found that magic quotes are enabled. Its the turning them off bit that got me stumped.

 

Think i'll have to wait till 2mo to speak to the technical guys at domain sever/host.

 

Thanks,

 

John

[Mchl]

If your host will not let you disable magic quotes you will need to reverse it's effect. Usually it's done like this:

 

if(get_magic_quotes_gpc()) {
  //apply stripslashes() to POST/GET/COOKIE variables.
}

 

After that you should apply proper escaping functions (like mysql_real_escape_string) to any variables that go into your database queries.

[freelance84]

Sorry i'm confused, if magic quotes are on, what will this do?

if(get_magic_quotes_gpc()) 
         {
             //apply stripslashes() to POST/GET/COOKIE variables.
         }

 

Also, with regards to using the mysql_real_escape, I have been using this so far but am now considering using/ creating my own function:

One "entering" function which replaces any "unusual characters" with specified combinations of other characters for input.

One "taking" function which replaces the said combination back with the original characters.

This would mean I could use just two "santizing" functions for everything, and it could also be used on pages where no DB connection is needed.

Do you have any thoughts on this?

[Mchl]

What would be the point of it?

[freelance84]

So all santizing functions through out my entire site would be the same. DB connection or not.

[Daniel0]

Of course not. How you would sanitize a value depends on what you're going to use it for. For instance, mysql_real_escape_string is useless for HTML and htmlentities is useless for MySQL databases, and neither are meant for sanitizing data for functions like exec.

[Mchl]

If only computing was invented by a man. We would have just one programming language, and one instruction execute() ant that would be all we need. Alas, it was Lady Ada Lovelace who invented it, and she made it all complicated, just like women do.

 

[/joke]

[cs.punk]

Dear sir it seems your missing a opening [joke] tag..