MDanz Posted January 6, 2011

For the below code, what does the get_magic_quotes_gpc part mean? ... in simple terms.

    $photoname = $_FILES['photo']['name'];
    if (!get_magic_quotes_gpc()) {
        $photoname = addslashes($photoname);
    }

Link to comment https://forums.phpfreaks.com/topic/223545-whats-the-reason-for-using-get_magic_quotes_gpc/
PFMaBiSmAd Posted January 6, 2011

A) It gets the value of the magic_quotes_gpc setting.
B) However, since the magic_quotes_gpc setting never had an effect on any of the $_FILES data, the code doesn't actually perform a useful function.
C) You do, however, need to escape (using mysql_real_escape_string) any external data that you put into a query.
DavidAM Posted January 6, 2011

While the documentation does not indicate it, I have run some tests and the magic_quotes_gpc setting does affect the FILES array. And by the way, it affects the field names (the array keys of GET, POST, COOKIE and FILES) as well as the field values.

    <?php
    /* Quick test of file upload with magic quotes */
    if (isset($_POST['submit'])) {
        print('<PRE>');
        print('POST: ' . print_r($_POST, true) . PHP_EOL);
        print('FILES: ' . print_r($_FILES, true) . PHP_EOL);
        print('</PRE><HR>');
    }
    ?>
    <FORM method="POST" action="" enctype="multipart/form-data">
    Note: <INPUT type="text" name="note'txt"><BR>
    File: <INPUT type="file" name="upf'ile"><BR>
    <INPUT type="submit" name="submit">
    </FORM>

Output:

    POST: Array
    (
        [note\'txt] => hello \'world
        [submit] => Submit Query
    )

    FILES: Array
    (
        [upf\'ile] => Array
            (
                [name] => test\'me.sql
                [type] => text/x-sql
                [error] => 0
                [size] => 0
            )

        [upf'ile] => Array
            (
                [tmp_name] => /tmp/phpVUpDEP
            )
    )

That last entry is interesting. It didn't affect the field name for that one component. Best bet is to not use any special characters in the field names.

PHP version: 5.2.6-1+lenny9
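As an added example (not code from any of the posts in this thread), here is how the two replies above fit together in practice: undo magic_quotes_gpc on all four superglobals, including the array keys and the $_FILES['...']['name'] values that the test output above shows are escaped, and then get the uploaded name into a query with a prepared statement rather than with addslashes() or mysql_real_escape_string(). Magic quotes were removed in PHP 5.4, so get_magic_quotes_gpc() returns false from then on (the function itself was deprecated in 7.4 and removed in 8.0), which makes the compatibility block below a no-op on current PHP. The photos table with its name and stored_as columns, the $pdo connection, the /var/www/uploads directory and the allowed-extension list are all assumptions made for this example.

```php
<?php
// Added example, not code from the thread. Table/column names, the
// upload directory, the PDO connection and the extension whitelist
// are assumptions.

// Recursively remove the backslashes magic_quotes_gpc added. Keys are
// escaped too (see the test output in the thread), so they are cleaned
// as well as the values.
function stripslashes_deep($value)
{
    if (!is_array($value)) {
        return stripslashes($value);
    }
    $clean = array();
    foreach ($value as $key => $item) {
        $clean[stripslashes($key)] = stripslashes_deep($item);
    }
    return $clean;
}

// PHP < 5.4 only; on later versions get_magic_quotes_gpc() is false
// (and gone in 8.0), so guard the call with function_exists().
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = stripslashes_deep($_GET);
    $_POST   = stripslashes_deep($_POST);
    $_COOKIE = stripslashes_deep($_COOKIE);

    // For $_FILES only the field key and the client-supplied 'name'
    // were escaped; tmp_name is generated by PHP and must be left alone.
    $files = array();
    foreach ($_FILES as $field => $info) {
        $info['name'] = stripslashes($info['name']);
        $files[stripslashes($field)] = $info;
    }
    $_FILES = $files;
}

// The client-supplied file name is data, not a path: never use it on
// disk. Whitelist the extension and generate the stored name ourselves.
function safe_upload_target($dir, $clientName)
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, array('jpg', 'jpeg', 'png', 'gif'), true)) {
        return false;   // reject unexpected types instead of "fixing" them
    }
    $raw = function_exists('random_bytes')          // PHP 7+
        ? random_bytes(16)
        : openssl_random_pseudo_bytes(16);           // PHP 5.3+
    return $dir . '/' . bin2hex($raw) . '.' . $ext;
}

// Putting the original name into the database: bind it, never concatenate.
// Quotes, backslashes and anything else in the name are then harmless,
// whatever magic_quotes_gpc did or did not do to them.
function record_photo(PDO $pdo, $clientName, $storedAs)
{
    $stmt = $pdo->prepare('INSERT INTO photos (name, stored_as) VALUES (?, ?)');
    return $stmt->execute(array($clientName, $storedAs));
}

// Request handling for the original snippet's <input type="file" name="photo">.
if (isset($_FILES['photo']) && $_FILES['photo']['error'] === UPLOAD_ERR_OK) {
    $target = safe_upload_target('/var/www/uploads', $_FILES['photo']['name']);
    if ($target !== false && move_uploaded_file($_FILES['photo']['tmp_name'], $target)) {
        $pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', array(
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
        ));
        record_photo($pdo, $_FILES['photo']['name'], basename($target));
    }
}
```

Two design points: the stripslashes pass is done once, at the top of the request, so the rest of the code always sees raw data and never has to ask get_magic_quotes_gpc() again; and with PDO::ATTR_EMULATE_PREPARES off the values are sent to MySQL separately from the statement text, so no escaping step exists to get wrong.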
PFMaBiSmAd Posted January 6, 2011

My previous testing was of the actual file data only. So, yes, magic_quotes does affect the ['name'] element and the field name. The bug in your version, with the extra non-escaped array index name, was fixed in PHP 5.2.7.

However, on Windows, the \ added in the file name truncates the name and only produces me.sql for your example. Does work correctly with magic_quotes off.
DavidAM Posted January 6, 2011

Yeah, I usually run with it off. But I did some testing so I would know what is and isn't affected, just in case I find myself in a position where it is on and I can't turn it off. And, for the record, I would never recommend using an HTML field name with any special characters in it (that just seems like ); I only tested it out of curiosity.

From the documentation, I gather that the other magic quotes setting (magic_quotes_runtime) would affect the actual data in the file. I haven't tested it (but I guess I should). The documentation indicates it will affect data from most external sources (disk files, database, etc.).

As to the Windows thing: I hope I never have to run a webserver on Windows. Even so, I don't understand why the filename gets mangled. I've seen posts from people having trouble on a WAMP stack with filenames, but I don't understand why it happens. The name of the user's file is just data; it has no significance in the POST data at any point. Changing it because it is not a valid filename is just wrong (IMHO). As we all learned (I hope) from magic quotes, data should be sacred. It should never be changed by any underlying transport. It is the programmer's responsibility to validate and clean up or reject all data.