new features to mysql_query() in PHP 5.x



all,

 

I've recently noticed via my own coding that this function is automatically escaping problematic characters.  I am using v5.2.  Has this been updated now, rendering functions like mysql_real_escape_string() redundant?

 

anybody have a good resource for short listings of updates made to 5.2?


why exactly do you think it's a potential nightmare?  from my personal observation, it looks to be helpful in that scenario...

 

In the long run, magic quotes tends to be more annoying than it is useful. For example, any data that you want to use in some other context besides an SQL query has to be un-quoted before you use it.  This means cases like re-echoing data to the page, using it in an image, in a PDF, in an XML file, etc.  It's far better to keep the raw data as-is and only run it through an escape function if/when it needs it.

 

The implementation of magic quotes is also just a simple addslashes call, which does not properly handle different character sets, which could still leave you vulnerable to attacks.  Using mysql_real_escape_string handles the character sets for you, thus providing better protection.

 

by the way, when do new members get saved from the childish validation questions?

 

After 10 posts I believe.

 


yes, I realize that the functions are good to thwart attacks.

 

furthermore, my website which I'm using for testing right now, only has 2 files on the server, the php file i'm using for testing and the ini file.  the ini only has one line of text in it, which I'm doubting is a directive of any kind.

 

so i'm guessing this is a bug?  php.net indicates that the magic_quotes_gpc() function was deprecated in 5.3, but I'm running 5.2.

 

so there's a disconnect here, I'm still not understanding what's going on.  this function causes mysql_query() to automatically escape strings??  or has mysql_query() always escaped certain strings by default?


It escapes all GET/POST/COOKIE data. If you post form data and want to echo it, with magic_quotes_gpc() on, you now have to run stripslashes on all the incoming POST data to remove the slashes that magic_quotes adds. It truly is a useless feature in my mind, and apparently in the minds of the authors of PHP, as it's been removed completely as of PHP 5.4.


We don't need to spoon-feed you the behaviour of magic_quotes. It's documented and available.

http://php.net/manual/en/security.magicquotes.php

 

There are ways to check if magic_quotes is on as well

get_magic_quotes_gpc

phpinfo

 

mysql_query() is doing nothing but executing the query provided in the argument.

 

that's not really cool bud.  I realize there are resources out there.  not asking for a spoon.  hell, php.net's server logs probably have 10% of the total bytes sourced from my ip address alone.

 

but I tried placing stripslashes() everywhere I could in a simple query op on mysql but php sent the escape chars to mysql every time.  I tried stripping the sql var by itself, stripping it inside the query function and tried stripping the query function result itself (which obviously should not be right).

 

every time the echo showed slashes.  sooo...I'm trying to figure out what gives here...


Post the problematic code.

 

I got a solution to it.  I was unaware, until php told me, that I needed to strip slashes from the actual post operation and not anytime after. 

 

but it still doesn't make much sense to me that, if you can strip the slashes successfully in a var that already has the post data in it, but the slashes still end up being passed to mysql anyway....??? 

 

hmmm...so I'm assuming there is another issue that affects the preservation of the post data from the time it's used in the application to the time it's passed to mysql?  a directive issue?  that has to be what's happening as there's no other explanation.


Without seeing the code, I can't even begin to offer an explanation. But you really should add magic_quotes_gpc = Off to your php.ini file and handle the escaping properly instead.

 

yeah I know I should.  but like I said these are tests.  nothing that I'm doing right now will be relevant to a php application.  here is the code requested though:

 

<?php
// Test script: with magic_quotes_gpc on, $_POST['txt'] already carries the added slashes,
// so they are stripped from the raw POST value before it goes into the WHERE clause.
if ($_POST['txt'])
  { $where = "where fld = '" . stripslashes($_POST['txt']) . "'"; }
else { $where = ""; }

//$sql = "select fld from tester" . " " . stripslashes($where);
$sql = "select fld from tester" . " " . $where;

echo $where;
$data = mysql_query($sql);

while ($info = mysql_fetch_array($data))
{
  echo $info['fld'];
}

 

so i'm inserting strings into the txt that are commonly used in sql injection attempts and echoing out the results.


So what you're saying is that the slashes are not echoing in the $where variable before the DB insert, but they are echoing in the $info['fld'] var in the while() loop? If that's the case, is magic_quotes_runtime() also on by chance? You can echo get_magic_quotes_runtime(); to find out.


OK, just to be clear on this here is all the code I tested.  these are 3 different scenarios trying to strip slashes at different times.  and the results are all different:

 

1) slashes DON'T echo but are still passed to the db (indicated by the return I get from 'hash'):

 

<?php
// Scenario 1: stripslashes() is applied to the WHERE fragment after it has been built
if ($_POST['txt'])
  { $where = "where hash = '" . $_POST['txt'] . "'"; }
else { $where = ""; }

$sql = "select hash from tester" . " " . stripslashes($where);

echo $sql;
$data = mysql_query($sql);

while ($info = mysql_fetch_array($data))
{
  echo $info['hash'];
}

 

2) slashes DON'T echo here either, but nevertheless are still passed to the db:

 

<?php
// Scenario 2: stripslashes() is applied to the whole query string, both when echoing and when executing
if ($_POST['txt'])
  { $where = "where hash = '" . $_POST['txt'] . "'"; }
else { $where = ""; }

$sql = "select hash from tester" . " " . $where;

echo stripslashes($sql);
$data = mysql_query(stripslashes($sql));

while ($info = mysql_fetch_array($data))
{
  echo $info['hash'];
}

 

3) Here is the working copy of code...note that the stripping takes place on the actual source of the post data:

 

<?php
// Scenario 3 (working): stripslashes() is applied to the raw POST value before it is used anywhere
if ($_POST['txt'])
  { $where = "where hash = '" . stripslashes($_POST['txt']) . "'"; }
else { $where = ""; }

$sql = "select hash from tester" . " " . $where;

echo $sql;
$data = mysql_query($sql);

while ($info = mysql_fetch_array($data))
{
  echo $info['hash'];
}

 

 

by the way echo get_magic_quotes_runtime(); returns false.  it's not on, unless someone sent a memo out saying that bit indicators for true and false have since been reversed.  :)


If the data you're selecting out of the database contains slashes when you echo it, then that most likely means you double-escaped the data when you did the INSERT to store the data in the first place.  A likely cause of this is having magic_quotes_gpc=On and then also calling mysql_real_escape_string.  Doing so would cause the slashes added by magic quotes to be escaped, so that when the insert runs, it actually stores those slashes rather than interpreting them as escape characters.
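An added example, not code from anyone in this thread, that pulls together two points made above: keep request data raw by undoing magic_quotes_gpc once at the entry point and escaping only where a value crosses into SQL, and how the double-escape described in the reply above puts backslashes into the table. It assumes PHP 5 with the mysqli extension; the table name `tester`, the column `fld` and the connection credentials are placeholders, and the form input is constructed inline.

```php
<?php
// Added example (not from this thread). Assumes PHP 5 with the mysqli extension;
// table `tester`, column `fld` and the connection details are placeholders.

// --- 1. Undo magic_quotes_gpc once, at the entry point ---------------------
// magic_quotes_gpc runs addslashes() over every GET/POST/COOKIE value. Reversing it
// here means the rest of the script works with raw data and escapes only where a
// value actually crosses into SQL, HTML, XML, etc.
function undo_magic_quotes(array $data) {
    $clean = array();
    foreach ($data as $key => $value) {
        $clean[$key] = is_array($value) ? undo_magic_quotes($value) : stripslashes($value);
    }
    return $clean;
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// --- 2. Why the slashes end up in the table --------------------------------
// MySQL turns \' and \\ inside a quoted literal back into ' and \ when it parses
// the statement; stripslashes() reverses the same sequences, so it models what the
// server stores (simplification: \n, \t and similar sequences are ignored here).
function stored_value($escaped_literal) {
    return stripslashes($escaped_literal);
}

// addslashes() stands in for mysql_real_escape_string() so this part runs offline.
function escape_once($raw) {
    return addslashes($raw);
}
function escape_twice($magic_quoted) {
    return addslashes($magic_quoted);   // value already escaped by magic quotes, escaped again
}

$raw   = "O'Reilly";            // constructed form input
$magic = addslashes($raw);      // what magic_quotes_gpc hands the script: O\'Reilly

echo stored_value(escape_once($raw)), "\n";                  // O'Reilly   single escape: correct
echo stored_value(escape_twice($magic)), "\n";               // O\'Reilly  double escape: slash stored
echo stored_value(escape_once(stripslashes($magic))), "\n";  // O'Reilly   undo, then escape once

// --- 3. Escape at the SQL boundary, with the connection's charset ------------
// addslashes() knows nothing about multi-byte charsets; mysqli_real_escape_string()
// escapes according to the charset set with mysqli_set_charset(). Binding the value
// as a parameter avoids building the literal at all.
function escaped_literal($link, $value) {
    return "'" . mysqli_real_escape_string($link, $value) . "'";
}

function find_by_fld($link, $value) {
    $stmt = mysqli_prepare($link, "SELECT fld FROM tester WHERE fld = ?");
    if ($stmt === false) {
        return array();
    }
    mysqli_stmt_bind_param($stmt, 's', $value);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $fld);
    $rows = array();
    while (mysqli_stmt_fetch($stmt)) {
        $rows[] = $fld;
    }
    mysqli_stmt_close($stmt);
    return $rows;
}

$link = @mysqli_connect('localhost', 'dbuser', 'dbpass', 'db');  // placeholder credentials
if ($link) {
    mysqli_set_charset($link, 'utf8');  // sets the client library's charset, which SET NAMES alone does not
    echo "SELECT fld FROM tester WHERE fld = " . escaped_literal($link, $raw), "\n";
    print_r(find_by_fld($link, $raw));
    mysqli_close($link);
}
```

Run it from the command line with magic quotes off and the three echo lines show the raw value, the value with a stored backslash, and the raw value again; the database part only runs if the placeholder connection succeeds. The design point is that escaping is done exactly once, at the SQL boundary, by a function that knows the connection's charset, which is why the thread's advice is to turn magic quotes off rather than sprinkle stripslashes() around.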

 


... have you checked if magic_quotes is enabled? In the links I've posted, they specifically say it's on by default.

 

magic_quotes_gpc Affects HTTP Request data (GET, POST, and COOKIE). Cannot be set at runtime, and defaults to on in PHP.

 

Also

 

<?php

echo 'magic quotes are ';
if( get_magic_quotes_gpc() )
echo 'on - gpc';
elseif( get_magic_quotes_runtime() )
echo 'on - runtime';
elseif( ini_get('magic_quotes_sybase') == 1 )
echo 'on - sybase';
else
echo 'off';
echo '<br>';

mysql_connect('localhost','root','');
mysql_select_db('db');

$_POST['txt'] = "str with \'slashes\' to be removed";

if ($_POST['txt'])
  { $where = "where id = '" . $_POST['txt'] . "'"; }
else { $where = ""; }

$sql = "select id from events" . " " . $where;

echo stripslashes($sql);

mysql_query(stripslashes($sql));
echo '<br>'.mysql_error();

?>

 

Returns

 

magic quotes are off
select id from events where id = 'str with 'slashes' to be removed'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'slashes' to be removed'' at line 1

 

So, best of luck finding your solution.

 

If you have magic quotes on, turn them off. When things happen 'automatically,' they're hard to keep track of. That's why the developers of PHP are discouraging its use and phasing it out.

very good info.  but bottom line I think here at this point is that I've worn out the welcome in this thread.  so we'll stop the posts here.  I'll use this info to figure things out.  this should be enough.  I can certainly see how phasing that stuff out would be easier on developers.  seems to be a pain in the a$$ at the very least!

