
I have a small site and right now for strings I use mysqli_real_escape_string. However, when moving me to another server my provider left magic_quotes on. So strings started adding slashes in code I wrote (but not in wordpress and smf for some reason(?)).

 

I've emailed them and informed them that I wanted the m_quotes off. This is the second time this has happened in a year and a half.

 

Anyway, would it be bad form to have stripslashes() just before mysqli_real_escape_string as a backup?


http://php.net/manual/en/function.function-exists.php says "Return TRUE if the given function has been defined" so ...

 

if (function_exists(magic_quotes_gpc)) {
    stripslashes()
    mysqli_real_escape_string()
} else  mysqli_real_escape_string()

 

 

would be how I would use it?

I usually check to make sure stripslashes exists. Maybe I'm just paranoid. Can also check the version number to see if the rest of it is even necessary.

 

if( PHP_VERSION < 5.4 && ini_get('magic_quotes_gpc') ) {
	if( function_exists('stripslashes') ) {
		$data = stripslashes($data);
	} else {
		// figure out what to do with slashes if stripslashes is non-existent . . .
	}
}
$data = mysqli_real_escape_string($dbc, $data);

You can always use get_magic_quotes_gpc. Even after the magic_quotes feature is removed, the function to test the magic_quotes setting will exist -

 

Changelog

Version    Description
5.4.0      Always returns FALSE because the magic quotes feature was removed from PHP.

 

 

Yeah, get_magic_quotes_gpc() is what I meant. I knew something seemed off. Should have looked at one of the scripts I use it in instead of going by memory. So it should be:

 

if( PHP_VERSION < 5.4 && get_magic_quotes_gpc() ) {
	if( function_exists('stripslashes') ) {
		$data = stripslashes($data);
	}
}
$data = mysqli_real_escape_string($dbc, $data);

Stripslashes shouldn't be deprecated, and it's built into the core of php.

 

Definitely paranoid ;)

 

Now I remember why I explicitly check for it. If it's been disabled in the php.ini file for some stupid reason, a warning is generated if you try to use it.


Is it just slashes-functions that can be disabled in the ini? Or any core functions? That's kind of scary - terrible band-aid to fix any slash issues a script might have I guess?

I've never thought to look into whether any function can be disabled, or just certain ones. That raises an interesting point, and it's another reason to avoid hosting that doesn't give you control over your own ini options.

I think if I ever ran into a system that disabled active, working, safe core functionality I would suggest that the owners fire their admins.

 

I can understand why they included that ability through the INI though, though black-listing is generally much more difficult than white.
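
The conditional strip discussed in this thread, written out as an added example that is not code from any poster here: it strips only when PHP actually added the slashes, fails closed if stripslashes() has been disabled, and goes slightly beyond the posts by handling nested arrays. The function names are hypothetical and $dbc is assumed to be an open mysqli connection, as in the posts above.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical;
// $dbc is assumed to be an open mysqli connection, as in the posts above.

// True only when PHP itself is adding slashes to GET/POST/COOKIE data.
function magic_quotes_active()
{
    // The version test comes first so get_magic_quotes_gpc() is never called
    // on 5.4+ (always FALSE there, removed in 8.0). function_exists() is
    // FALSE for anything listed in disable_functions.
    return version_compare(PHP_VERSION, '5.4.0', '<')
        && function_exists('get_magic_quotes_gpc')
        && get_magic_quotes_gpc();
}

// Undo magic quotes on one request value (string or nested array).
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Return $value as the user typed it; $quoted can be forced for testing.
function normalize_input($value, $quoted = null)
{
    if ($quoted === null) {
        $quoted = magic_quotes_active();
    }
    if (!$quoted) {
        return $value;            // nothing was added, so strip nothing
    }
    if (!function_exists('stripslashes')) {
        // Fail closed rather than store data with stray slashes.
        throw new RuntimeException('magic quotes on, stripslashes() unavailable');
    }
    return undo_magic_quotes($value);
}

// Escape at the point of use, after normalizing.
function escape_for_query(mysqli $dbc, $value)
{
    return mysqli_real_escape_string($dbc, normalize_input($value));
}
// Constructed sample values (no database needed for this part).
var_dump(normalize_input("O\\'Reilly", true) === "O'Reilly");    // magic quotes on
var_dump(normalize_input('C:\\temp', false) === 'C:\\temp');      // off: untouched
var_dump(stripslashes('C:\\temp') === 'C:temp');                  // unconditional strip loses data
```

The last line shows why the strip has to be conditional: calling stripslashes() as a blanket backup removes backslashes the user legitimately typed whenever magic quotes is off.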
