Chris.P Posted May 21, 2007

I have the following slice of PHP that inserts data into the database and is later called into a page. I understand I need to use the get_magic_quotes() function to stop people from inserting javascript for example into the page when the data is called back. How do I go about this?

    <?php
    $profileID = $_POST["profileID"];
    $comment   = $_POST["commentBox"];
    $poster    = $_POST["poster"];

    loginDetails();

    $query = "INSERT INTO comments SET id = '$profileID', comment = '$comment', poster = '$poster' ";
    $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error());

    echo "<h4>Comment added</h4>";
    ?>
Wildbug Posted May 21, 2007

Well, not exactly. The function is get_magic_quotes_gpc(), and it only returns whether or not magic quotes are on. You should use an escaping function such as mysql_real_escape_string() when putting user-generated data into your database. Magic quotes are usually more trouble than they're worth, and the benefit of the get_magic_quotes_gpc() function is to stripslashes() if it returns true before applying the escape function and inserting the data.

http://www.php.net/manual/en/security.magicquotes.php
http://www.php.net/manual/en/function.mysql-real-escape-string.php
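Wildbug's advice applied to the insert from the first post, as an added example rather than code from the thread. It assumes an open mysql connection (mysql_real_escape_string() needs one), the same comments table, and the thread's own loginDetails() helper; the last function covers the part the question actually asked about, since escaping for SQL does nothing for the page that later displays the comment, which needs HTML encoding.

```php
<?php
// Added example, not code from the thread. Assumes an open mysql
// connection, the `comments` table from the first post, and that
// loginDetails() is defined elsewhere as in the original snippet.

// Undo magic quotes when the server applies them, so each value is
// escaped exactly once by mysql_real_escape_string() below.
function rawInput($value)
{
    return get_magic_quotes_gpc() ? stripslashes($value) : $value;
}

// Quote and escape a value for use in a MySQL string literal.
// Uses the open connection's character set, which is why a connection
// is required and why a hand-rolled addcslashes() is not equivalent.
function sqlValue($value)
{
    return "'" . mysql_real_escape_string(rawInput($value)) . "'";
}

$profileID = (int) $_POST['profileID'];   // numeric column: cast, don't quote
$comment   = $_POST['commentBox'];
$poster    = $_POST['poster'];

loginDetails();

$query = 'INSERT INTO comments SET'
       . ' id = '        . $profileID
       . ', comment = '  . sqlValue($comment)
       . ', poster = '   . sqlValue($poster);

// Do not echo $query on failure: it reveals table layout to the visitor.
$result = mysql_query($query) or die('Error inserting comment: ' . mysql_error());

echo '<h4>Comment added</h4>';

// SQL escaping only protects the query. When the comment is read back
// and shown, encode it for HTML, or a <script> in it still runs.
function showComment($row)
{
    return '<p>' . htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8')
         . ' by ' . htmlspecialchars($row['poster'], ENT_QUOTES, 'UTF-8')
         . '</p>';
}
?>
```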
per1os Posted May 21, 2007

    <?php
    // Escape the characters mysql_real_escape_string() handles
    // (NUL, newline, carriage return, backslash, quotes, Ctrl-Z).
    function myEscape($string)
    {
        $chars = "\x00\n\r\\'\"\x1a";
        // Undo magic quotes first so the data is not escaped twice.
        if (get_magic_quotes_gpc()) {
            $string = stripslashes($string);
        }
        // Note: addcslashes() writes control characters as octal
        // (e.g. "\000"), and it knows nothing about the connection's
        // character set, so this is an approximation, not an equivalent.
        return addcslashes($string, $chars);
    }

    $profileID = myEscape($_POST["profileID"]);
    ?>

The above code simulates mysql_real_escape_string without having to have a DB connection.