
What to use .. add/strip slashes


ShaolinF


Ok, I am not sure where to use these, but from the little I know it is to prevent attempted hackers.

 

1. Which one should I use when checking usernames/passwords, email, contact number etc.?

2. When inserting data into a table like email, contact number, usernames, passwords, additional information etc., what function should I use?


You should run something like this on your scripts:

 

<?php
// Undo magic_quotes_gpc so the rest of the script sees the raw input.
// Note: this walks only one level; array-valued fields (name="x[]") keep their slashes.
if (get_magic_quotes_gpc())
{
   foreach ($_POST as $key=>$val)
   {
       $_POST[$key] = stripslashes($val);
   }
}
?>

As the automatic adding of slashes to posted data is so ridiculously useless if you're going to take proper coding measures.  Once you have no slashes on any of your input, run your data through mysql_escape_string/mysql_real_escape_string before inserting it into your DB, or through htmlentities before printing it through HTML.

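The "strip once, then escape once per context" advice in the post above, as an added example that is not code from the thread. SQLite in memory stands in for MySQL so it runs offline, and PDO::quote() takes the place of mysql_real_escape_string() (each produces a quoted literal that is correct for its own driver; the function names, table and sample rows below are this example's own assumptions).

```php
<?php
// Added example (not from the thread): the same user input escaped once at the
// point it enters each output context, and what happens when it is not.

function open_demo_db(): PDO {
    // SQLite in memory stands in for MySQL so the example runs offline.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
    // Constructed sample rows.
    $db->exec("INSERT INTO users (username, password) VALUES ('alice', 'hunter2'), ('bob', 'letmein')");
    return $db;
}

// The pattern the thread warns against: raw form input concatenated into SQL.
function count_matches_unsafe(PDO $db, string $user, string $pass): int {
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND password = '$pass'";
    return (int) $db->query($sql)->fetchColumn();
}

// Escaped once, at the point the value enters the SQL context. PDO::quote()
// plays the role mysql_real_escape_string() plays in the post above.
function count_matches_escaped(PDO $db, string $user, string $pass): int {
    $sql = "SELECT COUNT(*) FROM users WHERE username = " . $db->quote($user)
         . " AND password = " . $db->quote($pass);
    return (int) $db->query($sql)->fetchColumn();
}

// Escaped once, at the point the value enters the HTML context.
function html_safe(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$db = open_demo_db();

// A classic login-bypass payload, used for both fields.
$evil = "' OR '1'='1";
printf("unsafe query:  %d row(s) match for %s\n", count_matches_unsafe($db, $evil, $evil), $evil);
printf("escaped query: %d row(s) match for %s\n", count_matches_escaped($db, $evil, $evil), $evil);

// The same idea for output: the browser must see text, not markup.
echo html_safe("<script>alert('x')</script>"), "\n";
```

With the unsafe builder the payload turns the WHERE clause into a condition that is true for every row, so every user "matches"; with the escaped builder the quotes become part of a literal and nothing matches. The HTML call shows that the escaping for the page is different from the escaping for the database, which is why the post keeps the two separate. The mysql_* functions this thread refers to were removed in PHP 7; the modern equivalent of the escaped builder is a prepared statement with bound parameters, which avoids building the query string by hand at all.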

Well, actually, if you look at the PHP manual for magic_quotes:

This feature is DEPRECATED and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.

 

Reasons:

  • Portability: Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc() to check for this, and code accordingly.
  • Performance: Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling on the escaping functions (like addslashes()) at runtime is more efficient. Although php.ini-dist enables these directives by default, php.ini-recommended disables it. This recommendation is mainly due to performance reasons.
  • Inconvenience: Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form, and seeing a bunch of \' within the email. To fix, this may require excessive use of stripslashes().

 

Maybe I'm wrong, because I still see so many people here using that, but I still use addslashes/stripslashes.


You shouldn't be able to alter a superglobal (it's bad practice even if you can).

 

You should read it into a new variable:

<?php
// Decide once whether incoming data carries magic-quote slashes.
define("Should_I_Strip", 1);

// Work on a copy; $_POST itself is left as the server delivered it.
$postdata = array();
if (Should_I_Strip != 0) {
    foreach ($_POST as $key => $value) {
        $postdata[$key] = stripslashes($value);
    }
} else {
    foreach ($_POST as $key => $value) {
        $postdata[$key] = $value;
    }
}
?>

 

It really doesn't matter if you strip when you don't need to, because it won't do anything, but it isn't good practice.

 

 

 

Edit:

 

As stated, it is going away in PHP 6, but for the most part people still have to deal with it in 4.


Well, there is another way loool I came across once:

 

<?php
// The superglobal is $_REQUEST (case matters), and the stripped value has to be
// written back: assigning to the loop variable $val changes only a copy.
foreach ($_REQUEST as $key => $val) {
    $_REQUEST[$key] = stripslashes($val);
}
?>

 

 

Or something similar. Basically what that does is check all the input data, it doesn't matter if it is a password or username; if it has illegal characters or things like that then it will correct them.

 

 

I can't remember it off by heart loool but I'm sure if you google it you will get somewhere :)


you shouldn't be able to alter a superglobal (its bad practice even if you can)

...

As stated it is going away in php6, but for the most part ppl still have to deal with it in 4

Modifying the $_POST superglobal for simply removing slashes has never bothered me.

 

As for magic_quotes, it's simply useless.  If you're taking proper coding measures, you shouldn't rely on it anyways.


It's the principle that a superglobal variable is supposed to be something given to you from the server to use.

 

It's like in a chem lab: when you get a sample out of a bottle you don't stick your dirty pipettes in the communal container, you take a small bit into your own beaker to work with.

 

Just like how you shouldn't dirty the superglobals for your own needs when they might need to be undirtied later.

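The "work on your own copy" practice argued for in the posts above, together with the manual's point about double-escaped \' turning up in emails, as an added example that is not code from the thread. The "as received" data is constructed with addslashes(), which is exactly what magic_quotes_gpc did to every GET/POST/cookie value on arrival; the function names and the sample form fields are this example's own assumptions.

```php
<?php
// Added example (not from the thread): copy the superglobal once into a plain
// array, undo magic_quotes_gpc on the copy if it was on, and leave $_POST
// exactly as the server delivered it.

function apply_magic_quotes_deep($value) {
    // Simulates magic_quotes_gpc = On for this demo; nested arrays were slashed too.
    return is_array($value) ? array_map('apply_magic_quotes_deep', $value) : addslashes($value);
}

function strip_magic_quotes_deep($value) {
    // The one-level foreach loops in the posts above miss array-valued fields.
    return is_array($value) ? array_map('strip_magic_quotes_deep', $value) : stripslashes($value);
}

function magic_quotes_active(): bool {
    // get_magic_quotes_gpc() no longer exists in PHP 8; guard it so this runs anywhere.
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Returns a cleaned copy of $source (normally $_POST). $source is never modified,
// so later code still sees the request exactly as the server handed it over.
function import_request(array $source, bool $magic_quotes): array {
    return $magic_quotes ? strip_magic_quotes_deep($source) : $source;
}

// Constructed form submission, first as the user typed it, then as PHP would
// hand it over with magic_quotes_gpc = On.
$typed       = ['name' => "O'Brien", 'tags' => ['rock "n" roll', 'C:\\temp']];
$as_received = apply_magic_quotes_deep($typed);

// In real code this would be: import_request($_POST, magic_quotes_active())
$post = import_request($as_received, true);

echo "typed:      ", $typed['name'], "\n";
echo "received:   ", $as_received['name'], "\n";
echo "imported:   ", $post['name'], "\n";
echo "round trip: ", ($post === $typed ? "ok" : "MISMATCH"), "\n";

// The manual's "inconvenience" case: escaping again on top of magic quotes adds
// a second layer of slashes; escaping the imported copy adds exactly one.
echo "double escaped: ", addslashes($as_received['name']), "\n";
echo "single escaped: ", addslashes($post['name']), "\n";
```

The round-trip check passes because stripping is applied recursively to a copy, so the nested tags array comes back identical to what was typed while $as_received (standing in for $_POST) keeps its slashes. The last two lines show why the manual calls magic quotes an inconvenience: code that escapes the received value again, whether for a query or an email body, produces a doubly escaped name, whereas escaping the imported copy produces the single layer the target context actually needs.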

I don't think you know how a hacker works, so do some research before you make assumptions.

 

 

Addslashes is an escaping function

To prevent execution of malicious code in many cases.  So actually, he does know what he's talking about, and he's asking a simple question.

 

My experience: I have coded several websites, some for personal use, and some for corporate offices.  I have never relied on magic_quotes_gpc to do my work for me, and have always either disabled it or counteracted it.  With the proper use of htmlspecialchars and mysql_real_escape_string as needed, I have never had a problem.  The trick isn't finding the most foolproof way to protect your data, it's making sure you understand what could be done with each line of code written.  You don't need slashes if the data is purely handled by PHP and deleted.  You'll want slashes if you enter into a database to prevent the user from modifying your query.

