short term... magic_quotes_gpc = on [solved]

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

imstupid
Forum Commoner
Posts: 84
Joined: Fri Feb 18, 2005 1:24 pm

short term... magic_quotes_gpc = on [solved]

Post by imstupid »

Here's the dilemma. After reading everything out there on why magic_quotes_gpc is best turned off and manually adding the slashes yourself, I still have a general question. Let's say I have an entirely separate database, with only a few pages of php taking people's data and inserting it into a MySQL table. These pages are only going to be live to the public for 12 months or so, and once the data is extracted down the road, the table + database will most likely be deleted. So using php.net's code:

Code:

<?php
echo get_magic_quotes_gpc();            // 1
echo $_POST['lastname'];                // O\'reilly
echo addslashes($_POST['lastname']);    // O\\\'reilly

if (!get_magic_quotes_gpc()) {
    $lastname = addslashes($_POST['lastname']);
} else {
    $lastname = $_POST['lastname'];
}

echo $lastname;      // O\'reilly
$sql = "INSERT INTO lastnames (lastname) VALUES ('$lastname')";
?>

is there any reason to turn them off given this is a temporary submission page... kind of a one-time-use only? The only reason I ask, is laziness. All the code is written already.

Subquestion:
After running php.net's code above, I'll then check out the table using the terminal, and the slashes are not visible. Is that normal? I would just assume that if magic_quotes_gpc is on, the slashes would also be visible when looking at the table through the command line.

thanks for the advice and suggestions in advance. hope everyone is doing well.
Last edited by imstupid on Wed Feb 08, 2006 2:17 pm, edited 1 time in total.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Although there is a vulnerability in addslashes(), you are likely relatively okay. But using this may keep you safer:

Code:

// mysql_connect();

// ...

if (get_magic_quotes_gpc()) {
  $lastname = stripslashes($_POST['lastname']);
} else {
  $lastname = $_POST['lastname'];
}
$lastname = mysql_real_escape_string($lastname);
$sql = "INSERT INTO `lastnames` (`lastname`) VALUES('{$lastname}')";

The slashes are used to escape the incoming data for insertion. MySQL removes the escapes as they are just that, escapes to allow the data entry. It is normal.
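An added, self-contained example (not code from this thread, from php.net, or from feyd's reply) that walks through the two points above: why stacking addslashes() on top of magic_quotes_gpc double-escapes a value, and why the stored row carries no backslash even though the SQL literal did. It also shows the "strip the magic quotes, then escape exactly once" pattern from the reply, plus a prepared-statement version that needs no escaping at all. Assumptions: `lastnames`/`lastname` are the thread's own names; the DB credentials and the `$run_db` switch are placeholders you fill in; the addslashes() fallback inside sql_literal() is only a stand-in so the demo runs without a MySQL server (it is not charset-aware, unlike a real escape through the connection). The inputs are constructed.

```php
<?php
// Added example; see the lead-in above. Runs offline unless $run_db is true.

// Return the raw user input exactly once, whether or not the runtime already
// slashed it. $magic_quotes_on can be forced for the demo; by default it asks
// get_magic_quotes_gpc() (guarded, since PHP 7+ removed the function).
function raw_gpc($value, $magic_quotes_on = null) {
    if ($magic_quotes_on === null) {
        $magic_quotes_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    return $magic_quotes_on ? stripslashes($value) : $value;
}

// Build a single-quoted MySQL string literal. With a live mysqli connection it
// uses real_escape_string (charset-aware); otherwise the constructed offline
// fallback is addslashes(), which is what the thread's php.net snippet relies on.
function sql_literal($value, $db = null) {
    $escaped = ($db instanceof mysqli) ? $db->real_escape_string($value) : addslashes($value);
    return "'" . $escaped . "'";
}

// Prepared statement: the value travels separately from the SQL text, so there
// is nothing to escape and no way for a quote to change the statement's shape.
function insert_lastname(mysqli $db, $lastname) {
    $stmt = $db->prepare("INSERT INTO `lastnames` (`lastname`) VALUES (?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $lastname);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// ---- constructed inputs, using the thread's own O'Reilly example ----------
$typed_by_user    = "O'Reilly";                 // what the person typed
$as_seen_with_mq  = addslashes($typed_by_user); // O\'Reilly: what magic_quotes_gpc=On hands $_POST

// 1) The trap: addslashes() applied to data magic quotes already slashed.
//    MySQL would decode O\\\'Reilly and STORE the string O\'Reilly, i.e. corrupt data.
echo "double-escaped literal: " . sql_literal($as_seen_with_mq) . "\n";   // 'O\\\'Reilly'

// 2) The reply's pattern: normalise first, then escape exactly once.
//    Both php.ini settings now produce the same literal.
$from_mq_on  = raw_gpc($as_seen_with_mq, true);   // O'Reilly
$from_mq_off = raw_gpc($typed_by_user, false);    // O'Reilly
echo "literal (mq on):  " . sql_literal($from_mq_on) . "\n";   // 'O\'Reilly'
echo "literal (mq off): " . sql_literal($from_mq_off) . "\n";  // 'O\'Reilly'

// 3) What the table holds. The backslash is part of the SQL syntax, not of the
//    value: MySQL decodes 'O\'Reilly' to O'Reilly before storing it, which is
//    why `SELECT` from the terminal shows no slash. The same decoding is what
//    stripslashes() does here, so it mirrors the stored value.
echo "stored value:     " . stripslashes(addslashes($from_mq_on)) . "\n";  // O'Reilly

// 4) Optional live run with a prepared statement (placeholders, fill in yourself).
$run_db = false;
if ($run_db) {
    $db = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
    if ($db->connect_error) {
        die("connect failed: " . $db->connect_error . "\n");
    }
    $db->set_charset('utf8');
    $lastname = raw_gpc(isset($_POST['lastname']) ? $_POST['lastname'] : $typed_by_user);
    echo insert_lastname($db, $lastname) ? "inserted\n" : "insert failed: " . $db->error . "\n";
    $db->close();
}
```

Run it from the command line with no database and you see the three literals side by side: the double-escaped one that would silently store a stray backslash, and the two identical correctly escaped ones. The prepared-statement path is the form that stays correct regardless of the magic_quotes_gpc setting, because nothing about the value is ever spliced into the query string.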
imstupid
Forum Commoner
Posts: 84
Joined: Fri Feb 18, 2005 1:24 pm

Post by imstupid »

Works like a charm. I figured to swap addslashes with mysql_real_escape_string given all the posts lately, but completely forgot about backticks. Which, might I add, has got to be one of the grossest sounding names out there. "My wife would kill me if she found out I contracted Back Ticks." See?

thanks as always...