short term... magic_quotes_gpc = on [solved]

Posted: Wed Feb 08, 2006 1:09 pm
by imstupid
here's the dilemma. After reading everything out there on why magic_quotes_gpc is best turned off and manually adding the slashes yourself, I still have a general question. Let's say I have an entirely separate database, with only a few pages of php taking people's data and inserting it into a MySQL table. These pages are only going to be live to the public for 12 months or so, and once the data is extracted down the road, the table + database will most likely be deleted. So using php.net's code:

<?php
echo get_magic_quotes_gpc();            // 1
echo $_POST['lastname'];                // O\'reilly
echo addslashes($_POST['lastname']);    // O\\\'reilly

// Only add slashes if magic quotes has not already done so
if (!get_magic_quotes_gpc()) {
    $lastname = addslashes($_POST['lastname']);
} else {
    $lastname = $_POST['lastname'];
}

echo $lastname;      // O\'reilly
$sql = "INSERT INTO lastnames (lastname) VALUES ('$lastname')";
?>

is there any reason to turn them off given this is a temporary submission page... kind of a one-time-use only? The only reason I ask, is laziness. All the code is written already.

Subquestion:
after running php.net's code above, I'll then check out the table using the terminal, and the slashes are not visible. Is that normal? I would just assume that if magic_quotes_gpc is on, the slashes would also be visible when looking at the table through the command line.

thanks for the advice and suggestions in advance. hope everyone is doing well.

Posted: Wed Feb 08, 2006 1:16 pm
by feyd
Although there is a vulnerability in addslashes(), you are likely relatively okay. But using this may keep you safer:

<?php
// mysql_connect(...) must already have been called: mysql_real_escape_string()
// needs an open connection to know the connection's character set.

// Undo magic quotes first so the data is escaped exactly once, below.
if (get_magic_quotes_gpc()) {
    $lastname = stripslashes($_POST['lastname']);
} else {
    $lastname = $_POST['lastname'];
}
$lastname = mysql_real_escape_string($lastname);
$sql = "INSERT INTO `lastnames` (`lastname`) VALUES('{$lastname}')";

The slashes are used to escape the incoming data for insertion. MySQL removes the escapements as they are just that, escapes to allow the data entry. It is normal.
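An added example (not code from the thread) that ties the answer above to the subquestion about slashes not showing up in the table: it runs both php.ini settings through the strip-then-escape step and through a blind addslashes(), then decodes each literal the way MySQL does, so the stored value is visible without a database. undo_magic_quotes(), escape_for_sql() and mysql_literal_to_stored() are this example's own helpers; escape_for_sql() stands in for mysql_real_escape_string(), which needs a live connection and, like get_magic_quotes_gpc(), no longer exists in current PHP, so $magic_on replaces the php.ini flag.

```php
<?php
// Added example, not code from the thread. $magic_on stands in for
// get_magic_quotes_gpc(); the helpers emulate the MySQL side offline.

// The answer's normalisation, extended to nested arrays: magic quotes
// slashes every string inside $_POST, not only the top-level values.
function undo_magic_quotes($value, $magic_on)
{
    if (!$magic_on) {
        return $value;
    }
    if (is_array($value)) {
        return array_map(function ($v) { return undo_magic_quotes($v, true); }, $value);
    }
    return stripslashes($value);
}

// Stand-in for mysql_real_escape_string(), which needs a live connection:
// the same backslash escaping for a single-byte or utf8 connection charset.
function escape_for_sql($s)
{
    return strtr($s, array("\\" => "\\\\", "'" => "\\'", '"' => '\\"',
                           "\n" => "\\n", "\r" => "\\r", "\0" => "\\0", "\x1a" => "\\Z"));
}

// What MySQL stores from a backslash-escaped literal: the backslash is
// consumed, so data escaped exactly once is stored without any slashes.
function mysql_literal_to_stored($literal)
{
    $map = array('n' => "\n", 'r' => "\r", 't' => "\t", '0' => "\0", 'Z' => "\x1a");
    $out = '';
    for ($i = 0, $n = strlen($literal); $i < $n; $i++) {
        if ($literal[$i] === '\\' && $i + 1 < $n) {
            $c = $literal[++$i];
            $out .= isset($map[$c]) ? $map[$c] : $c;  // \' \" \\ -> ' " \
        } else {
            $out .= $literal[$i];
        }
    }
    return $out;
}

$typed = "O'reilly";                                   // constructed input
foreach (array(true, false) as $magic_on) {
    $post  = array('lastname' => $magic_on ? addslashes($typed) : $typed);
    $once  = escape_for_sql(undo_magic_quotes($post, $magic_on)['lastname']);
    $twice = addslashes($post['lastname']);            // blind addslashes
    printf("magic_quotes_gpc=%d stored '%s'; blind addslashes stores '%s'\n",
           $magic_on, mysql_literal_to_stored($once), mysql_literal_to_stored($twice));
}
```

With magic quotes on, the blind addslashes() path is the one that leaves a backslash in the table (O\'reilly); the strip-then-escape path stores O'reilly under either setting.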

Posted: Wed Feb 08, 2006 2:17 pm
by imstupid
works like a charm. I figured to swap addslashes with mysql_real_escape_string given all the posts lately, but completely forgot about backticks. which, might I add, has got to be one of the grossest sounding names out there. "My wife would kill me if she found out I contracted Back Ticks." See?

thanks as always...