slightly confused about get_magic_quotes_gpc()


Post by crazytopu »

I checked php manual and here is the example:

Code:

<?php
echo get_magic_quotes_gpc();         // 1
echo $_POST['lastname'];             // O\'reilly
echo addslashes($_POST['lastname']); // O\\\'reilly

// Escape only if magic quotes has not already done it.
if (!get_magic_quotes_gpc()) {
    $lastname = addslashes($_POST['lastname']);
} else {
    $lastname = $_POST['lastname'];
}

echo $lastname; // O\'reilly
$sql = "INSERT INTO lastnames (lastname) VALUES ('$lastname')";
?>
On my index page I used this:

Code:

echo get_magic_quotes_gpc();
http://www.compquo.com - here you can see it prints 1 on top of the scrolling titles, which indicates magic quotes is on and hence I do not need to use the addslashes function, correct? I did not use addslashes() before inserting the title into the database.

But why do you still see a slash being used just before a quote in one of the titles (3rd one from top on the home page):

We are currently looking for Nuance\'s (2 CD SET) -Dragon Naturally Speaking Preferred 9 software program and headset to purchase in bulk....
Any idea?

Post by stereofrog »

For several reasons, it's better to turn magic_quotes off. If you don't have access to php.ini, add the following to the top of your script(s):

Code:

// Recursively apply $func to every leaf of $a ($a is passed by reference,
// so nested request arrays such as $_POST['names'][] are covered too).
function array_apply(&$a, $func) {
	if(is_array($a)) {
		foreach($a as $k => $v)
			array_apply($a[$k], $func);
	} else $a = call_user_func($func, $a);
}

// Undo magic_quotes_gpc on the superglobals it touches: Get, Post and
// Cookie (hence "gpc"), plus $_REQUEST, which is built from them.
if(get_magic_quotes_gpc()) {
	array_apply($_GET, 'stripslashes');
	array_apply($_POST, 'stripslashes');
	array_apply($_COOKIE, 'stripslashes');
	array_apply($_REQUEST, 'stripslashes');
	array_apply($_SERVER, 'stripslashes');
}
This reverts an effect of magic_quotes. Remember always to use mysql_real_escape_string() when inserting user input into DB and htmlspecialchars() when echoing it back.

Post by onion2k »

Presumably that content has been added to your database after going through addslashes(), before you added this check perhaps? Magic quotes only affect incoming GET, POST and COOKIE data. Database content won't be affected by it.

Post by crazytopu »

Code:

if (!get_magic_quotes_gpc()) { 
    $lastname = addslashes($_POST['lastname']); 
} else { 
    $lastname = $_POST['lastname']; 
}
Like this example shows, if it returns 1, you don't have to use addslashes(), do you? So, I didn't use addslashes() before inserting the POST data into the database.

However, as stereofrog suggests, all data went through mysql_real_escape_string() before being saved into the DB. I have used htmlspecialchars() to print out the content and the "/" is still there.

So, the only real option left is to use that little snippet in my code as provided by stereofrog?

Post by onion2k »

crazytopu wrote: However, as stereofrog suggests, all data went through mysql_real_escape_string() before being saved into the DB. I have used htmlspecialchars() to print out the content and the "/" is still there.
mysql_real_escape_string() escapes the data just like addslashes(). They're essentially the same thing. If you're using that as well as having magic quotes switched on then you're escaping the data twice.

Post by crazytopu »

Aha! :D That answers my question. Thanks a lot.

So, what is the common practice (more secure, in other words)? Use mysql_real_escape_string(), or use that code snippet to switch off magic quotes, provided that I don't have access to the php.ini file?

Post by Jenk »

onion2k wrote:
crazytopu wrote: However, as stereofrog suggests, all data went through mysql_real_escape_string() before being saved into the DB. I have used htmlspecialchars() to print out the content and the "/" is still there.
mysql_real_escape_string() escapes the data just like addslashes(). They're essentially the same thing. If you're using that as well as having magic quotes switched on then you're escaping the data twice.
Just to add, it is also better to use mysql_real_escape_string() over addslashes() if you are sending statements to mysql database.

Here is a similar function to that in the user notes on php.net/mysql_real_escape_string (or the magic quotes page).

Code:

// Strip the escaping magic quotes added on input, then escape exactly once
// for MySQL. $link is the optional connection resource; with null,
// mysql_real_escape_string() uses the last opened connection.
function escape_magic_quotes ($string, $link = null)
{
    if (get_magic_quotes_gpc()) $string = stripslashes($string);

    return mysql_real_escape_string($string, $link);
}
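The double escaping discussed in this thread, traced step by step in an added example (this is not code from any of the posters or from the PHP manual). It uses no database connection: addslashes() stands in for mysql_real_escape_string(), since both turn ' into \', and stripslashes() models the unescaping MySQL performs when it parses a quoted string literal. The input values are constructed, and the helper names are this example's own.

```php
<?php
// Added example: reproduce the O\'reilly / Nuance\'s symptom and show the
// single-escape pipeline the replies recommend. No real database is used.

// Simulate what magic_quotes_gpc did to incoming request data, recursively,
// so nested POST arrays are covered as well as plain fields.
function simulate_magic_quotes($value)
{
    return is_array($value)
        ? array_map('simulate_magic_quotes', $value)
        : addslashes($value);
}

// Undo magic quotes on a whole request array before any other escaping.
function strip_magic_quotes_deep($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes_deep', $value)
        : stripslashes($value);
}

// Stand-in for mysql_real_escape_string() (assumption: addslashes() is
// enough to show the quote handling; the real function also covers NUL,
// newlines and the connection's character set).
function escape_for_sql($string)
{
    return addslashes($string);
}

// Model of what MySQL stores after parsing a single-quoted literal:
// each \' becomes ' and each \\ becomes a single backslash.
function mysql_stores($escaped_literal)
{
    return stripslashes($escaped_literal);
}

// Constructed input: what the browser actually submitted.
$raw_post = array(
    'title' => "Nuance's (2 CD SET)",
    'tags'  => array("O'Reilly"),
);

// 1. Magic quotes on, and the script escapes again: the thread's bug.
//    The backslash magic quotes added gets doubled and the quote is
//    escaped a second time, so the stored value keeps one backslash.
$magic   = simulate_magic_quotes($raw_post);
$double  = escape_for_sql($magic['title']);
$stored1 = mysql_stores($double);

// 2. Strip magic quotes first, then escape exactly once: the stored value
//    is the original text with no stray backslash.
$clean   = strip_magic_quotes_deep($magic);
$single  = escape_for_sql($clean['title']);
$stored2 = mysql_stores($single);

printf("double-escaped literal: %s  -> stored: %s\n", $double, $stored1);
printf("single-escaped literal: %s  -> stored: %s\n", $single, $stored2);

// Output escaping is a separate concern: htmlspecialchars() protects the
// HTML context but does not remove a backslash that was stored by mistake,
// so the fix belongs at the input stage, not at display time.
echo htmlspecialchars($stored2, ENT_QUOTES, 'UTF-8'), "\n";
```

Run it with `php example.php`. The first line shows the triple-backslash literal and a stored value that still carries a backslash, which is exactly what appears in the title on the site; the second shows the value stored cleanly once the input is unescaped before the single mysql_real_escape_string() call.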

Post by stereofrog »

Some people consider magic_quotes to be a design flaw in PHP, and the PHP group seems to agree now. Magic_quotes will be removed in PHP 6, so it's better to get used to coding without them.

See http://www.php.net/manual/en/security.magicquotes.php for a detailed discussion of the pros and cons of magic_quotes.