slightly confused about get_magic_quotes_gpc()
Posted: Fri Mar 30, 2007 4:03 am
by crazytopu
I checked the PHP manual and here is the example:
Code:
<?php
echo get_magic_quotes_gpc(); // 1
echo $_POST['lastname']; // O\'reilly
echo addslashes($_POST['lastname']); // O\\\'reilly

// Escape only when PHP has not already done it for us.
if (!get_magic_quotes_gpc()) {
    $lastname = addslashes($_POST['lastname']);
} else {
    $lastname = $_POST['lastname'];
}

echo $lastname; // O\'reilly
$sql = "INSERT INTO lastnames (lastname) VALUES ('$lastname')";
?>
On my index page I used this:
http://www.compquo.com - here you can see it prints 1 on top of the scrolling titles, which indicates magic quotes is on, and hence I do not need to use the addslashes() function, correct? I did not use addslashes() before inserting the title into the database.
But why do you still see a slash being used just before a quote in one of the titles (3rd one from top on the home page):
We are currently looking for Nuance\'s (2 CD SET) -Dragon Naturally Speaking Preferred 9 software program and headset to purchase in bulk....
Any idea?
Posted: Fri Mar 30, 2007 4:18 am
by stereofrog
For several reasons, it's better to turn magic_quotes off. If you don't have access to php.ini, add the following to the top of your script(s):
Code:
function array_apply(&$a, $func) {
    // Recurse into nested arrays (e.g. name[] form fields) and apply $func to every leaf.
    if (is_array($a)) {
        foreach ($a as $k => $v) {
            array_apply($a[$k], $func);
        }
    } else {
        $a = call_user_func($func, $a);
    }
}

if (get_magic_quotes_gpc()) {
    // Undo the escaping PHP applied to the request data, once, before any other code runs.
    array_apply($_GET, 'stripslashes');
    array_apply($_POST, 'stripslashes');
    array_apply($_COOKIE, 'stripslashes'); // magic_quotes_gpc covers cookies too
    array_apply($_SERVER, 'stripslashes');
}
This reverts an effect of magic_quotes. Remember always to use mysql_real_escape_string() when inserting user input into DB and htmlspecialchars() when echoing it back.
Posted: Fri Mar 30, 2007 4:22 am
by onion2k
Presumably that content has been added to your database after going through addslashes(), before you added this check perhaps? Magic quotes only affect incoming GET, POST and COOKIE data. Database content won't be affected by it.
Posted: Fri Mar 30, 2007 4:32 am
by crazytopu
Code:
// Escape only when PHP has not already done it for us.
if (!get_magic_quotes_gpc()) {
    $lastname = addslashes($_POST['lastname']);
} else {
    $lastname = $_POST['lastname'];
}
Like this example shows, if it returns 1, you don't have to use addslashes(), do you? So, I didn't use addslashes() before inserting the POST data into the database.
However, as stereofrog suggests, all data went through mysql_real_escape_string() before it was saved into the DB. I have used htmlspecialchars() to print out the content and the "\" is still there.
So, the only real option left is to use that little snippet in my code as provided by stereofrog?
Posted: Fri Mar 30, 2007 4:35 am
by onion2k
crazytopu wrote:However, as stereofrog suggests, all data went through mysql_real_escape_string() before it was saved into the DB. I have used htmlspecialchars() to print out the content and the "\" is still there.
mysql_real_escape_string() escapes the data just like addslashes(). They're essentially the same thing. If you're using that as well as having magic quotes switched on then you're escaping the data twice.
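The double escaping onion2k describes, worked through as an added example (this is not code from the thread or from the PHP manual). Because get_magic_quotes_gpc() and the mysql extension no longer exist in current PHP, both are simulated: the magic-quoted POST value is constructed with addslashes(), db_escape() is a hypothetical stand-in that applies the same character rules as mysql_real_escape_string() for a single-byte connection charset, and sql_stored_value() reverses that escaping to show what the MySQL server actually writes into the row. No database is needed to run it.

```php
<?php
// Added example: reproduces the stray backslash from the thread and shows the
// order of operations that avoids it. db_escape() and sql_stored_value() are
// stand-ins (assumptions), not functions from the legacy mysql extension.

// Constructed input: the title from the thread, before PHP touched it.
const RAW_TITLE = "We are currently looking for Nuance's (2 CD SET)";

// What $_POST['title'] looks like when magic_quotes_gpc=On: PHP has already
// run the equivalent of addslashes() over it before the script sees it.
function post_as_seen_with_magic_quotes(string $raw): string
{
    return addslashes($raw);
}

// Stand-in for mysql_real_escape_string(): it escapes NUL, \n, \r, \, ', "
// and Ctrl-Z. strtr() with an array never rescans replaced text, so the
// backslash it emits is not escaped a second time.
function db_escape(string $s): string
{
    return strtr($s, [
        "\0" => '\0', "\n" => '\n', "\r" => '\r', '\\' => '\\\\',
        "'" => "\'", '"' => '\"', "\x1a" => '\Z',
    ]);
}

// Inverse of db_escape(): the value the server stores for a quoted literal.
function sql_stored_value(string $escaped): string
{
    return strtr($escaped, [
        '\0' => "\0", '\n' => "\n", '\r' => "\r", '\\\\' => '\\',
        "\'" => "'", '\"' => '"', '\Z' => "\x1a",
    ]);
}

function insert_statement(string $value): string
{
    return "INSERT INTO titles (title) VALUES ('" . db_escape($value) . "')";
}

// The thread's original flow: magic quotes escaped the quote once, then
// mysql_real_escape_string() escaped the backslash *and* the quote again.
// The server undoes only one layer, so one backslash survives in the row.
function stored_double_escaped(string $postValue): string
{
    return sql_stored_value(db_escape($postValue));
}

// Correct flow: undo magic quotes exactly once at the edge (stereofrog's
// array_apply() does this for all request arrays), then escape exactly once
// at the SQL boundary.
function stored_escaped_once(string $postValue, bool $magicQuotesOn): string
{
    $clean = $magicQuotesOn ? stripslashes($postValue) : $postValue;
    return sql_stored_value(db_escape($clean));
}

// Output escaping is a separate layer: htmlspecialchars() only rewrites
// < > & " and ', so it never removes a backslash that is already in the row.
function render(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

// Repair for rows written before the fix. Run it only on rows known to be
// double-escaped: stripslashes() would also eat legitimate backslashes.
function repair_double_escaped_row(string $stored): string
{
    return stripslashes($stored);
}

$post = post_as_seen_with_magic_quotes(RAW_TITLE);
echo "Magic-quoted POST : $post\n";
echo "SQL sent (double) : ", insert_statement($post), "\n";
echo "Stored (double)   : ", stored_double_escaped($post), "\n";
echo "Stored (once)     : ", stored_escaped_once($post, true), "\n";
echo "Rendered (double) : ", render(stored_double_escaped($post)), "\n";
echo "Repaired row      : ", repair_double_escaped_row(stored_double_escaped($post)), "\n";
```

Running it shows the statement carrying `Nuance\\\'s`, the row keeping `Nuance\'s`, and the same input stored as `Nuance's` when the magic-quote layer is stripped before the single real escape. The repair function is there for the rows already in crazytopu's table; new writes should go through the escape-once path instead.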
Posted: Fri Mar 30, 2007 4:40 am
by crazytopu
Aha!

That answers my question. Thanks a lot.
So, what is the common practice (more secure, in other words)? Use mysql_real_escape_string(), or use that code snippet to switch off magic quotes, provided that I don't have access to the php.ini file?
Posted: Fri Mar 30, 2007 5:03 am
by Jenk
onion2k wrote:crazytopu wrote:However, as stereofrog suggests, all data went through mysql_real_escape_string() before it was saved into the DB. I have used htmlspecialchars() to print out the content and the "\" is still there.
mysql_real_escape_string() escapes the data just like addslashes(). They're essentially the same thing. If you're using that as well as having magic quotes switched on then you're escaping the data twice.
Just to add, it is also better to use mysql_real_escape_string() over addslashes() if you are sending statements to a MySQL database.
Here is a function similar to the one in the user notes on php.net/mysql_real_escape_string (or the magic quotes page):
Code:
function escape_magic_quotes($string, $link = null)
{
    // Undo magic_quotes_gpc first so the value is escaped exactly once.
    if (get_magic_quotes_gpc()) $string = stripslashes($string);
    // Without an explicit link, let the extension pick the default connection.
    if ($link === null) return mysql_real_escape_string($string);
    return mysql_real_escape_string($string, $link);
}
Posted: Fri Mar 30, 2007 5:05 am
by stereofrog
Some people consider magic_quotes to be a design flaw in PHP, and the PHP group seems to agree now. Magic_quotes will be removed in PHP 6, so it's better to get used to coding without them.
See http://www.php.net/manual/en/security.magicquotes.php for a detailed discussion of the pros and cons of magic_quotes.