Extra slashes in SQL
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
I just signed up with a host that just closed up for the day. Unfortunately, that means I can't contact them about this until tomorrow.
All of my inserted SQL data has extra slashes on the apostrophes, meaning that my slashes were escaped after I inputted the data. All of my data is filtered through mysql_real_escape_string(), and tested locally, everything works fine.
My suspicion is that this company is purposely adding slashes to prevent SQL injection, and if it is the case, I *MUST* have it turned off. There's no way I'd put my website's security into the hands of a third-party, and calling stripslashes every time that I want to output data from my database is ridiculous.
However, if anyone knows of a way to change that sort of setting to "off," I'd appreciate it.
Well, it's not necessarily a nefarious plan of your host to add slashes to your data, but they probably do have magic_quotes on in the PHP config.
You should always check to make certain this is 'off' prior to using another method, or you wind up getting extra escaping slashes in your data, e.g.
Code:
// incoming $_POST data
if ( get_magic_quotes_gpc() ) {
    $_POST = array_map('stripslashes', $_POST);
}
// now use mysql_real_escape_string() to escape the data properly!

I prefer to turn them all off and do my own escaping..
Code:
function stripslashes_deep($value)
{
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}

// disable magic quotes..
if (get_magic_quotes_gpc()) {
    $_POST = array_map('stripslashes_deep', $_POST);
    $_GET = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
}
- AKA Panama Jack
- Forum Regular
- Posts: 878
- Joined: Mon Nov 14, 2005 4:21 pm
Re: Extra slashes in SQL
They are probably one of those fly-by-night hosting companies that have REGISTER_GLOBALS enabled in the php.ini. You need to get them to turn that off as it is a security risk and is OFF by DEFAULT anyway.

superdezign wrote:
My suspicion is that this company is purposely adding slashes to prevent SQL injection, and if it is the case, I *MUST* have it turned off. There's no way I'd put my website's security into the hands of a third-party, and calling stripslashes every time that I want to output data from my database is ridiculous.

You could add this to the start of every script. Or if you have a config that is always loaded add it to the beginning of the config.
Code:
if (get_magic_quotes_gpc())
{
    function strip_gpc_slashes(&$array)
    {
        if (!is_array($array))
            return;
        foreach ($array as $key => $val) {
            if (is_array($array[$key])) {
                strip_gpc_slashes($array[$key]);
            } else {
                $array[$key] = stripslashes($array[$key]);
            }
        }
    }
    // the references let the function modify the superglobals in place
    $gpc = array(&$_GET, &$_POST, &$_COOKIE, &$_FILES);
    strip_gpc_slashes($gpc);
}
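As an added example (not code posted by anyone in this thread), the script below reproduces the double escaping described in the opening post and then applies the recursive strip that both replies above recommend, including the nested-array case. simulate_magic_quotes() stands in for what the magic_quotes_gpc setting did to request data, and escape_for_mysql() stands in for mysql_real_escape_string(), which needs a live connection; for the apostrophe and backslash characters shown here both produce the same output as addslashes().

```php
<?php
// Simulate magic_quotes_gpc: addslashes() on every scalar, recursively,
// which is what PHP did to $_GET/$_POST/$_COOKIE before the script ran.
function simulate_magic_quotes($value) {
    return is_array($value) ? array_map('simulate_magic_quotes', $value) : addslashes($value);
}

// Undo it recursively (same idea as the stripslashes_deep() posted above).
function stripslashes_deep($value) {
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}

// Stand-in for mysql_real_escape_string(), which requires a connection.
// For ' and \ its output is identical to addslashes().
function escape_for_mysql($s) {
    return addslashes($s);
}

// Constructed request data as the browser sent it, with a nested array.
$raw = array('name' => "O'Brien", 'tags' => array("rock 'n' roll", 'C:\\path'));

// What the script actually receives when magic_quotes_gpc is on.
$_POST = simulate_magic_quotes($raw);

// Wrong: escaping a value that magic quotes already slashed.
$double = escape_for_mysql($_POST['name']);   // O\\\'Brien  (stored with a stray backslash)

// Right: strip the magic-quote slashes first, then escape exactly once.
$clean  = stripslashes_deep($_POST);
$single = escape_for_mysql($clean['name']);   // O\'Brien

// Self-checks: the strip restores the original data, nested arrays included,
// and the single-escaped form is what mysql_real_escape_string() should yield.
assert($clean === $raw);
assert($double === "O\\\\\\'Brien");
assert($single === "O\\'Brien");

echo "double-escaped: $double\n";
echo "escaped once:   $single\n";
```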