Extra slashes in SQL

superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

I just signed up with a host that just closed up for the day. Unfortunately, that means I can't contact them about this until tomorrow.

All of my inserted SQL data has extra slashes on the apostrophes, meaning that my slashes were escaped after I inputted the data. All of my data is filtered through mysql_real_escape_string(), and tested locally, everything works fine.

My suspicion is that this company is purposely adding slashes to prevent SQL injection, and if it is the case, I *MUST* have it turned off. There's no way I'd put my website's security into the hands of a third-party, and calling stripslashes every time that I want to output data from my database is ridiculous.


However, if anyone knows of a way to change that sort of setting to "off," I'd appreciate it.
bdlang
Forum Contributor
Posts: 395
Joined: Tue May 16, 2006 8:46 pm
Location: Ventura, CA US

Post by bdlang »

Well, it's not necessarily a nefarious plan of your host to add slashes to your data, but, they probably do have magic_quotes on in the PHP config. ;)

You should always check to make certain this is 'off' prior to using another method, or you wind up getting extra escaping slashes in your data, e.g.


// incoming $_POST data: undo the slashes magic_quotes_gpc added on the way in
if ( get_magic_quotes_gpc() ) {
    // note: array_map('stripslashes', ...) only handles one level; a nested
    // field such as name="tags[]" passes an array to stripslashes() and warns
    $_POST = array_map('stripslashes', $_POST);
}

// now use mysql_real_escape_string() to escape the data properly (exactly once)!
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

I prefer to turn them all off and do my own escaping..


// recursive stripslashes: handles nested arrays such as name="tags[]"
function stripslashes_deep($value)
{
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}

// disable magic quotes: undo the slashes PHP added to GET/POST/COOKIE on the way in
if (get_magic_quotes_gpc()) {
    $_POST   = array_map('stripslashes_deep', $_POST);
    $_GET    = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
}
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Wow. I'm on a server that uses magic_quotes... Fun. :P

This is their only PHP5 enabled server as well. I wonder if I can get them to disable it.


Anyway, thanks both of you. Awesome. :D
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Your code still needs to support having them on, though... ;)
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Oh crap.

What else do magic_quotes affect?
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

AKA Panama Jack
Forum Regular
Posts: 878
Joined: Mon Nov 14, 2005 4:21 pm

Re: Extra slashes in SQL

Post by AKA Panama Jack »

superdezign wrote:My suspicion is that this company is purposely adding slashes to prevent SQL injection, and if it is the case, I *MUST* have it turned off. There's no way I'd put my website's security into the hands of a third-party, and calling stripslashes every time that I want to output data from my database is ridiculous.
They are probably one of those fly by night hosting companies that have REGISTER_GLOBALS enabled in the php.ini. You need to get them to turn that off as it is a security risk and is OFF by DEFAULT anyway.

You could add this to the start of every script. Or if you have a config that is always loaded, add it to the beginning of the config.


if (get_magic_quotes_gpc())
{
    // walk the array in place (by reference) and strip the slashes magic quotes added
    function strip_gpc_slashes(&$array)
    {
        if (!is_array($array))
            return;
        foreach ($array as $key => $val)
            is_array($array[$key]) ? strip_gpc_slashes($array[$key]) : ($array[$key] = stripslashes($array[$key]));
    }
    // references to the superglobals, so they are modified in place
    $gpc = array(&$_GET, &$_POST, &$_COOKIE, &$_FILES);
    strip_gpc_slashes($gpc);
}
That will strip the slashes off if magic quotes is enabled.
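The following is an added, self-contained example that is not part of this thread and not code from any of the posters. It shows the double-escaping the original poster saw (magic_quotes_gpc adds a backslash, mysql_real_escape_string() then escapes that backslash too), and a normaliser in the spirit of the snippets above that leaves the same code correct whether magic quotes is on or off, as feyd asks for. Because magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8, the script emulates the directive with addslashes(), guards the runtime check with function_exists(), and uses a small stand-in escaper (escape_for_sql, an assumed helper) instead of the removed mysql_real_escape_string(), so it runs without a database. The input array $raw_post is constructed for the demonstration.

```php
<?php
// Added example, not from the original thread: why magic_quotes_gpc plus
// mysql_real_escape_string() double-escapes, and how to normalise input once
// at the top of the request so later code sees raw data regardless of the setting.
//
// magic_quotes_gpc / get_magic_quotes_gpc() no longer exist on modern PHP, so the
// directive is emulated with addslashes() and the runtime check is guarded.

declare(strict_types=1);

/** Emulate what magic_quotes_gpc did to $_GET/$_POST/$_COOKIE on arrival. */
function emulate_magic_quotes($value)
{
    return is_array($value)
        ? array_map('emulate_magic_quotes', $value)
        : addslashes((string) $value);
}

/** Recursive stripslashes, safe for nested arrays (e.g. name="tags[]"). */
function stripslashes_deep($value)
{
    return is_array($value)
        ? array_map('stripslashes_deep', $value)
        : stripslashes((string) $value);
}

/** True only if this runtime is still adding slashes to GPC data. */
function magic_quotes_active(): bool
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

/** Undo magic quotes exactly once, before any escaping happens. */
function normalise_gpc(array &$get, array &$post, array &$cookie): void
{
    if (magic_quotes_active()) {
        $get    = stripslashes_deep($get);
        $post   = stripslashes_deep($post);
        $cookie = stripslashes_deep($cookie);
    }
}

/**
 * Assumed stand-in for mysql_real_escape_string() (removed in PHP 7) so the demo
 * runs offline. Real code should escape with a live connection
 * (mysqli_real_escape_string) or, better, bind values with prepared statements.
 */
function escape_for_sql(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", "\"" => '\\"',
        "\0" => "\\0",  "\n" => "\\n", "\r" => "\\r",
    ]);
}

// Normalise the real superglobals (empty on the CLI, but this is where it belongs).
normalise_gpc($_GET, $_POST, $_COOKIE);

// Constructed sample input: what the browser actually sent.
$raw_post = ['title' => "O'Reilly's \"PHP\" book", 'tags' => ["don't", "won't"]];

// 1. What the original poster saw: magic quotes on, then escaped a second time.
$magic_post = emulate_magic_quotes($raw_post);
$double     = escape_for_sql($magic_post['title']);
// The backslash magic quotes inserted is itself escaped, so MySQL stores a
// literal backslash in front of every apostrophe: O\'Reilly\'s ...

// 2. The fix: strip what magic quotes added, then escape exactly once.
$fixed_post = stripslashes_deep($magic_post);
$single     = escape_for_sql($fixed_post['title']);

assert($fixed_post === $raw_post);
assert($single === "O\\'Reilly\\'s \\\"PHP\\\" book");
assert($double !== $single);

printf("double-escaped: %s\nescaped once:   %s\n", $double, $single);
```

Running this prints the doubly escaped title beside the correctly escaped one; the stripslashes_deep/normalise_gpc pair is the portable part, and the rest exists only to make the failure visible without a server that still has magic quotes.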
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

I did decide to go with a configuration file with this project. Speeds up a lot of stuff.

Thanks for these functions. :-D


Where would I be without DevNet? :wink:


Edit: I *JUST* realized that magic_quotes_gpc affects... GPC. Lol.