Extra slashes in SQL
Posted: Sun Jun 17, 2007 7:00 pm
by superdezign
I just signed up with a host that just closed up for the day. Unfortunately, that means I can't contact them about this until tomorrow.
All of my inserted SQL data has extra slashes on the apostrophes, meaning that my slashes were escaped after I inputted the data. All of my data is filtered through mysql_real_escape_string(), and tested locally, everything works fine.
My suspicion is that this company is purposely adding slashes to prevent SQL injection, and if it is the case, I *MUST* have it turned off. There's no way I'd put my website's security into the hands of a third party, and calling stripslashes every time that I want to output data from my database is ridiculous.
However, if anyone knows of a way to change that sort of setting to "off," I'd appreciate it.
Posted: Sun Jun 17, 2007 7:09 pm
by bdlang
Well, it's not necessarily a nefarious plan of your host to add slashes to your data, but they probably do have magic_quotes on in the PHP config.
You should always check to make certain this is 'off' prior to using another method, or you wind up getting extra escaping slashes in your data, e.g.
```php
// incoming $_POST data: undo the slashes magic_quotes_gpc added at request time
if ( get_magic_quotes_gpc() ) {
    $_POST = array_map('stripslashes', $_POST);
}
// now use mysql_real_escape_string() to escape the data properly!
```
Posted: Sun Jun 17, 2007 7:14 pm
by Benjamin
I prefer to turn them all off and do my own escaping..
```php
// recurse into nested arrays, stripping slashes from every leaf value
function stripslashes_deep($value) {
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}

// disable magic quotes..
if (get_magic_quotes_gpc()) {
    $_POST   = array_map('stripslashes_deep', $_POST);
    $_GET    = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
}
```
Posted: Sun Jun 17, 2007 8:19 pm
by superdezign
Wow. I'm on a server that uses magic_quotes... Fun.
This is their only PHP5 enabled server as well. I wonder if I can get them to disable it.
Anyway, thanks both of you. Awesome.

Posted: Sun Jun 17, 2007 8:21 pm
by feyd
Your code still needs to support having them on, though...

Posted: Sun Jun 17, 2007 10:30 pm
by superdezign
Oh crap.
What else do magic_quotes affect?
Posted: Sun Jun 17, 2007 10:35 pm
by Benjamin
Re: Extra slashes in SQL
Posted: Sun Jun 17, 2007 10:41 pm
by AKA Panama Jack
superdezign wrote: My suspicion is that this company is purposely adding slashes to prevent SQL injection, and if it is the case, I *MUST* have it turned off. There's no way I'd put my website's security into the hands of a third party, and calling stripslashes every time that I want to output data from my database is ridiculous.
They are probably one of those fly by night hosting companies that have REGISTER_GLOBALS enabled in the php.ini. You need to get them to turn that off as it is a security risk and is OFF by DEFAULT anyway.
You could add this to the start of every script. Or if you have a config that is always loaded, add it to the beginning of the config.
```php
if (get_magic_quotes_gpc())
{
    // walks an array by reference and strips slashes from every string leaf
    function strip_gpc_slashes(&$array)
    {
        if (!is_array($array))
            return;
        foreach ($array as $key => $val)
        {
            if (is_array($array[$key]))
                strip_gpc_slashes($array[$key]);
            else
                $array[$key] = stripslashes($array[$key]);
        }
    }
    // references, so the superglobals themselves are modified in place
    $gpc = array(&$_GET, &$_POST, &$_COOKIE, &$_FILES);
    strip_gpc_slashes($gpc);
}
```
That will strip the slashes off if magic quotes is enabled.
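An added example (not code from any of the posters) that shows concretely where the extra slashes from the first post come from, and that leaves non-string values in nested arrays untouched, which the recursive functions above do not check for. It simulates the directive with addslashes(), since magic_quotes_gpc is off on current interpreters (removed in PHP 5.4), and uses addslashes() in place of mysql_real_escape_string(), which needs a live connection; the $raw_post array is constructed input.

```php
<?php
// Constructed input, as the browser would have sent it
$raw_post = array('name' => "O'Reilly", 'tags' => array("it's", 'plain'), 'count' => 3);

// magic_quotes_gpc applied the equivalent of addslashes() to every GPC string
// before the script ran; simulated here because the directive no longer exists.
function simulate_magic_quotes($value) {
    if (is_array($value)) return array_map('simulate_magic_quotes', $value);
    return is_string($value) ? addslashes($value) : $value;
}

// Reverse it on strings only, so integers (e.g. sizes in $_FILES) stay integers.
function stripslashes_deep($value) {
    if (is_array($value)) return array_map('stripslashes_deep', $value);
    return is_string($value) ? stripslashes($value) : $value;
}

// Stand-in for mysql_real_escape_string(), which needs a database connection.
function escape_for_sql($s) { return addslashes($s); }

$magic_on = simulate_magic_quotes($raw_post);

// Wrong: escaping the already-slashed value escapes the backslash itself,
// so the backslash survives MySQL's unescaping and lands in the table.
$doubled = escape_for_sql($magic_on['name']);

// Right: undo magic quotes once, then escape exactly once at the query.
$clean  = stripslashes_deep($magic_on);
$single = escape_for_sql($clean['name']);

// The guard is what keeps the same code correct whether the host has the
// directive on or off; get_magic_quotes_gpc() is gone in PHP 8, hence the check.
$guarded = (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
    ? stripslashes_deep($_POST) : $_POST;

printf("raw:       %s\n", $raw_post['name']);
printf("magic on:  %s\n", $magic_on['name']);
printf("doubled:   %s\n", $doubled);
printf("single:    %s\n", $single);
var_dump($clean['count'] === 3, $clean['tags'][0] === "it's");
```

Compare the "doubled" and "single" lines: the first is what a query built on a magic_quotes host without the stripslashes step sends to MySQL, the second is the correctly escaped literal.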
Posted: Sun Jun 17, 2007 11:54 pm
by superdezign
I did decide to go with a configuration file with this project. Speeds up a lot of stuff.
Thanks for these functions.
Where would I be without DevNet?
Edit: I *JUST* realized that magic_quotes_gpc affects... GPC. Lol.