
Extra slashes in SQL

Posted: Sun Jun 17, 2007 7:00 pm
by superdezign
I just signed up with a host that just closed up for the day. Unfortunately, that means I can't contact them about this until tomorrow.

All of my inserted SQL data has extra slashes on the apostrophes, meaning that my slashes were escaped after I inputted the data. All of my data is filtered through mysql_real_escape_string(), and tested locally, everything works fine.

My suspicion is that this company is purposely adding slashes to prevent SQL injection, and if it is the case, I *MUST* have it turned off. There's no way I'd put my website's security into the hands of a third-party, and calling stripslashes every time that I want to output data from my database is ridiculous.


However, if anyone knows of a way to change that sort of setting to "off," I'd appreciate it.

Posted: Sun Jun 17, 2007 7:09 pm
by bdlang
Well, it's not necessarily a nefarious plan of your host to add slashes to your data, but, they probably do have magic_quotes on in the PHP config. ;)

You should always check to make certain this is 'off' prior to using another method, or you wind up getting extra escaping slashes in your data, e.g.

Code:

// incoming $_POST data
// (strips one level of magic quotes from top-level string values only;
//  nested arrays need a recursive strip, see the replies below)
if ( get_magic_quotes_gpc() ) {
    $_POST = array_map('stripslashes', $_POST);
}

// now use mysql_real_escape_string() to escape the data properly!

Posted: Sun Jun 17, 2007 7:14 pm
by Benjamin
I prefer to turn them all off and do my own escaping..

Code:

// recursively strip slashes from strings and nested arrays
function stripslashes_deep($value)
{
    return is_array($value)
        ? array_map('stripslashes_deep', $value)
        : stripslashes($value);
}

// disable magic quotes..
if (get_magic_quotes_gpc()) {
   $_POST    = array_map('stripslashes_deep', $_POST);
   $_GET     = array_map('stripslashes_deep', $_GET);
   $_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
}

Posted: Sun Jun 17, 2007 8:19 pm
by superdezign
Wow. I'm on a server that uses magic_quotes... Fun. :P

This is their only PHP5 enabled server as well. I wonder if I can get them to disable it.


Anyway, thanks both of you. Awesome. :D

Posted: Sun Jun 17, 2007 8:21 pm
by feyd
Your code still needs to support having them on, though... ;)

Posted: Sun Jun 17, 2007 10:30 pm
by superdezign
Oh crap.

What else do magic_quotes affect?

Posted: Sun Jun 17, 2007 10:35 pm
by Benjamin


Posted: Sun Jun 17, 2007 10:41 pm
by AKA Panama Jack
superdezign wrote: My suspicion is that this company is purposely adding slashes to prevent SQL injection, and if it is the case, I *MUST* have it turned off. There's no way I'd put my website's security into the hands of a third-party, and calling stripslashes every time that I want to output data from my database is ridiculous.
They are probably one of those fly by night hosting companies that have REGISTER_GLOBALS enabled in the php.ini. You need to get them to turn that off as it is a security risk and is OFF by DEFAULT anyway.

You could add this to the start of every script. Or if you have a config that is always loaded add it to the beginning of the config.

Code:

if (get_magic_quotes_gpc())
{
    // walk the array by reference so the superglobals themselves are modified
    function strip_gpc_slashes(&$array)
    {
        if (!is_array($array))
            return;
        foreach ($array as $key => $val)
        {
            if (is_array($array[$key]))
                strip_gpc_slashes($array[$key]);   // recurse into nested arrays
            else
                $array[$key] = stripslashes($array[$key]);
        }
    }
    // references, not copies, so each superglobal is cleaned in place
    $gpc = array(&$_GET, &$_POST, &$_COOKIE, &$_FILES);
    strip_gpc_slashes($gpc);
}
That will strip the slashes off if magic quotes is enabled.
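An added example (not code from anyone in this thread) that reproduces the doubled slashes the original poster saw and shows the order of operations that avoids them: undo magic_quotes_gpc first, then escape exactly once. The request data is constructed, escape_for_sql() stands in for mysql_real_escape_string() (which needs a live connection), and $magic_on stands in for get_magic_quotes_gpc(), which no longer exists on PHP 8.

```php
<?php
// Recursively undo magic_quotes_gpc on a request array (strings and nested arrays).
function strip_magic_quotes($value) {
    return is_array($value)
        ? array_map('strip_magic_quotes', $value)
        : stripslashes($value);
}

// Stand-in for mysql_real_escape_string(): same backslash escaping, no DB handle.
function escape_for_sql($s) {
    return addslashes($s);
}

// What PHP did to $_GET/$_POST/$_COOKIE when magic_quotes_gpc=On: addslashes() on every value.
function simulate_magic_quotes($value) {
    return is_array($value)
        ? array_map('simulate_magic_quotes', $value)
        : addslashes($value);
}

// Constructed form submission: an apostrophe and a literal backslash.
$submitted = array('name' => "O'Reilly", 'tags' => array("it's", 'C:\\temp'));
$post = simulate_magic_quotes($submitted);        // name arrives as O\'Reilly

// Round trip 1: host has magic quotes on, script escapes again (the OP's bug).
$stored = escape_for_sql($post['name']);          // O\\\'Reilly on the wire
$in_table = stripslashes($stored);                // MySQL removes one level: O\'Reilly

// Round trip 2: strip only when magic quotes is on, then escape once.
$magic_on = true;                                 // assumption: get_magic_quotes_gpc() result
if ($magic_on) {
    $post = strip_magic_quotes($post);
}
$stored_ok = escape_for_sql($post['name']);       // O\'Reilly on the wire
$in_table_ok = stripslashes($stored_ok);          // stored as O'Reilly

printf("double-escaped: %s (wrong)\n", $in_table);
printf("escaped once:   %s (right)\n", $in_table_ok);

if ($in_table_ok !== $submitted['name'] || $post['tags'][1] !== 'C:\\temp') {
    echo "normalization changed the original data\n";
    exit(1);
}
```

Note that the same double escaping happens if the strip step runs unconditionally on a host where magic quotes is off: stripslashes() would then eat legitimate backslashes such as the one in C:\temp, which is why the check on the setting has to stay.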

Posted: Sun Jun 17, 2007 11:54 pm
by superdezign
I did decide to go with a configuration file with this project. Speeds up a lot of stuff.

Thanks for these functions. :-D


Where would I be without DevNet? :wink:


Edit: I *JUST* realized that magic_quotes_gpc affects... GPC. Lol.