POST (user) data and magic quotes - security
Hello,
I usually use data POST'ed by users directly in my mysql queries - I have "magic quotes" ON (isn't this default?) - every apostrophe is replaced with \' automatically. The same with $_GET. So it's safe, right? Am I thinking correctly?
I'm asking because here - viewtopic.php?f=1&t=81931 using "mysql_real_escape_string" is suggested. When I used it, a single apostrophe was replaced twice resulting in :\\\'
So why do I still see suggestions about using "mysql_real_escape_string" or "addslashes" on data sent via POST or GET?
Re: POST (user) data and magic quotes - security
konrados wrote:So why do I still see suggestions about using "mysql_real_escape_string" or "addslashes" on data sent via POST or GET?
Because having magic quotes switched on is a bad idea, and if they're switched off you need to use mysql_real_escape_string() to quote stuff.
Re: POST (user) data and magic quotes - security
OK, thanks, but... why is "magic quotes" a bad idea? I created lots of scripts based on it....
Btw: I've just read http://us.php.net/magic_quotes - they say "This feature has been DEPRECATED and REMOVED" damn it... this means it is completely removed and I won't be able to turn it on?
I would have to rewrite hundreds of files....
Re: POST (user) data and magic quotes - security
I created the following functions to make my life easier:
Code:
<?php
// Adds slashes only if necessary: if magic quotes are on, the input is
// assumed to be escaped already; otherwise escape it for MySQL.
// mysql_real_escape_string() needs an open MySQL connection.
function WMagicAddSlashes($str) {
    if (get_magic_quotes_gpc()) return $str; // magic quotes already did it
    return mysql_real_escape_string($str);
}

// Removes slashes only if necessary: magic quotes added them, so strip them.
function WMagicStripSlashes($str) {
    if (get_magic_quotes_gpc()) return stripslashes($str);
    return $str;
}
?>
Is there something wrong with this concept? I want to use the "WMagicAddSlashes" function every time I want to use user-submitted data in a database query.
Btw: what's the difference between mysql_real_escape_string and addslashes? I can't see any according to the descriptions...
- RobertGonzalez
- Site Administrator
Re: POST (user) data and magic quotes - security
magic quotes escapes quote characters only. What about someone that throws a comment character to your query?
Add slashes, magic quotes, etc are not a good way to escape data hitting the database. Use the escape functions for each database layer you are using. That is what they are meant for.
- clickzilla
- Forum Newbie
Re: POST (user) data and magic quotes - security
One function I find very useful is this (I think I've seen it on php.net in a comment):
Code:
function filter_post_get($value) {
    // Undo the escaping magic quotes applied to request data...
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // ...then escape once, for the open MySQL connection if the
    // function is available, falling back to addslashes() otherwise.
    if (function_exists("mysql_real_escape_string")) {
        $value = mysql_real_escape_string($value);
    } else {
        $value = addslashes($value);
    }
    return $value;
}
... and the $value is ready to go in a mysql query.
(i.e. $sql = "SELECT * FROM table WHERE value='".$value."'")
Hope it helps!
- RobertGonzalez
- Site Administrator
Re: POST (user) data and magic quotes - security
If you are on a newer version of PHP/MySQL you could also look at prepared statements or stored procedures.
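A worked illustration of the two points RobertGonzalez makes in this thread (magic quotes only escape quote characters, so a comment character still gets through; prepared statements avoid the problem), added here as an example and not code from the thread or from any of its posters. It assumes PHP 7 or later with the pdo_sqlite extension and uses an in-memory SQLite database so it runs offline; the table, its rows and the attacker input are constructed for the example, and addslashes() stands in for what magic_quotes_gpc did to $_GET/$_POST data.

```php
<?php
// Added example, not from the thread. In-memory SQLite via PDO so it runs
// offline; the injection mechanics are the same against MySQL.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample data.
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, is_admin INTEGER)');
    $db->exec("INSERT INTO users VALUES (1, 'alice', 1), (2, 'bob', 0), (3, 'carol', 0)");
    return $db;
}

// The pattern the thread starts from: escape with slashes (what magic quotes
// did), then interpolate into the SQL. $id is used unquoted, so escaping
// quote characters changes nothing about how the value is parsed.
function findUserUnsafe(PDO $db, string $id): array {
    $escaped = addslashes($id);
    $sql = "SELECT login FROM users WHERE id = $escaped";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared statement: the value travels separately from the SQL text and
// is compared as data, so it cannot alter the statement's structure.
function findUserSafe(PDO $db, string $id): array {
    $stmt = $db->prepare('SELECT login FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = setupDb();

// Constructed attacker input. It contains no apostrophe, so magic quotes,
// addslashes() and mysql_real_escape_string() all leave it untouched; the
// trailing "-- " comments out whatever follows in the query.
$payload = '2 OR 1=1 -- ';

echo "addslashes()+interpolation, id=2:   ", implode(',', findUserUnsafe($db, '2')), "\n";
echo "addslashes()+interpolation, payload: ", implode(',', findUserUnsafe($db, $payload)), "\n";
echo "prepared statement, payload:         ", implode(',', findUserSafe($db, $payload)), "\n";
```

Run it and the unsafe query returns only bob for a normal id but every user for the payload, because the generated SQL becomes `... WHERE id = 2 OR 1=1 -- ` and nothing in the value needed escaping. The prepared statement returns no rows for the payload: no id equals that string. On the side question in the thread, mysql_real_escape_string() differs from addslashes() in that it escapes according to the character set of the open connection (and also escapes \n, \r, NUL and \x1a), which is why it needs a live connection; but like addslashes() it only has meaning for a value placed inside quotes, so neither helps with an unquoted numeric parameter.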
Re: POST (user) data and magic quotes - security
clickzilla wrote:One function I find very useful is this (I think I've seen it on php.net in a comment)... and the $value is ready to go in a mysql query.
Code:
function filter_post_get($value) {
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    if (function_exists("mysql_real_escape_string")) {
        $value = mysql_real_escape_string($value);
    } else {
        $value = addslashes($value);
    }
    return $value;
}
(i.e. $sql = "SELECT * FROM table WHERE value='".$value."'")
Hope it helps!
This function is buggy. http://www.logris.org/security/the-curs ... gic-quotes