POST (user) data and magic quotes - security

konrados
Forum Newbie
Posts: 17
Joined: Tue Apr 29, 2008 9:32 am

POST (user) data and magic quotes - security

Post by konrados »

Hello,

I usually use data POST'ed by users directly in my mysql queries - I have "magic quotes" ON (isn't this default?) - every apostrophe is replaced with \' automatically. The same with $_GET. So it's safe, right? Am I thinking correctly?

I'm asking because here - viewtopic.php?f=1&t=81931 using "mysql_real_escape_string" is suggested. When I used it, a single apostrophe was replaced twice resulting in :\\\'

So why do I still see suggestions about using "mysql_real_escape_string" or "addslashes" on data sent via POST or GET?
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: POST (user) data and magic quotes - security

Post by onion2k »

konrados wrote:So why do I still see suggestions about using "mysql_real_escape_string" or "addslashes" on data sent via POST or GET?
Because having magic quotes switched on is a bad idea, and if they're switched off you need to use mysql_real_escape_string() to quote stuff.
konrados
Forum Newbie
Posts: 17
Joined: Tue Apr 29, 2008 9:32 am

Re: POST (user) data and magic quotes - security

Post by konrados »

OK, thanks, but... why is "magic quotes" a bad idea? I created lots of scripts based on it....

Btw: I've just read http://us.php.net/magic_quotes - they say "This feature has been DEPRECATED and REMOVED" damn it... does this mean it is completely removed and I won't be able to turn it on?

I would have to rewrite hundreds of files.... :(
konrados
Forum Newbie
Posts: 17
Joined: Tue Apr 29, 2008 9:32 am

Re: POST (user) data and magic quotes - security

Post by konrados »

I created the following functions to make my life easier,

Code:

<?php
// Adds slashes only if necessary
function WMagicAddSlashes($str) {
  if (get_magic_quotes_gpc()) return $str; // magic quotes already escaped it
  return mysql_real_escape_string($str);
}

// Removes slashes only if necessary
function WMagicStripSlashes($str) {
  if (get_magic_quotes_gpc()) return stripslashes($str); // magic quotes added slashes, so they need to be removed
  return $str;
}
?>
Is there something wrong with this concept? I want to use the "WMagicAddSlashes" function every time I want to put user-submitted data into a database.

Btw: what's the difference between mysql_real_escape_string and addslashes? I can't see any according to the descriptions...
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: POST (user) data and magic quotes - security

Post by RobertGonzalez »

Magic quotes escapes quote characters only. What about someone that throws a comment character into your query?

addslashes, magic quotes, etc. are not a good way to escape data hitting the database. Use the escape functions for each database layer you are using. That is what they are meant for.
clickzilla
Forum Newbie
Posts: 3
Joined: Fri May 02, 2008 3:19 pm

Re: POST (user) data and magic quotes - security

Post by clickzilla »

One function I find very useful is this (I think I've seen it on php.net in a comment)

Code:

function filter_post_get($value) {
    // undo magic quotes so the value is escaped exactly once
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    if (function_exists("mysql_real_escape_string")) {
        $value = mysql_real_escape_string($value);
    } else {
        $value = addslashes($value);
    }
    return $value;
}
... and the $value is ready to go in a mysql query. :) (i.e. $sql = "SELECT * FROM table WHERE value='".$value."'")

Hope it helps!
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: POST (user) data and magic quotes - security

Post by RobertGonzalez »

If you are on a newer version of PHP/MySQL you could also look at prepared statements or stored procedures.
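As an added illustration of that suggestion (not code from this thread), here is the thread's `$sql = "SELECT * FROM table WHERE value='".$value."'"` query rewritten as a PDO prepared statement; the table and column names, DSN and credentials are placeholders, and the magic-quotes guard is only there for legacy installs.

```php
<?php
// Added example, not from the thread. Shows the concatenated query from
// clickzilla's post replaced by a PDO prepared statement. The table name
// `items`, column `value` and the connection details are placeholders.

/**
 * Return the raw user input, undoing magic quotes exactly once when the
 * legacy feature is on (it was removed in PHP 5.4, and
 * get_magic_quotes_gpc() itself no longer exists in PHP 8, hence the guard).
 * With this in place the data is never escaped twice, which is the \\\'
 * double-escaping seen in the first post.
 */
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

/**
 * Look up rows by value. The parameter travels separately from the SQL
 * text, so quotes, backslashes or comment sequences in $value are plain
 * data and cannot change the statement; no escaping call is needed at all.
 */
function find_by_value(PDO $db, string $value): array
{
    $stmt = $db->prepare('SELECT * FROM items WHERE value = :value');
    $stmt->execute([':value' => $value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholder connection settings (assumption, not from the thread).
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

$value = raw_input($_POST['value'] ?? '');
$rows  = find_by_value($db, $value);
```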
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: POST (user) data and magic quotes - security

Post by Mordred »

clickzilla wrote:One function I find very useful is this (I think I've seen it on php.net in a comment)
This function is buggy. http://www.logris.org/security/the-curs ... gic-quotes