POST (user) data and magic quotes - security
Posted: Wed Apr 30, 2008 11:24 am
by konrados
Hello,
I usually use data POST'ed by users directly in my mysql queries - I have "magic quotes" ON (isn't this default?) - every apostrophe is replaced with \' automatically. The same with $_GET. So it's safe, right? Am I thinking correctly?
I'm asking because here - viewtopic.php?f=1&t=81931 - using "mysql_real_escape_string" is suggested. When I used it, a single apostrophe was replaced twice, resulting in: \\\'
So why do I still see suggestions about using "mysql_real_escape_string" or "addslashes" on data sent via POST or GET?
Re: POST (user) data and magic quotes - security
Posted: Wed Apr 30, 2008 11:27 am
by onion2k
konrados wrote: So why do I still see suggestions about using "mysql_real_escape_string" or "addslashes" on data sent via POST or GET?
Because having magic quotes switched on is a bad idea, and if they're switched off you need to use mysql_real_escape_string() to quote stuff.
Re: POST (user) data and magic quotes - security
Posted: Wed Apr 30, 2008 11:31 am
by konrados
OK, thanks, but... why is "magic quotes" a bad idea? I created lots of scripts based on it....
Btw: I've just read
http://us.php.net/magic_quotes - they say "This feature has been DEPRECATED and REMOVED" damn it... this means it is completely removed and I won't be able to turn it on?
I would have to rewrite hundreds of files....

Re: POST (user) data and magic quotes - security
Posted: Wed Apr 30, 2008 1:18 pm
by konrados
I created the following functions to make my life easier,
Code:
<?php
// adds slashes only if necessary
function WMagicAddSlashes($str) {
    if (get_magic_quotes_gpc()) return $str; // magic quotes already did it
    return mysql_real_escape_string($str);
}

// removes slashes only if necessary
function WMagicStripSlashes($str) {
    if (get_magic_quotes_gpc()) return stripslashes($str); // magic quotes added slashes, so they need to be removed
    return $str;
}
?>
Is there something wrong with this concept? I want to use the "WMagicAddSlashes" function every time I want to put user-submitted data into a database.
Btw: what's the difference between mysql_real_escape_string and addslashes? I can't see any according to the descriptions...
Re: POST (user) data and magic quotes - security
Posted: Fri May 02, 2008 1:43 pm
by RobertGonzalez
Magic quotes escapes quote characters only. What about someone who throws a comment character into your query?
addslashes, magic quotes, etc. are not a good way to escape data hitting the database. Use the escape functions for each database layer you are using. That is what they are meant for.
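The difference konrados asks about, and RobertGonzalez's point that the escape function has to belong to the database layer, as an added example that is not code from the thread. It models in plain PHP what a connection-charset-aware escape such as mysqli::real_escape_string() does differently from addslashes(), using the byte rules of MySQL's GBK character set. gbk_escape() and quote_for_mysql() are stand-ins written for this illustration (the first modeled on the client library's escape routine), not functions from PHP, MySQL or the thread, and the strip-then-escape helper assumes the value really came from $_GET/$_POST/$_COOKIE, because that is all magic quotes ever touched.

```php
<?php
// Added example; gbk_escape() and quote_for_mysql() are stand-ins written for
// this illustration, not functions from PHP, MySQL or the thread.

// Model of the MySQL client library's escape routine for the GBK charset:
// a lead byte is 0x81-0xFE, a trail byte is 0x40-0x7E or 0x80-0xFE.
function gbk_escape(string $s): string
{
    $map = [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ];
    $out = '';
    $n = strlen($s);
    for ($i = 0; $i < $n; $i++) {
        $c = ord($s[$i]);
        $isLead = ($c >= 0x81 && $c <= 0xFE);
        if ($isLead && $i + 1 < $n) {
            $t = ord($s[$i + 1]);
            if (($t >= 0x40 && $t <= 0x7E) || ($t >= 0x80 && $t <= 0xFE)) {
                $out .= $s[$i] . $s[$i + 1]; // complete 2-byte character: copied untouched
                $i++;
                continue;
            }
        }
        if ($isLead) {
            // A lead byte with no valid trail byte is escaped on its own, so the
            // backslash added for a following quote cannot be swallowed as its trail byte.
            $out .= '\\' . $s[$i];
            continue;
        }
        $out .= $map[$s[$i]] ?? $s[$i];
    }
    return $out;
}

// Undo magic quotes (if on), then escape exactly once. Only valid for values
// that actually came from $_GET/$_POST/$_COOKIE.
function quote_for_mysql(string $fromRequest, bool $magicQuotesOn): string
{
    if ($magicQuotesOn) {
        $fromRequest = stripslashes($fromRequest);
    }
    return gbk_escape($fromRequest);
}

// 1. The \\\' konrados saw: magic_quotes_gpc already ran addslashes() on the
//    request, and escaping a second time also escapes the backslash it added.
$magicQuoted = addslashes("O'Reilly");            // what $_POST holds with magic_quotes_gpc=On
echo addslashes($magicQuoted), "\n";              // O\\\'Reilly  (double escaped)
echo quote_for_mysql($magicQuoted, true), "\n";   // O\'Reilly

// 2. Why addslashes() is not charset-aware: constructed payload, lead byte 0xBF then a quote.
$payload = "\xBF'";
echo bin2hex(addslashes($payload)), "\n"; // bf5c27   -> under GBK 0xBF5C is one character, leaving a bare '
echo bin2hex(gbk_escape($payload)), "\n"; // 5cbf5c27 -> the stray lead byte is escaped, the quote stays escaped
```

The second case is the whole argument for using the database layer's own escape function: it knows the connection's character set, while addslashes() and magic quotes only ever look at single bytes.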
Re: POST (user) data and magic quotes - security
Posted: Fri May 02, 2008 3:26 pm
by clickzilla
One function I find very useful is this (I think I've seen it on php.net in a comment)
Code:
function filter_post_get($value) {
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value); // undo the escaping magic quotes already applied
    }
    if (function_exists("mysql_real_escape_string")) {
        $value = mysql_real_escape_string($value); // needs an open mysql connection
    } else {
        $value = addslashes($value);
    }
    return $value;
}
... and the $value is ready to go in a mysql query.

(i.e. $sql = "SELECT * FROM table WHERE value='".$value."'")
Hope it helps!
Re: POST (user) data and magic quotes - security
Posted: Fri May 02, 2008 3:38 pm
by RobertGonzalez
If you are on a newer version of PHP/MySQL you could also look at prepared statements or stored procedures.
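RobertGonzalez's suggestion of prepared statements, as an added example that is not code from the thread: the concatenation pattern from the posts above next to a PDO prepared statement. It runs against an in-memory SQLite database so it needs no MySQL server (it assumes the pdo_sqlite extension is loaded); with MySQL only the DSN and credentials in build_db() change, the PDO calls stay the same. The table, rows and attacker input are constructed for the example.

```php
<?php
// Added example. PDO with an in-memory SQLite database so it runs without a
// MySQL server; with MySQL only the DSN and credentials in build_db() change.

function build_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL)');
    $db->exec("INSERT INTO users (name, is_admin) VALUES ('konrados', 0), ('admin', 1)"); // constructed sample rows
    return $db;
}

// The pattern from the thread: the value is pasted into the SQL text, so the
// server cannot tell data from query.
function find_user_concat(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared statement: the SQL is fixed, the value is bound separately and is
// never parsed as SQL, so no escaping (and no magic quotes juggling) is needed.
function find_user_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function add_user(PDO $db, string $name): void
{
    $stmt = $db->prepare('INSERT INTO users (name, is_admin) VALUES (:name, 0)');
    $stmt->execute([':name' => $name]);
}

$db = build_db();
$attack = "x' OR '1'='1";   // constructed attacker input

print_r(find_user_concat($db, $attack));    // [konrados, admin]: the quotes rewrote the WHERE clause
print_r(find_user_prepared($db, $attack));  // []: nobody is literally named x' OR '1'='1

// Apostrophes in legitimate data need no special handling either.
add_user($db, "O'Reilly");
print_r(find_user_prepared($db, "O'Reilly")); // [O'Reilly]
```

With the MySQL driver, set PDO::ATTR_EMULATE_PREPARES to false so the binding is done by the server rather than by client-side escaping, and name the connection charset in the DSN (charset=utf8mb4) so the driver and the server agree on it.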
Re: POST (user) data and magic quotes - security
Posted: Sat May 03, 2008 2:22 am
by Mordred
clickzilla wrote: One function I find very useful is this (I think I've seen it on php.net in a comment)
Code:
function filter_post_get($value) {
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value); // undo the escaping magic quotes already applied
    }
    if (function_exists("mysql_real_escape_string")) {
        $value = mysql_real_escape_string($value); // needs an open mysql connection
    } else {
        $value = addslashes($value);
    }
    return $value;
}
... and the $value is ready to go in a mysql query.

(i.e. $sql = "SELECT * FROM table WHERE value='".$value."'")
Hope it helps!
This function is buggy.
http://www.logris.org/security/the-curs ... gic-quotes