POST (user) data and magic quotes - security

Posted: Wed Apr 30, 2008 11:24 am
by konrados
Hello,

I usually use data POST'ed by users directly in my mysql queries - I have "magic quotes" ON (isn't this default?) - every apostrophe is replaced with \' automatically. The same with $_GET. So it's safe, right? Am I thinking correctly?

I'm asking because here - viewtopic.php?f=1&t=81931 using "mysql_real_escape_string" is suggested. When I used it, a single apostrophe was replaced twice, resulting in: \\\'

So why do I still see suggestions about using "mysql_real_escape_string" or "addslashes" on data sent via POST or GET?

Re: POST (user) data and magic quotes - security

Posted: Wed Apr 30, 2008 11:27 am
by onion2k
konrados wrote: So why do I still see suggestions about using "mysql_real_escape_string" or "addslashes" on data sent via POST or GET?
Because having magic quotes switched on is a bad idea, and if they're switched off you need to use mysql_real_escape_string() to quote stuff.

Re: POST (user) data and magic quotes - security

Posted: Wed Apr 30, 2008 11:31 am
by konrados
OK, thanks, but... why is "magic quotes" a bad idea? I created lots of scripts based on it....

Btw: I've just read http://us.php.net/magic_quotes - they say "This feature has been DEPRECATED and REMOVED" damn it... this means it is completely removed and I won't be able to turn it on?

I would have to rewrite hundreds of files.... :(

Re: POST (user) data and magic quotes - security

Posted: Wed Apr 30, 2008 1:18 pm
by konrados
I created the following functions to make my life easier,

<?php
// Adds slashes only if necessary
function WMagicAddSlashes($str) {
    if (get_magic_quotes_gpc()) return $str; // magic quotes already did it
    return mysql_real_escape_string($str);
}

// Removes slashes only if necessary
function WMagicStripSlashes($str) {
    if (get_magic_quotes_gpc()) return stripslashes($str); // magic quotes added slashes, so they need to be removed
    return $str;
}
?>

Is there something wrong with this concept? I want to use the "WMagicAddSlashes" function every time I want to use a user-submitted data to a database.

Btw: what's the difference between mysql_real_escape_string and addslashes? I can't see any according to the descriptions...

Re: POST (user) data and magic quotes - security

Posted: Fri May 02, 2008 1:43 pm
by RobertGonzalez
Magic quotes escapes quote characters only. What about someone that throws a comment character to your query?

addslashes, magic quotes, etc. are not a good way to escape data hitting the database. Use the escape functions for each database layer you are using. That is what they are meant for.

Re: POST (user) data and magic quotes - security

Posted: Fri May 02, 2008 3:26 pm
by clickzilla
One function I find very useful is this (I think I've seen it on php.net in a comment)

function filter_post_get($value) {
    // undo magic quotes first so the value is escaped exactly once
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    if (function_exists("mysql_real_escape_string")) {
        $value = mysql_real_escape_string($value);
    } else {
        $value = addslashes($value);
    }
    return $value;
}

... and the $value is ready to go in a mysql query. :) (i.e. $sql = "SELECT * FROM table WHERE value='".$value."'")

Hope it helps!

Re: POST (user) data and magic quotes - security

Posted: Fri May 02, 2008 3:38 pm
by RobertGonzalez
If you are on a newer version of PHP/MySQL you could also look at prepared statements or stored procedures.
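To tie the two points together, here is an added example (not code from any poster in this thread) that shows how the double escaping konrados saw arises and what the prepared-statement route looks like with mysqli. The connection parameters, the table `users(name)` and the helper `raw_input()` are assumptions for the example.

```php
<?php
// Added example: undo magic quotes exactly once, then let the driver handle
// the value. Assumes mysqli and a table `users(id, name)`; connection
// parameters below are placeholders.

// Step 1: bring the request value into a known, unescaped state.
// get_magic_quotes_gpc() only matters on PHP < 5.4 and is gone in PHP 8,
// hence the function_exists() guard.
function raw_input($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Constructed input, as if it came from $_POST['name'].
$posted = "O'Brien";

// With magic quotes on, PHP has already turned it into O\'Brien. Escaping
// that a second time is what produces the \\\' reported above:
$double = addslashes(addslashes($posted));   // O\\\'Brien  (wrong: escaped twice)

$mysqli = new mysqli('db-host-placeholder', 'user-placeholder',
                     'pass-placeholder', 'db-placeholder');
if ($mysqli->connect_errno) {
    die('connect failed: ' . $mysqli->connect_error);
}
$name = raw_input($posted);   // O'Brien, escaped zero times so far

// Option A: driver escaping. Unlike addslashes() this is charset-aware,
// which is the practical difference between the two functions.
$sql = "SELECT id FROM users WHERE name = '"
     . $mysqli->real_escape_string($name) . "'";

// Option B (preferred): a prepared statement. The value travels separately
// from the SQL text, so there is no escaping step to get wrong or forget.
$stmt = $mysqli->prepare('SELECT id FROM users WHERE name = ?');
$stmt->bind_param('s', $name);
$stmt->execute();
$stmt->bind_result($id);
while ($stmt->fetch()) {
    echo "found id $id\n";
}
$stmt->close();
```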

Re: POST (user) data and magic quotes - security

Posted: Sat May 03, 2008 2:22 am
by Mordred
clickzilla wrote: One function I find very useful is this (I think I've seen it on php.net in a comment)

function filter_post_get($value) {
    // undo magic quotes first so the value is escaped exactly once
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    if (function_exists("mysql_real_escape_string")) {
        $value = mysql_real_escape_string($value);
    } else {
        $value = addslashes($value);
    }
    return $value;
}

... and the $value is ready to go in a mysql query. :) (i.e. $sql = "SELECT * FROM table WHERE value='".$value."'")

Hope it helps!
This function is buggy. http://www.logris.org/security/the-curs ... gic-quotes