
Posted: Sat Aug 18, 2007 10:52 am
by superdezign
Magic quotes only apply to GPC data, and should be stripped from GPC data before you do anything in your program (if magic_quotes is on) and handled manually.

Posted: Sat Aug 18, 2007 11:19 am
by kkonline
superdezign wrote:Magic quotes only apply to GPC data, and should be stripped from GPC data before you do anything in your program (if magic_quotes is on) and handled manually.
OK, perfect. I understand it. I am working with $_POST['subject'] kind of data, so is it GPC data? Now I should check if magic quotes are on and, if they are, use stripslashes(),

then mysql_real_escape_string() on the data, and finally put it in the db.

Correct?

Posted: Sat Aug 18, 2007 11:35 am
by superdezign
kkonline wrote:OK, perfect. I understand it. I am working with $_POST['subject'] kind of data, so is it GPC data? Now I should check if magic quotes are on and, if they are, use stripslashes(),

then mysql_real_escape_string() on the data, and finally put it in the db.

Correct?
Yes, except you should handle GPC data with magic_quotes all at once. I use this in a generic config file that I include:

// Strip slashes from all GPC data
if (get_magic_quotes_gpc()) {
    // Walks an array recursively and removes the slashes magic_quotes added
    function strip_gpc_slashes(&$array) {
        if (!is_array($array)) {
            return;
        }
        foreach ($array as $key => $val) {
            is_array($array[$key]) ? strip_gpc_slashes($array[$key]) : ($array[$key] = stripslashes($val));
        }
    }

    // References, so the superglobals themselves are modified in place
    $gpc = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST, &$_FILES);
    strip_gpc_slashes($gpc);
}

Posted: Sat Aug 18, 2007 12:05 pm
by kkonline
superdezign wrote:
kkonline wrote:OK, perfect. I understand it. I am working with $_POST['subject'] kind of data, so is it GPC data? Now I should check if magic quotes are on and, if they are, use stripslashes(),

then mysql_real_escape_string() on the data, and finally put it in the db.

Correct?
Yes, except you should handle GPC data with magic_quotes all at once. I use this in a generic config file that I include:

// Strip slashes from all GPC data
if (get_magic_quotes_gpc()) {
    // Walks an array recursively and removes the slashes magic_quotes added
    function strip_gpc_slashes(&$array) {
        if (!is_array($array)) {
            return;
        }
        foreach ($array as $key => $val) {
            is_array($array[$key]) ? strip_gpc_slashes($array[$key]) : ($array[$key] = stripslashes($val));
        }
    }

    // References, so the superglobals themselves are modified in place
    $gpc = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST, &$_FILES);
    strip_gpc_slashes($gpc);
}
That means I should just include the above file, and it will do its task automatically without me calling the function or something...
Correct???

Posted: Sun Aug 19, 2007 6:38 am
by kkonline
In short, use mysql_real_escape_string() on any form input to the db, and htmlentities() and/or htmlspecialchars() on any output from the db which is to be displayed. Correct???
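Added example (not code from the thread or from either poster) showing the three stages discussed above, superdezign's "strip magic quotes once, up front" and kkonline's "escape on the way into the db, encode on the way out", against a constructed $_POST value so the double-escaping pitfall is visible. It assumes addslashes() as a stand-in for the SQL escaping step, since mysql_real_escape_string() needs a live connection; for the characters used here both produce the same backslashes.

```php
<?php
// Stage 1: undo magic_quotes_gpc, but only when it was actually applied.
// get_magic_quotes_gpc() no longer exists in PHP 8, hence the guard.
function normalize_gpc($value)
{
    $magic_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    if (!$magic_on) {
        return $value;
    }
    return is_array($value) ? array_map('normalize_gpc', $value) : stripslashes($value);
}

// Stage 2: escape exactly once for SQL. addslashes() is an assumed stand-in
// for mysql_real_escape_string(), which requires an open connection.
function for_sql($value)
{
    return "'" . addslashes($value) . "'";
}

// Stage 3: anything read back from the db is encoded for the HTML page.
function for_html($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed input: the user typed  O'Reilly <b>sale</b>  into the form.
// With magic_quotes_gpc ON, PHP hands the script the addslashes()'d form.
$typed  = "O'Reilly <b>sale</b>";
$posted = addslashes($typed);          // O\'Reilly <b>sale</b>  (what $_POST holds)

// Skipping the strip step escapes twice: the stored row keeps a literal
// backslash (O\'Reilly) instead of the apostrophe the user typed.
$double = for_sql($posted);            // 'O\\\'Reilly <b>sale</b>'
$single = for_sql(stripslashes($posted)); // 'O\'Reilly <b>sale</b>'

echo "double escaped : $double\n";
echo "escaped once   : $single\n";

// On output the <b> tags become inert text rather than markup.
echo "for display    : " . for_html($typed) . "\n";
```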