magicquotes

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


pavanpuligandla
Forum Contributor
Posts: 130
Joined: Thu Feb 07, 2008 8:25 am
Location: Hyderabad, India

magicquotes

Post by pavanpuligandla »

Hi,
can anyone tell me which one is the best practice:
setting magic quotes to "off" in php.ini, or handling it manually at runtime?

```php
// Undo the escaping only when magic_quotes_gpc is actually on; with it off,
// stripslashes() would remove backslashes the user really typed.
if (get_magic_quotes_gpc()) {
    $username = stripslashes($_POST['username']);
} else {
    $username = $_POST['username'];
}
```
What's the difference between stripslashes and strip_tags?
Should magic quotes be stripped from every variable that has been passed?
When should I use stripslashes and addslashes?

many thanks,
pavan.p
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Re: magicquotes

Post by Oren »

What's the difference between stripslashes and strip_tags?
C'mon... do your homework, pal, at least read the manual... we won't do it for you.
Do your homework, search the forums and the web in general, read... and then come to us with more specific questions.
Hannes2k
Forum Contributor
Posts: 102
Joined: Fri Oct 24, 2008 12:22 pm

Re: magicquotes

Post by Hannes2k »

Hi,
if you can modify your php.ini, you should disable magic_quotes_gpc there and then just use
$username = $_POST['username'];.

But most of the time you cannot modify the php.ini (e.g. your script should run on multiple servers); then you should also just use "$username = $_POST['username'];".

But then you have to place the following script in front of your code:

```php
// Run at the top of every request: if magic_quotes_gpc is on, undo its
// escaping so the rest of the code can treat the superglobals as raw input.
// (get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in 8.0.)
if (get_magic_quotes_gpc() == 1) {
    off_gpc();
}

// Apply stripslashes() recursively so nested arrays (field[] inputs) are handled too.
function makeoff($v) {
    return is_array($v) ? array_map('makeoff', $v) : stripslashes($v);
}

// Rewrite each superglobal in place; $GLOBALS["_POST"] is $_POST and so on.
function off_gpc() {
    foreach (array('POST', 'GET', 'REQUEST', 'COOKIE', 'SERVER') as $gpc) {
        $GLOBALS["_$gpc"] = array_map('makeoff', $GLOBALS["_$gpc"]);
    }
}
```

You should read more about SQL injection.
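An added example (not code from the thread) that does the runtime normalization described above once for all superglobals, including array keys and PHP versions where the function no longer exists, and then does what the SQL injection pointer implies: the raw value goes into a prepared statement, so addslashes() is never needed. The function names undo_magic_quotes() and find_user(), the PDO connection and the users table with id/username columns are assumptions.

```php
<?php
// Added example, not code from the thread. Normalizes request input once,
// whatever the magic_quotes_gpc setting is, then hands it to the database
// through a prepared statement so addslashes() is never needed.
// Assumptions: a PDO connection, a table "users" with "id"/"username" columns.

// Recursively undo magic-quotes escaping on values *and* keys (magic quotes
// escaped array keys as well as leaf values).
function undo_magic_quotes(array $data): array
{
    $out = [];
    foreach ($data as $key => $value) {
        $key = is_string($key) ? stripslashes($key) : $key;
        $out[$key] = is_array($value)
            ? undo_magic_quotes($value)
            : stripslashes((string) $value);
    }
    return $out;
}

// get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in 8.0, so
// guard the call; on modern PHP this block is simply skipped.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// Self-check on constructed input shaped as magic quotes would produce it:
// the literals are O\'Brien and, nested one level down, a\"b.
$escaped = ['name' => "O\\'Brien", 'tags' => ["a\\\"b"]];
if (undo_magic_quotes($escaped) !== ['name' => "O'Brien", 'tags' => ['a"b']]) {
    throw new RuntimeException('undo_magic_quotes() did not restore the raw input');
}

// From here on the values are raw user input. Never addslashes() them for SQL;
// bind them and let the driver quote. (Emulation off belongs at connection
// setup in real code; it is set here only to keep the example self-contained.)
function find_user(PDO $db, string $username): ?array
{
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```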