magicquotes

Posted: Sat Oct 18, 2008 1:48 pm
by pavanpuligandla
Hi,
can anyone tell which one is best practice:
setting magicquotes to "off" in php.ini, or manually doing it during runtime?

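Code:

// When magic_quotes_gpc is on, PHP has already added backslashes to the
// input, so strip them; otherwise use the value as submitted.
if (get_magic_quotes_gpc()) {
    $username = stripslashes($_POST['username']);
} else {
    $username = $_POST['username'];
}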

What's the difference between stripslashes and strip_tags?
Should every variable that has been passed escape magic quotes?
When to use strip slashes and add slashes?

many thanks,
pavan.p

Re: magicquotes

Posted: Sat Oct 18, 2008 4:03 pm
by Oren
What's the difference between stripslashes and strip_tags?
c'mon... do your HW pal, at least read the manual... we won't do it for ya.
Do your HW, search the forums and the web in general, read... and then come to us with more specific questions.

Re: magicquotes

Posted: Fri Oct 24, 2008 1:05 pm
by Hannes2k
Hi,
if you can modify your php.ini, you should disable magic_quotes_gpc in your php.ini and then just use
$username = $_POST['username'];.

But most of the time you cannot modify the php.ini (e.g. your script should run on multiple servers), but then you should also just use "$username = $_POST['username'];".

But now you have to place the following script in front of your code:

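Code:

// Run once at the top of the script: if magic quotes are on,
// strip the added backslashes from all request superglobals.
if (get_magic_quotes_gpc() == 1) {
    off_gpc();
}

// Recursively apply stripslashes() to a value or a nested array of values.
function makeoff($v) {
    return is_array($v) ? array_map('makeoff', $v) : stripslashes($v);
}

// Rewrite each superglobal in place with the unescaped values.
function off_gpc() {
    foreach (array('POST', 'GET', 'REQUEST', 'COOKIE', 'SERVER') as $gpc) {
        $GLOBALS["_$gpc"] = array_map('makeoff', $GLOBALS["_$gpc"]);
    }
}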

You should read more about SQL injections.
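
As an added example (not code from any poster in this thread): once the input is back to its raw form, it should reach the database as a bound parameter rather than through addslashes(). It assumes PHP 7.4+ with the pdo_sqlite extension; the table, column and sample values are constructed, and magic quotes are simulated with addslashes() because magic_quotes_gpc was removed in PHP 5.4.

```php
<?php
// Added example, not from the thread. Table, column and inputs are constructed.

// Simulates what magic_quotes_gpc did to request data: addslashes() on every value.
function simulate_magic_quotes(array $input): array {
    return array_map(
        fn($v) => is_array($v) ? simulate_magic_quotes($v) : addslashes($v),
        $input
    );
}

// Same idea as makeoff() in the post above: recursively undo the escaping.
function unquote($v) {
    return is_array($v) ? array_map('unquote', $v) : stripslashes($v);
}

// Constructed sample input; the second value contains SQL metacharacters.
$raw    = ['username' => "O'Brien", 'probe' => "x' OR '1'='1"];
$quoted = simulate_magic_quotes($raw); // what a script saw with magic quotes on
$post   = unquote($quoted);            // back to what the user actually typed

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT)');

// The value travels separately from the SQL text, so no manual escaping is needed.
$ins = $db->prepare('INSERT INTO users (username) VALUES (:u)');
$ins->execute([':u' => $post['username']]);

// Look up three candidates: the raw name, the metacharacter string,
// and the still-escaped name (what gets compared if the slashes are never stripped).
$sel = $db->prepare('SELECT COUNT(*) FROM users WHERE username = :u');
foreach ([$post['username'], $post['probe'], $quoted['username']] as $candidate) {
    $sel->execute([':u' => $candidate]);
    printf("%-16s => %d row(s)\n", $candidate, $sel->fetchColumn());
}
```

Only the raw name matches: the metacharacter string is compared as plain data, and the still-escaped value differs from what was stored, which is why the slashes are stripped once on input and escaping is left to the database driver.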