Magic quotes

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

sam_sun
Forum Newbie
Posts: 3
Joined: Wed Jan 21, 2009 3:55 am

Magic quotes

Post by sam_sun »

I have been using PHP 5 and use the following code for escaping input data:

function clean($str) {
    $str = @trim($str);                    // @ suppresses warnings if $str is not a string
    if (get_magic_quotes_gpc()) {          // magic_quotes_gpc backslashes GET/POST/COOKIE data
        $str = stripslashes($str);         // stripslashes() runs on whatever value is passed in
    }
    return mysql_real_escape_string($str); // escaping specific to mysql_query()
}

$cust_id = clean($_POST['cust_id']); //function call

magic_quotes_gpc/magic_quotes_runtime have been removed as of PHP 6.0.0. Why so? What other coding techniques do you guys use?

thanks!!
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Magic quotes

Post by Mordred »

The function is wrong, it will damage data containing slashes when it comes from sources other than get/post/cookie.
http://www.logris.org/security/the-curs ... gic-quotes

Also, you don't escape input data. You escape data before it is given to some functions, and every such function requires its own escaping. What you posted is relevant only to mysql_query().
sam_sun
Forum Newbie
Posts: 3
Joined: Wed Jan 21, 2009 3:55 am

Re: Magic quotes

Post by sam_sun »

hmmm.....thanks!!!
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Magic quotes

Post by kaisellgren »

If you pass something to a database, escape it. In your case the data may be used elsewhere, too.

You are forgetting magic_quotes_runtime. This may also mess up your code.

These were (will be) removed as of PHP 6, because they cause more problems than they solve.
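The following is an added example, not code posted by anyone in this thread. It puts both replies into one script: Mordred's point that stripslashes() must only touch the GET/POST/COOKIE data PHP actually backslashed and that escaping belongs at each sink, and kaisellgren's point that magic_quotes_runtime has to be switched off as well. The table and column names (customers, cust_id, name) and the connected mysqli object $db are assumptions; the sample values are constructed.

```php
<?php
// Added example, not code from the thread. (1) Undo magic_quotes_gpc once,
// only on GET/POST/COOKIE where PHP added the backslashes, and switch
// magic_quotes_runtime off. (2) Escape per sink instead of "cleaning" input.
// Written for PHP 5.x; on PHP 7+ the magic_quotes functions are gone and the
// guards simply skip. Table/column names (customers, cust_id, name) are
// hypothetical.

// Recursively strip one layer of magic-quote backslashes from a GPC array.
function strip_deep($value)
{
    return is_array($value) ? array_map('strip_deep', $value) : stripslashes($value);
}

// Step 1: run once at the top of the request. After this, request data is the
// raw user input and no other code ever calls stripslashes() on it.
function undo_magic_quotes()
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET     = strip_deep($_GET);
        $_POST    = strip_deep($_POST);
        $_COOKIE  = strip_deep($_COOKIE);
        $_REQUEST = strip_deep($_REQUEST);
    }
    // magic_quotes_runtime backslashes data read from files and databases;
    // turn it off so that data is not silently modified either.
    if (ini_get('magic_quotes_runtime')) {
        ini_set('magic_quotes_runtime', '0');
    }
}

// Step 2a: SQL sink. A prepared statement keeps the value out of the SQL text,
// so neither mysql_real_escape_string() nor magic quotes are needed here.
// $db is assumed to be a connected mysqli instance.
function fetch_customer(mysqli $db, $cust_id)
{
    $stmt = $db->prepare('SELECT cust_id, name FROM customers WHERE cust_id = ?');
    $stmt->bind_param('s', $cust_id);
    $stmt->execute();
    $stmt->bind_result($id, $name);
    $row = $stmt->fetch() ? array('cust_id' => $id, 'name' => $name) : null;
    $stmt->close();
    return $row;
}

// Step 2b: HTML sink. SQL escaping does nothing for HTML; this is the separate,
// per-function escaping Mordred's reply refers to.
function html_text($str)
{
    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
}

// Demonstration on constructed data, no database needed.
undo_magic_quotes();

// A value that did NOT come through GET/POST/COOKIE, e.g. read from a config
// file. Passing it through the thread's clean() while magic_quotes_gpc is on
// runs stripslashes() on data that was never backslashed.
$from_file = 'C:\temp\new_file.txt';     // constructed sample
$damaged   = stripslashes($from_file);  // what clean() would do to it
echo "file value:               $from_file\n";
echo "after the thread's clean(): $damaged\n";

// A request value is escaped only at the sink that receives it.
$_POST['cust_id'] = "O'Reilly <b>";      // constructed sample
echo 'HTML sink: ', html_text($_POST['cust_id']), "\n";
// SQL sink: fetch_customer($db, $_POST['cust_id']) with a live mysqli $db.
```

Running the script shows the damage Mordred describes: stripslashes() removes both backslashes from the file path, so a Windows path or any value containing a literal backslash that never passed through GET/POST/COOKIE is corrupted. The request value, by contrast, is left untouched until it reaches a sink, and each sink applies its own escaping (a bound parameter for MySQL, htmlspecialchars() for HTML).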