
Magic quotes

Posted: Wed Jan 21, 2009 4:02 am
by sam_sun
I have been using PHP 5 and use the following code for escaping input data:

function clean($str) {
    $str = @trim($str);                      // the @ hides any warning trim() would raise
    if (get_magic_quotes_gpc()) {            // undo the slashes magic_quotes_gpc added on arrival
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);   // escape for use inside a mysql_query() string
}

$cust_id = clean($_POST['cust_id']); // function call

magic_quotes_gpc/magic_quotes_runtime have been removed as of PHP 6.0.0. Why so? What other coding techniques do you guys use?

thanks!!

Re: Magic quotes

Posted: Thu Jan 22, 2009 3:19 am
by Mordred
The function is wrong: it will damage data containing slashes when it comes from sources other than GET/POST/cookie.
http://www.logris.org/security/the-curs ... gic-quotes

Also, you don't escape input data. You escape data before it is given to some functions, and every such function requires its own escaping. What you posted is relevant only to mysql_query().
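
As an added example (not Mordred's code or anything from the original thread): the script below makes the two points above concrete. It simulates magic_quotes_gpc with a boolean, since get_magic_quotes_gpc() and mysql_real_escape_string() are gone from current PHP (addslashes() stands in for the latter), and it assumes the pdo_sqlite extension is available. It first shows the data damage when clean() is fed a value that never went through magic quotes, then escapes one untrusted value for two different sinks: SQL via a bound parameter and HTML via htmlspecialchars(). The helper names simulate_magic_quotes() and clean_like_original() are hypothetical.

```php
<?php
// Added example, not from the original thread. Illustrates:
// (1) stripslashes() on data that never passed through magic_quotes_gpc
//     destroys legitimate backslashes, and
// (2) escaping belongs at each sink: the SQL sink and the HTML sink need
//     different treatment (a bound parameter and htmlspecialchars()).
// Magic quotes is simulated with a boolean and addslashes() stands in for
// mysql_real_escape_string(). Assumes the pdo_sqlite extension is loaded.

declare(strict_types=1);

/** What magic_quotes_gpc did to every request value: addslashes() on arrival. */
function simulate_magic_quotes(string $raw): string
{
    return addslashes($raw);
}

/** The poster's clean(), with the ini test replaced by a parameter (hypothetical helper). */
function clean_like_original(string $str, bool $magicQuotesOn): string
{
    $str = trim($str);
    if ($magicQuotesOn) {
        $str = stripslashes($str);
    }
    return addslashes($str); // stand-in for mysql_real_escape_string()
}

// Case 1: request data. Magic quotes added one layer of slashes, so removing
// that layer before escaping for the query is correct.
$fromRequest = simulate_magic_quotes("O'Brien");
echo clean_like_original($fromRequest, true), "\n";

// Case 2: the same function applied to a value that did NOT come from the
// request (a path read from a config file, say). Nothing added slashes here,
// so stripslashes() simply eats the backslashes and the path is corrupted.
$fromFile = 'C:\temp\report.txt';
echo clean_like_original($fromFile, true), "\n";

// Per-sink escaping: one untrusted value, two sinks.
$untrusted = "<b>Bob</b> O'Brien";

// SQL sink: hand the value to the driver as a bound parameter. No manual
// escaping, and the value can never be parsed as part of the SQL text.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customers (name TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO customers (name) VALUES (:name)');
$insert->execute([':name' => $untrusted]);

// The value is stored byte-for-byte; no slashes were added on the way in,
// so nothing has to be stripped on the way out.
$stored = $pdo->query('SELECT name FROM customers')->fetchColumn();
var_dump($stored === $untrusted);

// HTML sink: escape at the moment the value is written into markup, not when
// it arrives. This is the only HTML-specific step in the whole flow.
echo htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
```

Run it with the php CLI. The second echo is the one Mordred's first point is about: the backslashes in the path are gone although the value never came from the request. The PDO part is the alternative to escaping for the SQL sink at all, and the htmlspecialchars() call shows that output to a different sink needs its own, different escaping.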

Re: Magic quotes

Posted: Thu Jan 22, 2009 6:47 am
by sam_sun
hmmm.....thanks!!!

Re: Magic quotes

Posted: Thu Jan 22, 2009 11:45 am
by kaisellgren
If you pass something to a database, escape it. In your case the data may be used elsewhere, too.

You are forgetting magic_quotes_runtime. This may also mess up your code.

These were (will be) removed as of PHP 6, because they cause more problems than they solve.