Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Hi everyone.
Since I'm using WAMP server on my Windows PC and I have access to php.ini, the default values for magic_quotes_gpc, magic_quotes_runtime, magic_quotes_sybase are set to off, which I can change. Can anyone tell me what I should keep in mind while processing a form on another server?
Currently I'm checking for magic_quotes_gpc; should I check for runtime and sybase also?
What you are trying to do with this code is replicate the behaviour of magic_quotes.
What you should be trying to do is to check if it's enabled, so you can revert the changes it has made to your GPC variables. Then, use proper escaping of everything you put into dynamic SQL queries, regardless of where it comes from.
I only check magic_quotes_gpc(), but I only run my code on servers I control, so maybe I should be checking magic_quotes_runtime() as well. I think you only need to check the *_sybase() quotes if you're running a Sybase database.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
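The approach from the reply above (detect magic_quotes_gpc, revert what it did to the request data, then handle SQL safely yourself), as an added example that is not code from the thread. It uses PDO bound parameters as the way of keeping input out of the SQL string; the field name, table name, sample input and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Field and table names are hypothetical.

// True only on PHP builds that still have magic quotes (removed in 5.4.0)
// and have magic_quotes_gpc switched on.
function magic_quotes_active()
{
    return version_compare(PHP_VERSION, '5.4.0', '<') && get_magic_quotes_gpc();
}

// Recursively revert the escaping magic_quotes_gpc applied to a request array.
// On those old builds stripslashes() follows magic_quotes_sybase by itself
// (it turns '' back into ' instead of removing backslashes).
function undo_magic_quotes(array $input)
{
    $clean = array();
    foreach ($input as $key => $value) {
        if (is_string($key)) {
            $key = stripslashes($key); // keys can be escaped as well
        }
        $clean[$key] = is_array($value) ? undo_magic_quotes($value) : stripslashes($value);
    }
    return $clean;
}

// Constructed input: how $_POST arrives for the name O'Reilly with magic_quotes_gpc on.
$post = array('author' => "O\\'Reilly", 'tags' => array("it\\'s"));

// In a real script: if (magic_quotes_active()) { $_POST = undo_magic_quotes($_POST); }
$post = undo_magic_quotes($post);

// Assumption: the pdo_sqlite extension is available, used here as a stand-in database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE books (author TEXT)');

// The value is bound, never concatenated into the SQL string.
$stmt = $pdo->prepare('INSERT INTO books (author) VALUES (:author)');
$stmt->execute(array(':author' => $post['author']));

echo $pdo->query('SELECT author FROM books')->fetchColumn(), "\n";
```

The version check keeps the script from calling get_magic_quotes_gpc() on PHP releases where it is deprecated or no longer exists.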