magic_quotes_gpc(runtime, sybase)

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

miki86
Forum Newbie
Posts: 1
Joined: Fri Sep 03, 2010 11:47 am

magic_quotes_gpc(runtime, sybase)

Post by miki86 »

Hi everyone.
Since I'm using WAMP server on my Windows PC and I have access to php.ini, the default values for magic_quotes_gpc, magic_quotes_runtime and magic_quotes_sybase are set to off, which I can change. Can anyone tell me what I should keep in mind while processing a form on another server?
Currently I'm checking for magic_quotes_gpc; should I check for runtime and sybase also?

Code:

// Handle the registration form submission
if (($_SERVER['REQUEST_METHOD'] == 'POST') && ($action == "newuser")) {
	if (isset($_POST['register'])) {
		if (!get_magic_quotes_gpc()) {
			// magic_quotes_gpc is off: add the slashes by hand
			$_SESSION['username'] = addslashes($_POST['username']);
			$_SESSION['password'] = sha1(addslashes($_POST['password1']));
			$_SESSION['email'] = addslashes($_POST['email1']);
			$_SESSION['location'] = addslashes($_POST['location']);
			$_SESSION['sex'] = addslashes($_POST['sex']);
			$_SESSION['age'] = addslashes($_POST['age']);
		}
		else {
			// magic_quotes_gpc is on: the input already carries the slashes
			$_SESSION['username'] = $_POST['username'];
			$_SESSION['password'] = sha1($_POST['password1']);
			$_SESSION['email'] = $_POST['email1'];
			$_SESSION['location'] = $_POST['location'];
			$_SESSION['sex'] = $_POST['sex'];
			$_SESSION['age'] = $_POST['age'];
		}
	}
}
Thanks.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: magic_quotes_gpc(runtime, sybase)

Post by Mordred »

What you are trying to do with this code is replicate the behaviour of magic_quotes.
What you should be trying to do is to check if it's enabled, so you can revert the changes it has made to your GPC variables. Then, use proper escaping of everything you put into dynamic SQL queries, regardless of where it comes from.
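
The approach described in the reply above, as an added example that is not code from any poster in this thread: undo magic_quotes_gpc when it is on, then hand the raw values to the database through bound parameters instead of addslashes(). The helper names, the `users` table and the in-memory SQLite database reached through PDO are assumptions for illustration, and the sample input is constructed.

```php
<?php
// Recursively strip the slashes that magic_quotes_gpc added, including
// values nested in arrays (e.g. form fields named tags[]).
function undo_magic_quotes($value)
{
    return is_array($value)
        ? array_map('undo_magic_quotes', $value)
        : stripslashes($value);
}

// True only where the setting still exists and is switched on.
// get_magic_quotes_gpc() was removed in PHP 8, hence the guard.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Run once at the top of a request so the rest of the code sees raw input
// no matter how the server's php.ini is configured.
function raw_input(array $input)
{
    return magic_quotes_active() ? undo_magic_quotes($input) : $input;
}

// Constructed sample: what $_POST looks like on a server with magic quotes on.
$slashed = array(
    'username' => "O\\'Brien",
    'email1'   => 'ob@example.test',
    'location' => 'Cork',
    'tags'     => array("it\\'s", 'plain'),
);
$clean = undo_magic_quotes($slashed);

// In a real handler this would be: $clean = raw_input($_POST);

// Escaping happens at the point of use. With bound parameters the driver
// keeps data separate from the SQL text, so no manual quoting is needed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, email TEXT, location TEXT)');

$stmt = $db->prepare('INSERT INTO users (username, email, location) VALUES (?, ?, ?)');
$stmt->execute(array($clean['username'], $clean['email1'], $clean['location']));

// The stored value is the name as typed, with no stray backslash.
echo $db->query('SELECT username FROM users')->fetchColumn(), "\n";
```

On PHP versions that still have magic_quotes_sybase, stripslashes() follows that setting and collapses doubled apostrophes instead of removing backslashes, so the same helper covers it.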
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: magic_quotes_gpc(runtime, sybase)

Post by pickle »

I only check magic_quotes_gpc(), but I only run my code on servers I control, so maybe I should be checking magic_quotes_runtime() as well. I think you only need to check the *_sybase() quotes if you're running a Sybase database.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
pkphp
Forum Newbie
Posts: 12
Joined: Mon Sep 20, 2010 1:20 am

Re: magic_quotes_gpc(runtime, sybase)

Post by pkphp »

Oooops, I need this again. Thank you very much.