tags:

views:

38

answers:

1
Q: 

Help to understand magic_quotes_gpc()

i was learning this PHP code from a tutorial to upload files

<form method="post" enctype="multipart/form-data">
  <input name="userfile" type="file" id="userfile">  
</form>

<?php
  if (isset($_POST['upload']) && $_FILES['userfile']['size'] > 0) {
    $fileName = $_FILES['userfile']['name'];
    $tmpName  = $_FILES['userfile']['tmp_name'];
    $fileSize = $_FILES['userfile']['size'];
    $fileType = $_FILES['userfile']['type'];

    $fp      = fopen($tmpName, 'r');
    $content = fread($fp, filesize($tmpName));
    $content = addslashes($content);
    fclose($fp);

   if (!get_magic_quotes_gpc()) {
     $fileName = addslashes($fileName);
   }

   include 'library/config.php';
   include 'library/opendb.php';

   $query = "INSERT INTO upload (name, size, type, content ) ".
     "VALUES ('$fileName', '$fileSize', '$fileType', '$content')";

   mysql_query($query) or die('Error, query failed');
   include 'library/closedb.php';

now i understand every function and everything by using php documentation

EXCEPT

get_magic_quotes_gpc()
  • WHAT is it? What it does?
  • Is it eseential? If yes, Is there a replacement for this?
  • the PHP Manual said "This feature has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.". Elaborate please?
  • Isn't there a way to upload files to (web)server harDisk and provide links to them..
+2  A: 

get_magic_quotes_gpc() is a function that checks the configuration (php.ini) and returns 0 if magic_quotes_gpc is off (otherwise it returns 1).

When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NULs are escaped with a backslash automatically. This is to prevent all sorts of injection security issues.

In your case the code checks if the setting is off and adds slashes to properly escape the content to prevent SQL injection.

Like you said - this feature is deprecated and will certainly be removed in the future (in fact they removed it in PHP6).

The alternative is to escape the data at runtime as needed

DmitryK  2010-08-18 01:09:36
awesome.... couldn't have given a better explanation... man can you rewrite the PHP Manual for the world to understand
Junaid Saeed  2010-08-18 01:18:30
The only additions I'd make is to say that it tries to prevent injection security issues. It doesn't do a very good job (and hence the reason for functions like `mysql_real_escape_string`). And secondly, never use it (`magic_quotes_gpc`). If the function returns true (it's enabled), run `stripslashes` on all input. Then either bind your params via a prepared query, or use `mysql_real_escape_string/mysqli::real_escape_string`. **Do not rely upon `magic_quotes_gpc`**... There's a reason it's deprecated... (and your code posted in the question is vulnerable because of that)...
ircmaxell  2010-08-18 02:21:17

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases