If I have magic_quotes switched on and I use mysql_real_escape_string, will the tring be double escaped? Will it cause problems? I assume so based on the get_magic_quotes() function but just seeking confirmation. (PS it's easier to ask this question than test it in my office with all the security we have in place - It takes me 10-15 to configure everything to get a useable envirnment)
views:
172answers:
4
+2
A:
If you escape a value obtained from get/post/cookie input, it will already have addslashes() applied to it, so passing it through mysql_real_escape_string() will in fact, double quote.
To strip em:
if (get_magic_quotes_gpc())
{
$_GET = json_decode(stripslashes(json_encode($_GET, JSON_HEX_APOS)), true);
$_POST = json_decode(stripslashes(json_encode($_POST, JSON_HEX_APOS)), true);
$_COOKIE = json_decode(stripslashes(json_encode($_COOKIE, JSON_HEX_APOS)), true);
$_REQUEST = json_decode(stripslashes(json_encode($_REQUEST, JSON_HEX_APOS)), true);
ini_set('magic_quotes_gpc', 0);
}
This question has some other options for stripping quotes / dealing with the horrible magic_quotes_gpc PHP 'feature'.
gnarf
2010-04-22 06:04:16
ini_set('magic_quotes_gpc', 0); - funny one :)
Col. Shrapnel
2010-04-22 06:16:19
why not to use usual array_map_recursive?
Col. Shrapnel
2010-04-22 06:18:56
I know nothing about slashes... I only found out what magic_quotes were about 15 minutes ago... I'm trying to understand everything a bit more...
sjw
2010-04-22 06:26:32
@col. Shrapnel - I believe the ini_set will ensure no other libs detect/unslash that it is set. And the array_walk_recursive won't unmunge key names either (which magic quotes will mess with)
gnarf
2010-04-22 06:56:25
@hairdresser-101 - try looking up sql injections to see why php (wrongly) thought to escape all input by default.
gnarf
2010-04-22 06:59:56
Since we're using the `JSON_HEX_APOS` constant this solution is only compatible with PHP 5.3 and above, see this question (http://stackoverflow.com/questions/2077711/php-shorter-magic-quotes-solution) for more info.
Alix Axel
2010-05-19 05:44:45
+4
A:
Read the documentation of mysql_real_escape_string (I hope this is not difficult as well):
Note: If
magic_quotes_gpcis enabled, first applystripslashes()to the data. Using this function on data which has already been escaped will escape the data twice.
Felix Kling
2010-04-22 06:04:48
If i read the documentation then you wouldn't have anyone to belittle in these forums to make you feel better about yourself...
sjw
2010-04-22 06:25:42
You guys are pathetic! You all stick together and belittle anyone who isn't as educated as you are!!! Perhaps try helping people instead of scoffing at their questions and you won't have to "downvote" their comments!
sjw
2010-04-22 06:45:49
To be quite honest, you are only fanning the flames @hairdresser-101. The suggestion to read the docs on the topic is a legitmate peice of advice to give to someone. The jab about the difficulty of doing such was probably unneccesary though @Felix ;)
gnarf
2010-04-22 07:32:17
@gnarf: You are probably right. But some people spend the same amount of time (10-15 min) to give really good answers (this one is not one of them ;)) And honestly, 10 minutes to test something is not that much. I had probably needed the same amount of time. The question itself is ok (despite that it can be answered by reading the documentation), I just think the last sentence is unnecessary and considering how (s)he dealt with his last questions I could not restrain to do such a remark. Please forgive me :)
Felix Kling
2010-04-22 08:38:14
A:
If I have magic_quotes switched on and I use mysql_real_escape_string, will the tring be double escaped?
Yes, it will but you could do something like this though:
if (get_magic_quotes_gpc())
{
$escaped = stripslashes($your_vars);
}
Note: You can disable the magic quotes from PHP.ini or use the below function to override it:
// no more magic quotes
function get_magic_quotes_gpc()
{
return false;
}
Sarfraz
2010-04-22 06:09:03
@Col. Shrapnel: That will override the default function, so `get_magic_quotes_gpc()` won't do what it does.
Sarfraz
2010-04-22 07:11:00
+1
A:
Of course, the easiest way is to turn magic_quotes off.
wuth usual PHP/Apache config, this line
php_flag magic_quotes_gpc 0
in the .htaccess file will do the thing.
but for the compatibility purpose, a function can be used in some config file too.
if ( get_magic_quotes_gpc( ) ) {
$_GET = array_map_recursive('stripslashes', $_GET) ;
$_POST = array_map_recursive('stripslashes', $_POST) ;
$_COOKIE = array_map_recursive('stripslashes', $_COOKIE) ;
$_REQUEST = array_map_recursive('stripslashes', $_REQUEST) ;
if (isset($_SERVER['PHP_AUTH_USER'])) stripslashes($_SERVER['PHP_AUTH_USER']);
if (isset($_SERVER['PHP_AUTH_PW'])) stripslashes($_SERVER['PHP_AUTH_PW']);
}
one of the easiest
Col. Shrapnel
2010-04-22 06:29:15