magic-quotes

Magic quotes in PHP

According to the PHP manual, in order to make code more portable, they recommend using something like the following for escaping data: if (!get_magic_quotes_gpc()) { $lastname = addslashes($_POST['lastname']); } else { $lastname = $_POST['lastname']; } I have other validation checks that I will be performing, but how secure is...

Work around magic quotes, or just make sure they're off?

Is it worth changing my code to be "more portable" and able to deal with the horror of magic quotes, or should I just make sure that it's always off via a .htaccess file? if (get_magic_quotes_gpc()) { $var = stripslashes($_POST['var']); } else { $var = $_POST['var']; } -- vs -- php_flag magic_quotes_gpc off ...

Understanding input escaping in PHP

Hi, One thing that's always confused me is input escaping and whether or not you're protected from attacks like SQL injection. Say I have a form which sends data using HTTP POST to a PHP file. I type the following in an input field and submit the form: "Hello", said Jimmy O'Toole. If you print/echo the input on the PHP page that rec...

Is there any value in PHP checking a bool vs an int?

I have the following line: $this->magicQuotes = (bool) get_magic_quotes_gpc(); I am taking the get_magic_quotes_gpc() value and storing it in my object as it's used many times as I generate the SQL. I am also converting it to a bool. I'm wondering if it's worthwhile converting it to bool. The main reason I am is for speed as the statement tha...

How to turn off magic quotes on shared hosting?

I want to turn off PHP's magic quotes. I don't have access to php.ini. When I tried to add php_flag magic_quotes_gpc off to my .htaccess file, I get a 500 internal server error. This is what my .htaccess file looks like: AddType x-mapp-php5 .php php_flag magic_quotes_gpc off Then I tried to use ini_set('magic_quotes_gpc', 'O'), but...

How can I disable PHP magic quotes at runtime?

I'm writing a set of PHP scripts that'll be run in some different setups, some of them shared hosting with magic quotes on (the horror). Without the ability to control PHP or Apache configuration, can I do anything in my scripts to disable PHP quotes at runtime? It'd be better if the code didn't assume magic quotes are on, so that I ca...

Which one will be better to use: default magic quotes or user-defined addslash/stripslash in PHP?

Which one will be better to use: default magic quotes or user-defined addslash/stripslash in PHP? I want to use the best one. Please help me. ...

Function escaping quote is not working correctly [Solved]

Hi, (PHP & MySQL) I'm trying to figure out how come this function does not work correctly. It adds an extra \ every time I edit my entries. The online server has these settings: magic_quotes_gpc On magic_quotes_runtime Off magic_quotes_sybase Off function esc($s) { if (get_magic_quotes_gpc()) { if (ini_get('magic_quotes_sy...

How to turn off magic quotes in PHP configuration file? I am using XAMPP.

What is the file? I have php.ini and php.ini-dist on my computer. ...

Magic quotes on older and new versions of PHP

This code is supposed to ensure that clean code gets to the database. It is supposed to work in earlier versions of PHP (earlier than 4.3.0) and later versions of PHP (older than 4.3.0). It works well because the data gets to the database without a problem, but I get an error on the browser: $menu_name = mysql_prep($_POST['menu_name']); ...

Antidote for magic_quotes_gpc()?

I've seen dozens of PHP snippets that go like this: function DB_Quote($string) { if (get_magic_quotes_gpc() == true) { $string = stripslashes($string); } return mysql_real_escape_string($string); } What happens if I call DB_Quote("the (\) character is cool");? (Thanks jspcal!) Aren't we supposed to strip slas...

Which superglobals are affected by magic_quotes_gpc = 1?

By looking at the name of this directive one may think that magic_quotes are only applied to $_GET, $_POST and $_COOKIE superglobals but there is one perturbing comment on the PHP Manual: Please note, that when magic_quotes_gpc is set not only $_POST, $_GET, $_REQUEST, $_COOKIE arrays values are slashed. Actually every string...

PHP - Shorter Magic Quotes Solution

I'm writing an app that needs to be portable. I know I should disable magic quotes on the PHP configuration but in this case I don't know if I can do that, so I'm using the following code: if (get_magic_quotes_gpc() === 1) { $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST); while (list($key, $val) = each($process)) {...

What are magic quotes runtime in PHP?

I'm totally aware of the aberration of Magic Quotes in PHP, how it is evil and I avoid them like pest, but what are magic_quotes_runtime? From php.ini: Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc. Is it something I should check if ON and turn OFF with: set_magic_quotes_runtime(false); Is it ...

PHP magic_quotes_gpc vulnerability

I've been assigned to one of my company's legacy webapps, and after a day or two of poking around the source, I've found an SQL injection vector similar to the following: mysql_query("SELECT * FROM foo WHERE bar='" . $_GET['baz'] . "'"); I've tried to perform an SQL injection test against this, but it fails, due to PHP's magic_quotes_...

PHP: how to (correctly) remove escaped quotes in arrays when Magic Quotes are ON

As you know when Magic Quotes are ON, single quotes are escaped in values and also in keys. Most solutions to remove Magic Quotes at runtime only unescape values, not keys. I'm seeking a solution that will unescape keys and values... I found out on PHP.net this piece of code: $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST); wh...

Mysql Real Escape String PHP Function Adding "\" to My Field Entry

Hello, I am submitting a form to my MySQL database using PHP. I am sending the form data through the mysql_real_escape_string($content); function. When the entry shows up in my database (checking in phpMyAdmin) all of my double quotes and single quotes are escaped. I'm fairly certain this is a PHP configuration issue? so: $c...

Why is turning magic_quotes_gpc on in PHP considered a bad practice?

Why is turning magic_quotes_gpc on in PHP considered a bad practice? ...

Does using magic_quotes() affect the use of mysql_real_escape_string()

If I have magic_quotes switched on and I use mysql_real_escape_string, will the string be double escaped? Will it cause problems? I assume so based on the get_magic_quotes() function but just seeking confirmation. (PS it's easier to ask this question than test it in my office with all the security we have in place - It takes me 10-15 to...

PHP keeps escaping my form's input (adding \ behind my ')

So basically when I type something with an apostrophe, such as John's bike it will echo John\'s bike. The code below: <?php $searchname = $_POST["name"] ; echo "$searchname"; My form uses the POST method. Is there any way to stop this? Also to make input case insensitive how would I go about in this segment? $searchsport = $_POST['s...