Women in Technology

Article:		Ten Security Checks for PHP, Part 1
Subject:		magic quotes
Date:		2003-03-24 06:13:55
From:		anonymous2
> We have had magic_quotes_gpc on for over a > year and constantly use addslashes on user > input before inserting it into an sql > database. Because the magic_quotes_gpc is going to automatically add slashes to your input and then you're manually calling addslashes(), which will prepend every slash that magic_quotes just added with a another slash. You're unnecessarily doubling up every occurence of a slash. The only safe way to use the addslashes function with magic_quotes is something like this: if (!ini_get('magic_quotes_gpc')) { entry = addslashes ($entry); }

Showing messages 1 through 2 of 2.

• magic quotes
  2003-03-24 13:27:20  clancymalcolm [View]
  
  
  This is correct, but don't forget that even if you have magic_quotes_gpc turned on you will still need to use the addslashes for data that isn't coming from the get/post/cookie data.
• magic quotes
  2003-03-26 09:51:33  melvyn [View]
  
  
  This is easily done by using the following function (you could even extend it with a second argument say "$which='gpc'"):
  ===========
  function safe_addslashes($string)
  {
  static $setting;
  
  if(empty($setting))
  {
  $setting = (get_magic_quotes_gpc()) ? 'yup' : 'nope';
  }
  
  return ($setting == 'yup') ? $string : addslashes($string);
  }
  ===========
  And it's counterpart:
  ===========
  function safe_stripslashes($string)
  {
  static $setting;
  
  if(empty($setting))
  {
  $setting = (get_magic_quotes_gpc()) ? 'yup' : 'nope';
  }
  
  return ($setting == 'yup') ? stripslashes($string) : $string;
  }
  ===========
  Using a simple find/sed|perl combination you can change all calls to add|stripslashes in your files relatively easy and can switch the magic_quotes_gpc option on and off at will, without this affecting security nor output.
  
  HTH