Article:
  Ten Security Checks for PHP, Part 1
Subject:   magic quotes
Date:   2003-03-24 06:13:55
From:   anonymous2
> We have had magic_quotes_gpc on for over a
> year and constantly use addslashes on user
> input before inserting it into an sql
> database.


Because the magic_quotes_gpc is going to automatically add slashes to your input and then you're manually calling addslashes(), which will prepend every slash that magic_quotes just added with a another slash. You're unnecessarily doubling up every occurence of a slash. The only safe way to use the addslashes function with magic_quotes is something like this:


if (!ini_get('magic_quotes_gpc')) {
entry = addslashes ($entry);
}

Main Topics Oldest First

Showing messages 1 through 1 of 1.

  • magic quotes
    2003-03-24 13:27:20  clancymalcolm [View]

    This is correct, but don't forget that even if you have magic_quotes_gpc turned on you will still need to use the addslashes for data that isn't coming from the get/post/cookie data.