Article:
  Ten Security Checks for PHP, Part 1
Subject:   magic quotes
Date:   2003-03-24 06:13:55
From:   anonymous2
> We have had magic_quotes_gpc on for over a
> year and constantly use addslashes on user
> input before inserting it into an sql
> database.


Because magic_quotes_gpc automatically adds slashes to your input, and then you're manually calling addslashes(), which prepends another slash to every slash that magic_quotes just added. You're unnecessarily doubling up every occurrence of a slash. The only safe way to use the addslashes function with magic_quotes is something like this:


if (!ini_get('magic_quotes_gpc')) {
    // Only escape by hand when the runtime has not already done it
    $entry = addslashes($entry);
}
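
As an added example (not code from the thread or the article), the following script makes the doubling visible. `simulate_gpc()` is a stand-in for what PHP places in `$_POST` under each magic_quotes_gpc setting, `value_as_stored()` models the one level of backslash decoding an SQL parser applies to a string literal, and the request value `O'Reilly` is constructed here; `magic_quotes_active()` wraps the real runtime check from the post, guarded because `get_magic_quotes_gpc()` no longer exists in PHP 8.

```php
<?php
// Added example, not code from the thread: shows the doubling anonymous2 describes
// and the conditional escape that avoids it. The request value is constructed here.

// Stand-in for what PHP places in $_POST: with magic_quotes_gpc=On the engine has
// already run addslashes() over the raw request value.
function simulate_gpc(string $raw, bool $magic_quotes_on): string
{
    return $magic_quotes_on ? addslashes($raw) : $raw;
}

// Escape for an SQL string literal only if the runtime has not done it already.
function escape_for_sql_literal(string $value, bool $already_escaped): string
{
    return $already_escaped ? $value : addslashes($value);
}

// get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8 (magic
// quotes themselves were removed in PHP 5.4), so treat its absence as "off".
function magic_quotes_active(): bool
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// The check from the post, as a wrapper around the real runtime setting.
function escape_request_value(string $value): string
{
    return escape_for_sql_literal($value, magic_quotes_active());
}

// What the database ends up storing: the SQL parser removes exactly one level of
// backslash escaping, which stripslashes() models for the addslashes() dialect.
function value_as_stored(string $sql_literal_body): string
{
    return stripslashes($sql_literal_body);
}

$raw = "O'Reilly";   // constructed request value

foreach ([false, true] as $magic) {
    $fromPost = simulate_gpc($raw, $magic);
    $naive    = addslashes($fromPost);                      // unconditional, as in the quoted post
    $once     = escape_for_sql_literal($fromPost, $magic);  // conditional, as anonymous2 suggests

    printf("magic_quotes_gpc=%s, \$_POST value: %s\n", $magic ? 'On' : 'Off', $fromPost);
    printf("  addslashes() regardless: %-14s stored as: %s\n", $naive, value_as_stored($naive));
    printf("  escaped once           : %-14s stored as: %s\n", $once, value_as_stored($once));
}

// Against the live runtime rather than the simulation:
echo "live runtime: ", escape_request_value($raw), "\n";
```

With magic quotes on, the unconditional call turns `O\'Reilly` into `O\\\'Reilly`, and the database stores a stray backslash in the name; the conditional version stores the name as typed either way. Note that addslashes() is only a generic backslash escaper and knows nothing about the connection character set, so even the corrected check is a stop-gap next to a database-aware escaper or parameterised queries.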


  • magic quotes
    2003-03-24 13:27:20  clancymalcolm

    This is correct, but don't forget that even if you have magic_quotes_gpc turned on you will still need to use the addslashes for data that isn't coming from the get/post/cookie data.
    • magic quotes
      2003-03-26 09:51:33  melvyn

      This is easily done by using the following function (you could even extend it with a second argument say "$which='gpc'"):
      ===========
      function safe_addslashes($string)
      {
          // Cached on the first call. Strings rather than booleans are used so
          // that empty() only triggers the lookup once (empty(false) is true).
          static $setting;

          if (empty($setting))
          {
              $setting = (get_magic_quotes_gpc()) ? 'yup' : 'nope';
          }

          // Magic quotes already escaped GPC input, so only escape when it's off
          return ($setting == 'yup') ? $string : addslashes($string);
      }
      ===========
      And its counterpart:
      ===========
      function safe_stripslashes($string)
      {
          // Same cached lookup as in safe_addslashes()
          static $setting;

          if (empty($setting))
          {
              $setting = (get_magic_quotes_gpc()) ? 'yup' : 'nope';
          }

          // Only strip when magic quotes actually added something to strip
          return ($setting == 'yup') ? stripslashes($string) : $string;
      }
      ===========
      Using a simple find/sed|perl combination you can change all calls to add|stripslashes in your files relatively easily and can switch the magic_quotes_gpc option on and off at will, without this affecting security or output.

      HTH
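
As an added example (not melvyn's code or the article's), the following takes the other route to the same goal: rather than wrapping every addslashes()/stripslashes() call, undo magic quotes once at the request boundary so the rest of the application always sees raw input, and leave quoting to the database driver through prepared statements. It assumes the pdo_sqlite extension is available; the `users` table and the request value are constructed here, and `get_magic_quotes_gpc()` is guarded because it no longer exists in PHP 8.

```php
<?php
// Added example, not from the thread: normalise magic quotes once per request,
// then rely on prepared statements instead of addslashes(). Uses an in-memory
// SQLite database so it runs offline; table and input are constructed here.

// Recursively remove the one level of escaping magic_quotes_gpc added.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Call once, before any input is read (e.g. from a common bootstrap file).
// Returns true if anything had to be undone, false on a runtime without magic quotes.
function undo_magic_quotes(): bool
{
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return false;
    }
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
    return true;
}

// Store and read back a value through bound parameters: no addslashes() anywhere,
// so the result is the same whether magic quotes were on (and undone) or never on.
function round_trip(PDO $db, string $name): string
{
    $db->exec('CREATE TABLE IF NOT EXISTS users (name TEXT)');   // hypothetical table
    $ins = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $ins->execute([':name' => $name]);
    $sel = $db->prepare('SELECT name FROM users WHERE name = :name');
    $sel->execute([':name' => $name]);
    return (string) $sel->fetchColumn();
}

undo_magic_quotes();

// Constructed request value standing in for $_POST['name'] after normalisation;
// the quote and the trailing SQL are data, not syntax, once bound as a parameter.
$name = "O'Reilly; DROP TABLE users; --";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$stored = round_trip($db, $name);
echo $stored === $name ? "round trip intact: $stored\n" : "round trip changed the value\n";
```

The bootstrap call is the only place that needs to know whether magic quotes are on, which keeps the add/strip decision out of every query site; the prepared statement then removes the need for addslashes() at all, and with it the doubling problem the thread is about.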