Article: Ten Security Checks for PHP, Part 1
Subject: magic quotes
Date: 2003-03-24 13:27:20
From: clancymalcolm
Response to: magic quotes

This is correct, but don't forget that even if you have magic_quotes_gpc turned on you will still need to use addslashes() for data that isn't coming from the get/post/cookie data.

===========
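// Escape $string only when magic_quotes_gpc has not already done so.
function safe_addslashes($string)
{
    // Cache the ini setting across calls ('yup'/'nope' so empty() stays false once set).
    static $setting;
    if (empty($setting))
    {
        $setting = (get_magic_quotes_gpc()) ? 'yup' : 'nope';
    }
    return ($setting == 'yup') ? $string : addslashes($string);
}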
===========
And its counterpart:
===========
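// Remove slashes from $string only when magic_quotes_gpc added them.
function safe_stripslashes($string)
{
    // Cache the ini setting across calls, as in safe_addslashes().
    static $setting;
    if (empty($setting))
    {
        $setting = (get_magic_quotes_gpc()) ? 'yup' : 'nope';
    }
    return ($setting == 'yup') ? stripslashes($string) : $string;
}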
===========
Using a simple find/sed|perl combination you can change all calls to add|stripslashes in your files relatively easily and can switch the magic_quotes_gpc option on and off at will, without this affecting security or output.
HTH
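
The reply's caveat as a runnable sketch (an added example, not code from either poster): a wrapper that skips escaping whenever magic_quotes_gpc is on leaves values that never passed through GET/POST/cookie unescaped. `simulate_gpc`, `safe_addslashes_sim`, `escape_once` and the sample strings are hypothetical, and the setting is passed as a parameter because `get_magic_quotes_gpc()` was removed in PHP 8.0.

```php
<?php
// Added example. $magicQuotesOn stands in for get_magic_quotes_gpc(),
// so the script runs on current PHP versions.

// Simulates what magic_quotes_gpc did to request data before the script saw it.
function simulate_gpc(array $input, bool $magicQuotesOn): array
{
    return $magicQuotesOn ? array_map('addslashes', $input) : $input;
}

// The thread's wrapper with the setting passed in: it ignores the data source.
function safe_addslashes_sim(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? $value : addslashes($value);
}

// Hypothetical source-aware variant: only GET/POST/cookie values can have
// been pre-escaped; anything else is always escaped here.
function escape_once(string $value, bool $fromGpc, bool $magicQuotesOn): string
{
    if ($fromGpc && $magicQuotesOn) {
        return $value;          // already escaped by the runtime
    }
    return addslashes($value);  // file, database, computed values, ...
}

// Constructed sample values.
$rawName  = "O'Reilly";         // arrives via POST
$fromFile = "Conan O'Brien";    // read from a file, never touched by magic quotes

foreach ([true, false] as $on) {
    $post = simulate_gpc(['name' => $rawName], $on);
    printf("magic_quotes=%s\n", $on ? 'on' : 'off');
    printf("  POST via wrapper:     %s\n", safe_addslashes_sim($post['name'], $on));
    printf("  file via wrapper:     %s\n", safe_addslashes_sim($fromFile, $on));
    printf("  file via escape_once: %s\n", escape_once($fromFile, false, $on));
}
```

With the setting on, the "file via wrapper" line is the only one whose quote comes out unescaped, which is the case the reply describes.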