
Article:
  Ten Security Checks for PHP, Part 1
Subject:   magic quotes
Date:   2003-03-24 13:27:20
From:   clancymalcolm
Response to: magic quotes

This is correct, but don't forget that even if you have magic_quotes_gpc turned on you will still need to use addslashes() for data that isn't coming from the GET/POST/cookie data.

  • magic quotes
    2003-03-26 09:51:33  melvyn

    This is easily done by using the following function (you could even extend it with a second argument, say "$which='gpc'"):
    ===========
    // Escape a string with addslashes() unless magic_quotes_gpc has already
    // done it. The setting is read once and cached in a static.
    // (get_magic_quotes_gpc() exists in PHP 4 to 7; it was removed in PHP 8.)
    function safe_addslashes($string)
    {
        static $setting = null;

        if ($setting === null) {
            $setting = (bool) get_magic_quotes_gpc();
        }

        return $setting ? $string : addslashes($string);
    }
    ===========
    And its counterpart:
    ===========
    // Undo the escaping that magic_quotes_gpc added; a no-op when it is off.
    function safe_stripslashes($string)
    {
        static $setting = null;

        if ($setting === null) {
            $setting = (bool) get_magic_quotes_gpc();
        }

        return $setting ? stripslashes($string) : $string;
    }
    ===========
    Using a simple find/sed|perl combination you can change all calls to add|stripslashes in your files relatively easily and can switch the magic_quotes_gpc option on and off at will, without this affecting security or output.

    HTH
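The two posts above leave one gap between them: melvyn's wrapper skips addslashes() whenever magic quotes are on, but clancymalcolm's point is that only GET/POST/cookie data was ever escaped by magic quotes. The following is an added example, not code from the thread or from the article; it implements the second argument melvyn mentions so the caller states where a value came from. The SOURCE_* constants, the `$source` parameter name and the sample strings are this example's own; it assumes PHP 4 to 7, where get_magic_quotes_gpc() exists (on PHP 8 the function is gone and magic quotes are never on, so the function_exists() guard makes every value fall through to "always escape").

```php
<?php
// Added example, not code from the original thread or the article.
// $source says where a value came from, so data that did NOT arrive via
// GET/POST/cookie is always escaped, while GPC data is escaped only when
// magic_quotes_gpc has not already done so. Constant names, the $source
// parameter and the sample strings are assumptions of this example.

define('SOURCE_GPC',   'gpc');    // value came from $_GET, $_POST or $_COOKIE
define('SOURCE_OTHER', 'other');  // file, database, environment, computed...

function magic_quotes_on()
{
    static $on = null;
    if ($on === null) {
        // get_magic_quotes_gpc() was removed in PHP 8, hence the guard.
        $on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    return $on;
}

function safe_addslashes($string, $source = SOURCE_OTHER)
{
    // Only GPC data can already carry magic-quote escaping.
    if ($source === SOURCE_GPC && magic_quotes_on()) {
        return $string;
    }
    return addslashes($string);
}

function safe_stripslashes($string, $source = SOURCE_OTHER)
{
    // Undo escaping only where magic quotes actually added it.
    if ($source === SOURCE_GPC && magic_quotes_on()) {
        return stripslashes($string);
    }
    return $string;
}

// Constructed inputs standing in for a real request and a real file read.
// $from_form mimics what PHP would have stored in $_POST['name'] under the
// current magic_quotes_gpc setting; $from_file was never touched by it.
$from_form = magic_quotes_on() ? addslashes("O'Brien") : "O'Brien";
$from_file = "O'Brien";   // e.g. a field read from a CSV file

$sql = sprintf(
    "INSERT INTO users (name, alias) VALUES ('%s', '%s')",
    safe_addslashes($from_form, SOURCE_GPC),
    safe_addslashes($from_file, SOURCE_OTHER)
);
echo $sql, "\n";   // both values are escaped exactly once, whatever the setting
```

Whichever way magic_quotes_gpc is set, each value is escaped exactly once, and the form value would be escaped twice only if the caller lied about its source. One caveat a practitioner should keep in mind: addslashes() only handles the quote, backslash and NUL characters and knows nothing about the connection character set, so for a database it is the driver's own escaping function or, better, prepared statements that should be used; the wrapper above just removes the magic_quotes dependency.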