What are magic_quotes?
It's a setting you can change in php.ini to automatically escape the GET, POST and COOKIE arrays on page load. By escaping I mean that
characters are turned to
and so forth.
This automatically makes the submitted values safe to insert into a database query.
Although this setting prevented attackers from injecting extra SQL code into your queries (the attack known as SQL injection), the automatic escaping and its dependency on server settings caused frustration among developers, and the feature will be removed in PHP 6.
To check whether you have magic_quotes on, open your phpinfo() output and search (CTRL+F) for magic_quotes.
For example, if I wanted to echo the submitted values to the page before inserting them into the database and magic_quotes were on, I would have to call
stripslashes() before displaying the data
(which is wrong).
And if I later moved the same code to another server that has magic_quotes off, my code would then remove any slashes I had entered into the form, because the stripslashes() call would now be unwanted.
The golden rule is that you should never need stripslashes() when outputting data (after a form submission or when fetching data from the database), never ever.
Note!
When you insert
into a MySQL database, MySQL itself will remove the \ and the data stored in the database will be ".
That's why we need to be sure we prepare the data correctly, so we neither get an extra \ into the database nor lose a \ that someone actually wanted to write in their text.
A short rule for making sure your query is safe for the database.
There are two types of data to be inserted, in general:
INT and VARCHAR, where INT represents all integer types and VARCHAR represents all textual types.
Here is how you escape them (when using the magic_quotes code provided below).
First, the query without validation.
Quote:
$credits = 5;
$firstname = "marge";
$sql = "SELECT * from persons where credits=$credits and firstname='$firstname'";
This query is fully functional, but it will fail if credits is not a number or if I replace marge with
because the ' would close the SQL string too soon and therefore produce an invalid SQL query.
Here is the previous query made safe.
Quote:
$credits = 5;
$firstname = "marge";
$sql = "SELECT * from persons where credits=".intval($credits)." and firstname='".mysql_real_escape_string($firstname)."'";
Here is a simple but effective piece of code that will take care of magic_quotes for you.
The principle is that you include this file in every PHP page you write and then proceed with normal form validation, meaning you never need to worry about checking get_magic_quotes_gpc() again.
This does not add validation: you still need to check that a string is a string and an int is an int. You just don't need to check magic_quotes, because they are always off after this code is included.
Let's call it magicquotes.php.
PHP Code:
<?php
// Undo the escaping magic_quotes applied, once, at the top of every page,
// so the rest of the code always sees the raw submitted values.
if (get_magic_quotes_gpc()) {
    $in = array(&$_GET, &$_POST, &$_COOKIE);
    // each()/list() keep walking $in while nested arrays are appended to it,
    // so nested input arrays get processed too. (each() was removed in PHP 8.)
    while (list($k, $v) = each($in)) {
        foreach ($v as $key => $val) {
            if (!is_array($val)) {
                $in[$k][$key] = stripslashes($val);
                continue;
            }
            // Nested array: queue a reference to it for a later iteration.
            $in[] =& $in[$k][$key];
        }
    }
    unset($in);
}
?>
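The three situations described above, side by side, as an added example that is not code from the original post: the INT/VARCHAR escaping from the safe query, the double escaping you get when magic_quotes' own escaping is left in place and the value is escaped again, and the result after a magicquotes.php-style normalisation. escape_for_mysql() and normalise_input() are hypothetical helpers of this example; the first applies the same character escaping as mysql_real_escape_string() but needs no database connection, and the $magic_on flag stands in for get_magic_quotes_gpc().

```php
<?php
// Added example, not from the original post. escape_for_mysql() is a
// hypothetical stand-in that escapes the same characters as
// mysql_real_escape_string() so the script runs without a MySQL connection.
// In real code use the real function, or better, prepared statements.
function escape_for_mysql(string $s): string {
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// Same idea as magicquotes.php: undo magic_quotes' escaping exactly once so the
// rest of the code always sees raw input. $magic_on replaces the
// get_magic_quotes_gpc() check so both server settings can be shown here.
function normalise_input(array $in, bool $magic_on): array {
    if (!$magic_on) {
        return $in;
    }
    foreach ($in as $k => $v) {
        $in[$k] = is_array($v) ? normalise_input($v, true) : stripslashes($v);
    }
    return $in;
}

// The post's safe query: intval() for the INT column, escaping for VARCHAR.
function persons_query(array $in): string {
    $credits   = intval($in['credits']);
    $firstname = escape_for_mysql($in['firstname']);
    return "SELECT * from persons where credits=$credits and firstname='$firstname'";
}

// Constructed form submission: a name containing a quote, and a credits
// value that is not a plain number.
$raw = ['credits' => '5 OR 1=1', 'firstname' => "O'Brien"];
// What PHP hands the script when magic_quotes_gpc is On (addslashes applied).
$magic = array_map('addslashes', $raw);

// Case 1: magic_quotes off, escaping applied once.
echo persons_query(normalise_input($raw, false)), "\n";
// Case 2: magic_quotes on but not undone: the backslash it added is escaped
// again, so MySQL stores a backslash the user never typed.
echo persons_query($magic), "\n";
// Case 3: magic_quotes on and undone first: identical to case 1, so the
// query no longer depends on the server's php.ini.
echo persons_query(normalise_input($magic, true)), "\n";
```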
Hmm, this "tutorial" is getting off the tracks.