What are magic_quotes?
It's a setting you can change in php.ini to automatically escape the GET, POST, and COOKIE arrays on page load. By escaping I mean that quote characters get a backslash in front of them, so ' is turned into \' and so forth.
This automatically makes the data safe to insert into the database.
Although this setting prevented attackers from injecting extra SQL code into your queries (a method called SQL injection), the automatic escaping and its dependency on server settings caused frustration among developers, and this feature will be removed in PHP 6.
To check whether you have magic_quotes on, open your phpinfo() output and search (CTRL+F) for magic_quotes.
For example, if I wanted to echo the submitted values to the page before inserting them into the database and magic_quotes were on, I would have to call stripslashes() before displaying the data (which is wrong).
And if I later moved the same code to another server that has magic_quotes off, my code would then remove any slashes I had entered into the form, because the unwanted stripslashes() call would still occur.
The golden rule is that you should never need to use stripslashes() when outputting data (after form submission or when fetching data from the database), never ever.
Note!
When you insert \" into a MySQL database, MySQL itself will remove the \ and the data stored in the database will be ".
That's why we need to be sure that we prepare the data correctly, so we don't get an extra \ into the database nor lose a \ if someone wants to write one in their text.
Here is a short rule for making sure your query is safe for the database.
There are two types of data to be inserted, in general:
INT and VARCHAR, where INT represents all integer types and VARCHAR represents all textual types.
Here is how you escape them (when using the magic_quotes code provided below).
First, the query without validation.
Quote:
$credits = 5;
$firstname = "marge";
$sql = "SELECT * from persons where credits=$credits and firstname='$firstname'";
This query is fully functional, but it will fail if credits is not a number or if I replace marge with a value containing a ', as the ' would close the SQL string too soon and therefore produce an invalid SQL query.
Here is the previous query made safe.
Quote:
$credits = 5;
$firstname = "marge";
$sql = "SELECT * from persons where credits=".intval($credits)." and firstname='".mysql_real_escape_string($firstname)."'";
Here is a simple but effective piece of code that will take care of magic_quotes for you.
The principle is that you include this file in every PHP page you write and then proceed with normal form validation, meaning you never need to worry about checking PHP settings (get_magic_quotes_gpc()) again.
This will not add validation; you still need to check that a string is a string and an int is an int. You just don't need to check magic_quotes, since its effects on the variables are removed.
Let's call it magicquotes.php
PHP Code:
<?php
// Undo magic_quotes_gpc: strip the slashes it added to every GET, POST and COOKIE value.
// (get_magic_quotes_gpc() and each() are PHP 5 functions; both are gone in PHP 8.)
if (get_magic_quotes_gpc()) {
    // References, so writes through $in land in the superglobals themselves.
    $in = array(&$_GET, &$_POST, &$_COOKIE);
    // each() keeps walking as nested arrays are appended to $in below.
    while (list($k, $v) = each($in)) {
        foreach ($v as $key => $val) {
            if (!is_array($val)) {
                $in[$k][$key] = stripslashes($val);
                continue;
            }
            // Nested array (e.g. a name="field[]" input): queue it for the same treatment.
            $in[] =& $in[$k][$key];
        }
    }
    unset($in);
}
?>
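As an added example (not the post's own code), here is the same normalisation written as a recursive function instead of the each()/reference trick, together with a constructed form submission that shows both failure modes described earlier: losing the user's backslash when stripslashes() runs on a server with magic_quotes off, and storing an extra backslash when already-quoted data is escaped a second time. simulate_magic_quotes() is a constructed helper standing in for what the setting did on page load; it is not a PHP function.

```php
<?php
// Added example, not from the original post.
// Stand-in for what magic_quotes_gpc did on page load: addslashes() on every
// GPC value, including values inside nested arrays (name="tags[]" inputs).
function simulate_magic_quotes(array $data): array
{
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value) ? simulate_magic_quotes($value) : addslashes($value);
    }
    return $data;
}

// Reverse it once, at the top of the request, recursing into nested arrays.
// Same effect as the magicquotes.php snippet above, without each() or references.
function strip_magic_quotes(array $data): array
{
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value) ? strip_magic_quotes($value) : stripslashes($value);
    }
    return $data;
}

// Constructed form submission: a quote, a literal backslash, and a nested array.
$submitted = [
    'firstname' => "O'Brien",
    'path'      => 'C:\\temp',          // the user really typed one backslash
    'tags'      => ['rock"n"roll', "it's"],
];

// Server A: magic_quotes on. Strip once, then the data is exactly what the user sent.
$gpc   = simulate_magic_quotes($submitted);
$clean = strip_magic_quotes($gpc);
echo "magic_quotes on, raw value:      ", $gpc['firstname'], "\n";
echo "after strip_magic_quotes:        ", $clean['firstname'], "\n";
echo "round trip identical to input:   ", ($clean === $submitted ? 'yes' : 'no'), "\n";

// Server B: magic_quotes off, but the output code still calls stripslashes():
// the user's backslash disappears. This is the "never stripslashes() on output" rule.
echo "stripslashes() on unquoted data: ", stripslashes($submitted['path']), "\n";

// Escaping twice (magic_quotes already applied, then escaping again for the query)
// leaves a backslash that survives into the database.
echo "escaped twice:                   ", addslashes($gpc['firstname']), "\n";
```

Run it from the command line with php; the first two lines show the quote going in and out unchanged, the third confirms the nested array survives the round trip, and the last two lines are the two mistakes the post warns about.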
Hmm, this "tutorial" is getting off the tracks.