
[web] PHP still adding slashes to quotes with magic quotes off?


I got myself a very strange problem. My PHP scripts still add the slashes to the quotes for some strange reason. I used set_magic_quotes_runtime(0) somewhere, and when I check, it's still set to 0. However, the configuration of PHP has magic_quotes_gpc enabled. I work around for this, as I can't change the configuration of my host.

Toolmaker

Magic quotes in all their forms are evil. They are a cure worse than the disease.

Magic quotes are guaranteed to cause data corruption and must be disabled for any application which prefers its data intact.

If your host will not disable them, get a new host.

Mark

Ok, so I should ask if my host wants to disable magic quotes, or is there a way to turn it off during runtime?

Toolmaker

I found a way around it :) In my news post script I made a loop that checks for any \ and removes it :) Because they only seem to be at a ' so :D

What about any legitimate backslashes in the data? Surely removing *all* backslashes causes data corruption - legit ones get trashed too.

Mark

Disabling magic quotes at runtime does not work; the quotes are already added at the point any of your code executes.
There are the stripslashes and addslashes functions for this. I usually use:

// Wrap a request value in single quotes for a query string, escaping it
// only when magic_quotes_gpc has not already done so.
function quote_input($value)
{
    if (get_magic_quotes_gpc()) {
        return "'$value'";
    } else {
        return "'".addslashes($value)."'";
    }
}

// Return a request value without the slashes added by magic_quotes_gpc.
function unquote_input($value)
{
    if (get_magic_quotes_gpc()) {
        return stripslashes($value);
    } else {
        return $value;
    }
}

unquote_input($_GET['somevar']); // always without backslashes
quote_input($_GET['somevar']); // always with backslashes and in ''; for use in database queries

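An added example, not part of the original thread: undoing magic_quotes_gpc once at the top of the script, compared with removing every backslash, and storing the result through a PDO bound parameter in place of the addslashes() quoting in the post above. The helper name undo_magic_quotes(), the news table and the sample text are assumptions made for illustration, and PDO with the SQLite driver is assumed to be installed.

```php
<?php
// Added example, not code from the thread. undo_magic_quotes() is a
// hypothetical helper name; PDO with the SQLite driver is assumed available.

// Reverse magic_quotes_gpc escaping on one value, recursing into arrays
// because PHP turns inputs such as tags[]=a&tags[]=b into arrays.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Run once, before any other code reads the request. The function_exists()
// guard is there because get_magic_quotes_gpc() was removed in PHP 8.
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// Constructed sample: a submitted value with a quote and a legitimate
// backslash, then the escaped form magic_quotes_gpc would hand the script.
$original = "O'Reilly saved it to C:\\temp";
$received = addslashes($original);

$restored = undo_magic_quotes(array('body' => $received));
$stripAll = str_replace('\\', '', $received); // "remove every backslash" approach

// Bound parameter instead of addslashes(): the driver keeps data apart from
// the SQL text, so the stored value is the submitted value, byte for byte.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (body TEXT)');
$stmt = $db->prepare('INSERT INTO news (body) VALUES (?)');
$stmt->execute(array($restored['body']));
$stored = $db->query('SELECT body FROM news')->fetchColumn();

echo 'stripslashes + bound parameter intact: ';
var_dump($stored === $original);
echo 'all backslashes removed intact: ';
var_dump($stripAll === $original);
```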
Seems like I need to go with StripSlashes then. I already knew I could strip the slashes, but turning off magic_quotes during runtime would have been easier and better.

I might seek contact with my host, but I do see a reason for why they turn it on by default, since it makes database exploiting a bit harder (or perhaps impossible, not sure). Of course, each pro has its con, so I have the feeling they won't turn it off for me since I'm not the only customer.

Apart from that, I just write a little work around code for it, no big deal.

Toolmaker

The problem, as I've said before, is that although they improve security, they also cause data corruption.

It is not possible to mitigate or prevent this data corruption, and it is guaranteed to break any application which ever cares about having backslashes, quotes, or other characters stored and retrieved correctly.

This of course makes storage of binary data in a database impossible and severely limits what you can do with text data.

Mark
