Toolmaker

[web] PHP still adding slashes to quotes with magic quotes off?


I got myself a very strange problem. My PHP scripts still add the slashes to the quotes for some strange reason. I used set_magic_quotes_runtime(0) somewhere, and when I check, it's still set to 0. However, the configuration of PHP has magic_quotes_gpc enabled. I'll work around this, as I can't change the configuration of my host. Toolmaker

Magic quotes in all their forms are evil. They are a cure worse than the disease.

Magic quotes are guaranteed to cause data corruption and must be disabled for any application which prefers its data intact.

If your host will not disable them, get a new host.

Mark

What about any legitimate backslashes in the data? Surely removing *all* backslashes causes data corruption - legit ones get trashed too.

Mark

Disabling magic quotes at runtime does not work; the quotes are already added by the time any of your code executes.
There are the stripslashes and addslashes functions for this. I usually use:

<?php
// get_magic_quotes_gpc() was removed in PHP 8, so it is only called where it
// exists; where it does not exist, no magic quotes were applied.
function quote_input($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        // PHP already escaped the value, so only wrap it in quotes.
        return "'$value'";
    } else {
        return "'" . addslashes($value) . "'";
    }
}

function unquote_input($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        // Remove exactly the escaping that PHP added on the way in.
        return stripslashes($value);
    } else {
        return $value;
    }
}

$somevar = isset($_GET['somevar']) ? $_GET['somevar'] : '';
unquote_input($somevar); // always without backslashes
quote_input($somevar);   // always with backslashes and in ''; for use in database queries

Seems like I need to go with StripSlashes then. I already knew I could strip the slashes, but turning off magic_quotes during runtime would have been easier and better.

I might seek contact with my host, but I do see a reason for why they turn it on by default, since it makes database exploiting a bit harder (or perhaps impossible, not sure). Of course, each pro has its con, so I have the feeling they won't turn it off for me since I'm not the only customer.

Apart from that, I just write a little work around code for it, no big deal.

Toolmaker

The problem, as I've said before, is that although they improve security, they also cause data corruption.

It is not possible to mitigate or prevent this data corruption, and it is guaranteed to break any application which ever cares about having backslashes, quotes, or other characters stored and retrieved correctly.

This of course makes storage of binary data in a database impossible and severely limits what you can do with text data.

Mark
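The following is an added example written for this thread, not code posted by any of the participants. It makes the two points above concrete: magic_quotes_gpc (simulated here with addslashes(), which is what it applied) is harmless to data without backslashes, but an unconditional stripslashes() destroys legitimate backslashes and the trailing byte of binary data, while a guarded, once-only normalisation round-trips everything. It then stores the normalised value through a bound parameter instead of addslashes(), so no second layer of escaping ever reaches the database. The sample values, the function names and the use of an in-memory SQLite database via pdo_sqlite are all assumptions of this example.

```php
<?php
// Sample inputs, constructed for this example: a Windows path with real
// backslashes, a string with both quote types, and bytes including NUL.
$samples = [
    'path'   => 'C:\\temp\\file.txt',      // single-quoted: one real backslash per \\
    'quote'  => "O'Reilly said \"hi\"",
    'binary' => "\x00\xFF\\",
];

// True only on a PHP build where magic quotes exist and are switched on
// (PHP < 5.4); get_magic_quotes_gpc() itself was removed in PHP 8.
function magic_quotes_active(): bool
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Undo magic quotes exactly once, and recursively, because magic_quotes_gpc
// escaped nested arrays and their keys as well as scalar values.
function normalise_gpc($value, bool $was_quoted)
{
    if (!$was_quoted) {
        return $value;                   // nothing was added, so remove nothing
    }
    if (is_array($value)) {
        $clean = [];
        foreach ($value as $k => $v) {
            $clean[stripslashes($k)] = normalise_gpc($v, true);
        }
        return $clean;
    }
    return stripslashes($value);
}

// Simulate one request on a host with or without magic quotes and report
// whether the value survives each of the two recovery strategies.
function round_trip(string $original, bool $host_has_magic_quotes): array
{
    $received = $host_has_magic_quotes ? addslashes($original) : $original;
    return [
        'unconditional_strip' => stripslashes($received) === $original,
        'guarded_normalise'   => normalise_gpc($received, $host_has_magic_quotes) === $original,
    ];
}

// Database use: bind the already-normalised value as a parameter. The driver
// quotes it, nothing is stored escaped, and the value comes back byte-for-byte.
function store_and_fetch(string $value): string
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE t (v BLOB)');
    $ins = $db->prepare('INSERT INTO t (v) VALUES (:v)');
    $ins->execute([':v' => $value]);
    return (string) $db->query('SELECT v FROM t')->fetchColumn();
}

printf("magic quotes active on this build: %s\n\n", magic_quotes_active() ? 'yes' : 'no');
foreach ($samples as $name => $value) {
    foreach ([true, false] as $magic) {
        $r = round_trip($value, $magic);
        printf("%-6s magic=%-3s unconditional stripslashes=%-4s guarded normalise=%s\n",
            $name, $magic ? 'on' : 'off',
            $r['unconditional_strip'] ? 'ok' : 'LOST',
            $r['guarded_normalise'] ? 'ok' : 'LOST');
    }
}

if (extension_loaded('pdo_sqlite')) {
    echo "\n";
    foreach ($samples as $name => $value) {
        printf("%-6s via bound parameter: %s\n", $name,
            store_and_fetch($value) === $value ? 'ok' : 'LOST');
    }
}
```

Run it with magic quotes off (any PHP 5.4 or later) and the 'path' and 'binary' rows show LOST under the unconditional stripslashes() column and ok under the guarded column, while 'quote' survives both because it contains no backslash; this is the corruption Mark describes, and it only appears once code strips slashes that were never added. The bound-parameter rows are ok for every sample, which is why the addslashes()-based quote_input() pattern should be retired in favour of prepared statements once input has been normalised a single time.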
