[web] PHP still adding slashes to quotes with magic quotes off?

6 comments, last by markr 19 years, 5 months ago
I got myself a very strange problem. My PHP scripts still add the slashes to the quotes for some strange reason. I used set_magic_quotes_runtime(0) somewhere, and when I check, it's still set to 0. However, the configuration of PHP has magic_quotes_gpc enabled. I need a workaround for this, as I can't change the configuration of my host. Toolmaker

Magic quotes in all their forms are evil. They are a cure worse than the disease.

Magic quotes are guaranteed to cause data corruption and must be disabled for any application which prefers its data intact.

If your host will not disable them, get a new host.

Mark
Ok, so I should ask if my host wants to disable magic quotes, or is there a way to turn it off during runtime?

Toolmaker

I found a way around it :) In my news post script I made a loop that checks for any \ and removes it :) Because they only seem to be at a ' so :D
http://sourceforge.net/projects/pingux/ <-- you know you wanna see my 2D Engine which supports DirectX and OpenGL or insert your renderer here :)
What about any legitimate backslashes in the data? Surely removing *all* backslashes causes data corruption - legit ones get trashed too.

Mark
Disabling magic quotes at runtime does not work, the quotes are already added at the point any of your code executes.
There are the stripslashes and addslashes functions for this. I usually use:

    // Wrap a GPC value in single quotes, escaping it exactly once:
    // magic quotes already added the backslashes, otherwise addslashes() does.
    function quote_input($value) {
        if (get_magic_quotes_gpc()) {
            return "'$value'";
        } else {
            return "'".addslashes($value)."'";
        }
    }

    // Return the raw value the user actually sent, undoing magic quotes if on.
    function unquote_input($value) {
        if (get_magic_quotes_gpc()) {
            return stripslashes($value);
        } else {
            return $value;
        }
    }

    unquote_input($_GET['somevar']); // always without backslashes
    quote_input($_GET['somevar']);   // always with backslashes and in ''; for use in database queries
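Added example, not code from anyone in this thread: it normalises the GPC arrays once at the top of the request (the recursion matters, because magic_quotes_gpc escapes nested array values too), shows with a constructed sample why deleting every backslash loses data while stripslashes() restores the original, and binds the value in a prepared statement instead of quoting it by hand. The function names undo_magic_quotes and magic_quotes_active are my own, and the last part assumes the pdo_sqlite extension is available.

```php
<?php
// Strip the backslashes magic_quotes_gpc added, recursing into nested arrays.
function undo_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

// get_magic_quotes_gpc() no longer exists in PHP 8; treat "missing" as "off".
function magic_quotes_active() {
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Do this once, before any other code reads the request.
if (magic_quotes_active()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// Constructed sample: what the user typed, and what magic quotes turns it into
// (addslashes() applies the same escaping the directive does).
$raw_input    = "C:\\temp\\it's";
$magic_quoted = addslashes($raw_input);

// Removing every backslash (the loop suggested earlier) also removes the two
// that belong to the path, so the result no longer equals the input.
$stripped_all = str_replace('\\', '', $magic_quoted);
// stripslashes() only undoes the escaping and gives the original back.
$unescaped    = stripslashes($magic_quoted);
var_dump($stripped_all === $raw_input);
var_dump($unescaped === $raw_input);

// For the query, bind the value rather than escaping it into SQL text;
// the database then never interprets the quote or backslashes as syntax.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, body TEXT)');
$stmt = $pdo->prepare('INSERT INTO news (body) VALUES (:body)');
$stmt->execute(array(':body' => $unescaped));
var_dump($pdo->query('SELECT body FROM news')->fetchColumn() === $raw_input);
```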
Seems like I need to go with StripSlashes then. I already knew I could strip the slashes, but turning off magic_quotes during runtime would have been easier and better.

I might seek contact with my host, but I do see a reason for why they turn it on by default, since it makes database exploiting a bit harder (or perhaps impossible, not sure). Of course, each pro has its con, so I have the feeling they won't turn it off for me since I'm not the only customer.

Apart from that, I just write a little work around code for it, no big deal.

Toolmaker

The problem, as I've said before, is that although they improve security, they also cause data corruption.

It is not possible to mitigate or prevent this data corruption, and it is guaranteed to break any application which ever cares about having backslashes, quotes, or other characters stored and retrieved correctly.

This of course makes storage of binary data in a database impossible and severely limits what you can do with text data.

Mark
