if magic_quotes_gpc is On, does it add slashes in front of quotes when submitted through a form? I mean, if I submit in an input form (text) afan's "crazy" web, after echo $_POST['record']; I'll get afan\'s \"crazy\" web. Is this because magic_quotes_gpc is On?

-afan

> Security wise, it is best to turn it off...
> Yes, you *might* have to redo code if you turn it off...
> (Of course in future versions you will not be able to turn it on, so
> code migration might be better now than later)
>
> Your options are:
> - turn it off, see what breaks and fix it.
> - or use the stripslashes() function on all $_POST, session and cookie
> variables *before* you use the mysql_real_escape_string() function. You
> only really need to do such things when that data is going into the
> database! So any control variables passed via get, post, etc.. do not
> need to be cleaned up, just use as they are.
>
> -Brad
>
> afan@xxxxxxxx wrote:
>
>> yes. it's *On*
>>
>> if I turn it Off - I have to redo a lot of code, then right?
>>
>> What would be the best solution (and a few options too :))?
>>
>> -afan
>>
>>> in your php.ini file what is the value of:
>>> magic_quotes_gpc?
>>> (hint: should be off, if it is on, then you are adding slashes twice...)
>>> -Brad
>>>
>>> afan@xxxxxxxx wrote:
>>>
>>>> ok. I just made one test and if you can then explain something to me:
>>>> I entered in form (textarea)
>>>> afan's "crazy" web
>>>> and stored in db using mysql_real_escape_string().
>>>> in DB, it's stored with slashes:
>>>> afan\'s \"crazy\" web
>>>>
>>>> Then I pulled that from DB in three different ways:
>>>> $query = mysql_query("select test from dbtest where rec_id = 5");
>>>> $result = mysql_fetch_array($query);
>>>> echo $result['gen_value']; // gives afan\'s \"crazy\" web
>>>> echo stripslashes($result['gen_value']); // gives afan's "crazy" web
>>>> echo htmlentities($result['gen_value']); // gives afan\'s \"crazy\" web
>>>>
>>>> if stripslashes() is not correct to use - what then?!?
>>>>
>>>> -afan
>>>>
>>>>> afan@xxxxxxxx wrote:
>>>>>
>>>>>> after these very helpful comments, I read (again) Shiflett's (and a few
>>>>>> others) Security articles about filtering input and output. And the more
>>>>>> I read - the less is clear :(
>>>>>>
>>>>>> Before, I used addslashes() before I insert data in the database and
>>>>>> stripslashes() to show them on screen.
>>>>>>
>>>>>> Later found it's not good and started using mysql_real_escape_string()
>>>>>> to add to DB and stripslashes() to show on screen.
>>>>>
>>>>> If you have to stripslashes() when you pull data out of the db, you're
>>>>> doing something wrong (like running with magic_quotes* on, therefore
>>>>> double escaping your data).
>>>>>
>>>>>> But, also, I thought, mysql_real_escape_string() is a "filter" for
>>>>>> everything, e.g. let's have three links (add, delete, edit) as
>>>>>
>>>>> mysql_real_escape_string() *only* escapes the data which needs to be
>>>>> escaped for your particular db version.
>>>>>
>>>>>> <a href=index.php?action=add&rec_id=$rec_id>Add new</a>
>>>>>> <a href=index.php?action=edit&rec_id=$rec_id>Edit</a>
>>>>>> <a href=index.php?action=delete&rec_id=$rec_id>Delete</a>
>>>>>> and was doing it this way:
>>>>>> #index.php
>>>>>> <?php
>>>>>> if (isset($_GET['action']))
>>>>>> {
>>>>>>     $action = mysql_real_escape_string($_GET['action']);
>>>>>>     $rec_id = mysql_real_escape_string($_GET['rec_id']);
>>>>>>     switch ($action)
>>>>>>     {
>>>>>>         case 'add':
>>>>>>             // add new record
>>>>>>             break;
>>>>>>
>>>>>>         case 'edit':
>>>>>>             // edit record
>>>>>>             break;
>>>>>>
>>>>>>         case 'delete':
>>>>>>             // delete record
>>>>>>             break;
>>>>>>     }
>>>>>> }
>>>>>> ?>
>>>>>>
>>>>>> it means that $action I will never store in DB, nor show on screen.
>>>>>> Am I then wrong to
>>>>>> $action = mysql_real_escape_string($_GET['action']);
>>>>>> or should I
>>>>>> $action = htmlentities($_GET['action']);
>>>>>> or
>>>>>> $action = $_GET['action'];
>>>>>> is just fine?
>>>>>
>>>>> If you're not going to display it or insert it...if all you're doing is
>>>>> checking the value of it, then you don't need to modify it.
>>>>>
>>>>> --
>>>>> John C. Nichel IV
>>>>> Programmer/System Admin (ÜberGeek)
>>>>> Dot Com Holdings of Buffalo
>>>>> 716.856.9675
>>>>> jnichel@xxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>>>
>>>>> --
>>>>> PHP General Mailing List (http://www.php.net/)
>>>>> To unsubscribe, visit: http://www.php.net/unsub.php

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php