Indeed. The Force is strong with this one...

Thanks, Richard Lynch, for your insight. You are right: magic quotes is indeed meddling with my vars before I can. OK, I better understand. I'll do more homework. I've already investigated the other link you advised and it's bookmarked.

-----Original Message-----
From: Richard Lynch [mailto:ceo@xxxxxxxxx]
Sent: Thursday, August 09, 2007 12:29 AM
To: k3cheese
Cc: php-general@xxxxxxxxxxxxx
Subject: RE: magic quotes

On Thu, August 9, 2007 12:01 am, k3cheese wrote:
> I have an example, how using js can instantly remove chars you type.
> If I don't want quotes in the form fields the code in loop removes them.
> What's your take on this?

My take:

Problem #1: It doesn't work very well for fields that actually should allow an apostrophe.

Problem #2: Apostrophe is NOT the only character that magic_quotes affects.

Problem #3: You can't rely on JavaScript sanitizing, because the Bad Guys aren't using a web browser; they are splatting whatever raw data they want directly at your script. Start reading here: http://phpsec.org

Problem #4: You cannot guarantee JavaScript is enabled in my browser. In fact, you can guarantee that at least one user will have disabled JavaScript.

Problem #5: It doesn't do diddly-squat for GET data nor for COOKIE data, only POST.

Problem #6: There is no number 6.

Problem #7: Magic Quotes was designed for the ASCII character set, and is downright dangerous to use for anything else (Unicode/UTF-8/etc).

Avoiding the input of the apostrophes (and other characters) but still having Magic Quotes on means you're just spinning your wheels with PHP calling addslashes on POST data that you HOPE (but can't prove) doesn't have an apostrophe and other characters in it, but this could completely screw up Unicode/UTF-8 incoming data, and most likely leave you vulnerable.

Unless, of course, you use mysql_real_escape_string like you are supposed to.

Even then, the Unicode coming in will possibly/probably be whacked wrong by Magic Quotes sooner or later, so now if you want to support non-ASCII charsets, you probably can't, because Magic Quotes is munging the data before you get a chance to call mysql_real_escape_string on it to do the right thing.

[Though maybe not, as maybe addslashes can't do any harm to Unicode if there's no ' nor \ to escape... You'd have to ask a Unicode geek. But they'd tell you to just turn off the Magic Quotes and be done with it anyway.]

But that's just my take... :-v

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
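The server-side pattern Richard's reply points at (undo magic quotes so the script sees raw GET, POST and COOKIE data, then escape exactly once at the database boundary with mysql_real_escape_string on a connection whose charset is set), as an added example that is not part of the thread; the host, credentials, database, table and column names are placeholders, and the script targets the PHP 5.x era of the thread, when the mysql_* extension and get_magic_quotes_gpc() still existed:

```php
<?php
// Added example (not from the mailing-list thread). Assumes PHP 5.2.3+ with
// the old mysql extension, as was current in 2007. Connection details are
// placeholders.

// Recursively undo the addslashes() that magic_quotes_gpc applied, so every
// input source (not only POST) reaches the script in its raw form.
function strip_magic_quotes_deep($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes_deep', $value);
    }
    return stripslashes($value);
}

// Only strip when the runtime actually added the slashes; stripping raw data
// would silently corrupt legitimate backslashes.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes_deep($_GET);
    $_POST   = strip_magic_quotes_deep($_POST);
    $_COOKIE = strip_magic_quotes_deep($_COOKIE);
}

// Connect and declare the connection charset BEFORE escaping anything:
// mysql_real_escape_string is charset-aware and must know it is handling
// UTF-8 so that multibyte sequences are not mangled.
$link = mysql_connect('db-host-placeholder', 'db-user-placeholder', 'db-pass-placeholder');
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db('app_db_placeholder', $link);
mysql_set_charset('utf8', $link);

// Escape once, at the point where the value enters SQL, regardless of what
// the client (browser or not) did or did not filter out.
$raw_name  = isset($_POST['name']) ? $_POST['name'] : '';
$safe_name = mysql_real_escape_string($raw_name, $link);

$sql    = "SELECT id FROM users WHERE name = '$safe_name'";
$result = mysql_query($sql, $link);
if (!$result) {
    die('Query failed: ' . mysql_error($link));
}
while ($row = mysql_fetch_assoc($result)) {
    echo htmlspecialchars($row['id'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The stripping step is a compatibility shim for hosts where you cannot switch magic_quotes_gpc off in php.ini; on hosts you control, disabling the setting and dropping the shim is simpler and avoids double-unescaping. Note that the escaping is done with the database link in hand: calling mysql_real_escape_string without an open connection, or before mysql_set_charset, is exactly the Unicode failure mode the reply warns about.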