stripslashes() is rife with gaping security holes. For mysql insertion rely on mysql_real_escape_string() or alternatively, you can use prepared statements. For outputting data on the page you should ideally be using htmlspecialchars($var, ENT_QUOTES);

cheers,
Russ

On Thu, Dec 23, 2010 at 6:48 AM, Ravi Gehlot <ravi@xxxxxxxxxxxxxx> wrote:
> On Wed, Dec 22, 2010 at 3:34 PM, Bob McConnell <rvm@xxxxxxxxx> wrote:
>
>> From: Ravi Gehlot
>>
>> > What are these magic quotes anyways? What are they used for? escaping?
>>
>> I wasn't there at the time, but I gather that the general idea was to
>> automagically insert escape characters into data submitted from a form.
>> However, they used a backslash as the escape character, which is not
>> universally recognized across database engines. Even the SQL standard
>> defines an escape as a single quote character.
>>
>> We used to have magic quotes enabled, and came up with the following
>> code to clean up the mess it caused.
>>
>> // If magic quotes is on, we want to remove slashes
>> if (get_magic_quotes_gpc()) {
>>     // Magic quotes is on
>>     $response = stripslashes($_POST[$key]);
>> } else {
>>     $response = $_POST[$key];
>> }
>>
>> For future releases of PHP, this will also need a check to see if
>> get_magic_quotes_gpc() exists first.
>>
>> Bob McConnell
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>
> Bob,
>
> Thank you very much. This is good information. What I found out from
> http://us2.php.net/manual/en/function.stripslashes.php was the following:
>
> "An example use of *stripslashes()* is when the PHP directive magic_quotes_gpc
> (http://us2.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc) is
> *on* (it's on by default), and you aren't inserting this data into a place
> (such as a database) that requires escaping. For example, if you're simply
> outputting data straight from an HTML form."
>
> So that means that stripslashes() isn't intended for DB insertions but only
> straight output. So I will remove it from my code.
>
> Thanks,
> Ravi.
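The three points made in the thread, put together in one script as an added example (not code posted by anyone on the list): undo magic quotes only when they are actually on, with the function_exists() guard Bob mentions; insert through a prepared statement instead of escaping by hand; and escape with htmlspecialchars($var, ENT_QUOTES) only at output time. The in-memory SQLite database and the "comments" table are assumptions made so the script runs stand-alone.

```php
<?php
// Added example, not code from the thread. Table name and the SQLite
// in-memory database are assumptions so the script runs without MySQL.

// Return a raw POST value with any magic_quotes_gpc backslashes removed.
// The function_exists() guard covers PHP versions where
// get_magic_quotes_gpc() no longer exists (it was removed in PHP 8).
function rawPostValue(array $post, string $key): string
{
    $value = isset($post[$key]) ? (string) $post[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Store a comment via a bound parameter. No quoting is done by hand: the
// driver keeps the value separate from the SQL text, so a quote inside
// $body cannot alter the statement.
function storeComment(PDO $db, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// Render a stored value into HTML. ENT_QUOTES also converts single quotes,
// which matters if the value ever lands in a single-quoted attribute.
function renderComment(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample input: a form field containing a single quote and
// HTML markup, the two cases each step above has to handle.
$post = ['body' => "O'Reilly said: <b>\"hello\"</b>"];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

storeComment($db, rawPostValue($post, 'body'));

foreach ($db->query('SELECT body FROM comments') as $row) {
    echo renderComment($row['body']), "\n";
}
```

The stored row keeps the quote and angle brackets verbatim; they are only converted to entities when rendered, so the same data can still be used unescaped elsewhere (e.g. in a plain-text e-mail).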