On Wed, Dec 22, 2010 at 4:21 PM, Russell Dias <rus321@xxxxxxxxx> wrote: > stripslashes() is rife with gaping security holes. For mysql > insertion rely on mysql_real_escape_string() or alternatively, you can > use prepared statements. > > For outputting data on the page you should ideally be using > htmlspecialchars($var, ENT_QUOTES); > > cheers, > Russ > > On Thu, Dec 23, 2010 at 6:48 AM, Ravi Gehlot <ravi@xxxxxxxxxxxxxx> wrote: > > On Wed, Dec 22, 2010 at 3:34 PM, Bob McConnell <rvm@xxxxxxxxx> wrote: > > > >> From: Ravi Gehlot > >> > >> > What are these magic quotes anyways?. What are they used for? > >> escaping? > >> > >> I wasn't there at the time, but I gather that the general idea was to > >> automagically insert escape characters into data submitted from a form. > >> However, they used a backslash as the escape character, which is not > >> universally recognized across database engines. Even the SQL standard > >> defines an escape as a single quote character. > >> > >> We used to have magic quotes enabled, and came up with the following > >> code to clean up the mess it caused. > >> > >> // If magic quotes is on, we want to remove slashes > >> if (get_magic_quotes_gpc()) { > >> // Magic quotes is on > >> $response = stripslashes($_POST[$key]); > >> } else { > >> $response = $_POST[$key]; > >> } > >> > >> For future releases of PHP, this will also need a check to see if > >> get_magic_quotes_gpc() exists first. > >> > >> Bob McConnell > >> > >> -- > >> PHP General Mailing List (http://www.php.net/) > >> To unsubscribe, visit: http://www.php.net/unsub.php > >> > >> > > Bob, > > > > Thank you very much. This is good information. What I found out from > > http://us2.php.net/manual/en/function.stripslashes.php was the > following: > > "An example use of *stripslashes()* is when the PHP directive > > magic_quotes_gpc< > http://us2.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc > >is > > *on* (it's on by default), and you aren't inserting this data into a > place > > (such as a database) that requires escaping. For example, if you're > simply > > outputting data straight from an HTML form. " > > > > So that means that stripslashes() isn't intended for DB insertions but > only > > straight output. So I will remove it from my code. > > > > Thanks, > > Ravi. > > > Hello Russell, When you use htmlspecialchars() it tries to escape single/double quotes with a bunch of backslashes. I had stripslashes() in an attempt to try to get the backslashes away but it didn't. So the solution was to disable magic quotes in php.ini. With GoDaddy shared hosting, I had to rename php.ini over to php5.ini in order to have this to work. Also had to include the command like responsible for disabling magic quotes. Everything is good and clean now. Now you type for example "Hunter's Reserve Circle" and it keeps it as it is. Before it would print something like "Hunter'///////////s Reserve Circle". With double quote, the situation would be even worse. mysql_real_escape_string() is a must in order to avoid SQL injections. Regards, Ravi.