Re: pdo ?

On 1/24/2013 6:03 PM, Matt Pelmear wrote:
On 01/24/2013 01:37 PM, Karl DeSaulniers wrote:

On Jan 24, 2013, at 2:15 PM, Matt Pelmear wrote:

On 01/24/2013 12:00 PM, Jim Giner wrote:
On 1/24/2013 1:41 PM, Richard Quadling wrote:
On 24 January 2013 17:48, Matt Pelmear <mjpelmear@xxxxxxxxx> wrote:
On 01/24/2013 09:23 AM, Jim Giner wrote:

On 1/24/2013 12:05 PM, Matt Pelmear wrote:


http://stackoverflow.com/questions/5801951/does-php-auto-escapes-quotes-in-string-which-is-passed-by-get-or-post



Every pro has this feature (magic_quotes_gpc) turned off. If you
understand SQL Injection vulnerabilities, and properly bind
things into
your queries, I would recommend disabling it.

-Matt

On 01/24/2013 08:55 AM, Jim Giner wrote:

ok - new to using pdo functions, but I thought I had a handle
on it.

I'm writing out to my page an input tag with the following
value in it:

49'ers

I can confirm it by using my browser's "view source" to see
that is
exactly how it exists in the page.

When I hit a submit button and my script retrieves the 'post'
vars my
debugging steps are showing that the var $_POST['team']
contains the
above value with a backslash (\) already inserted. This is
causing me
a problem when I then try to use pdo->quote to safely encode it
for
updating my sql database.

My question is - why does the POST var show the \ char before I
execute the 'quote' function?


You're right!  But I must not understand something.

My root folder has a php.ini file with the magic quotes set off.
Doesn't
that carry on down to folders beneath it?


I would check phpinfo() to see if it is being overridden.

-Matt

Create an info.php file containing ...

<?php
phpinfo();

Save that in the directory containing PHP and one other directory.

Load them via your browser. See the settings for the magic_xxxx and
see where the php.ini configuration file is being loaded.

It may be that your ini file is completely ignored!


Matt & Rich,

I have a small php.ini in my domain's  'php' folder as well as in my
webroot folder. I was under the impression that the overrides would
be applied to all folders below my webroot, but apparently it is not
happening.

How do 'pros' replicate their .ini settings through all of the
application folders?  Not through settings within the scripts I hope - I
thought I read that that was not a very efficient way to do it and
that a php.ini file was the best since it would be merged with the
master one installed by my hoster.


Jim,

Personally I rarely have the need to override the php.ini settings
for a particular host on a server. (Granted I never work in shared
servers)
Assuming you are using Apache and the standard module configuration,
you can use .htaccess files to override many settings from php.ini.

Official reference pages:
http://php.net/manual/en/configuration.changes.php  (you might want
to read through the comments here, too)
http://httpd.apache.org/docs/current/howto/htaccess.html

Example and some discussion here as well:
http://davidwalsh.name/php-values-htaccess

If you are using another web server or running PHP as FastCGI you may
need to consider other options (changing the setting globally, doing a
require_once() of your config changes, or see the FastCGI example here:
http://www.askapache.com/php/php-htaccess-tips-tricks.html)

-Matt

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



You could just check for it with php and add or strip accordingly.

adding slashes if magic_quotes is disabled:

if (!get_magic_quotes_gpc()) {
    // PHP did not escape the request data, so escape it here
    // (addslashes() puts a backslash before ' " \ and NUL)
    $var = addslashes($var);
}

stripping slashes if magic_quotes is enabled and you're planning on
sanitizing yourself.

if (get_magic_quotes_gpc()) {
    // PHP already escaped the request data; undo that first,
    // otherwise your own escaping is applied on top of it
    $var = stripslashes($var);
    //do your own sanitizing
}

I wouldn't suggest the last one if you're not going to sanitize yourself
as it will make you vulnerable.
But all-in-all very simple to implement.

Best,

Karl DeSaulniers
Design Drumm
http://designdrumm.com



You shouldn't be sanitizing using addslashes() regardless, or using
magic_quotes_gpc at all really, if you can help it.
See: http://php.net/manual/en/security.magicquotes.whynot.php
(magic_quotes was deprecated because it is bad.)

-Matt

And I'm not.

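The advice that runs through the thread (bind values into the query instead of escaping them with addslashes(), magic_quotes_gpc or string-building around PDO::quote()), shown as an added example. This is not code from the thread or from any of the posters; it assumes a PHP 5.3+ build with the pdo_sqlite extension, uses an in-memory SQLite table named teams and constructed input values in place of $_POST['team'], and the helper names (unmagic, openDb, storeTeam, findTeam) are hypothetical.

```php
<?php
// Added example, not from the thread: persist a value such as "49'ers" with
// PDO bound parameters instead of addslashes()/magic_quotes/PDO::quote().
// Assumes pdo_sqlite; the table "teams" and the inputs are constructed.

/**
 * Undo magic_quotes_gpc once, at the request boundary, if it is on.
 * The directive was removed in PHP 5.4, so ini_get() returns false there
 * and this is a no-op. Note that ini_set() inside a script cannot turn it
 * off: the slashes are added while $_POST is being populated, before the
 * script runs, which is why the setting has to live in an ini/.htaccess file.
 */
function unmagic($value)
{
    if (filter_var(ini_get('magic_quotes_gpc'), FILTER_VALIDATE_BOOLEAN)) {
        return stripslashes($value);
    }
    return $value;
}

function openDb()
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE teams (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $pdo;
}

/**
 * The value travels separately from the SQL text, so a quote (or anything
 * else) inside it cannot change the statement. No escaping is needed,
 * and any escaping done beforehand would be stored literally.
 */
function storeTeam(PDO $pdo, $name)
{
    $stmt = $pdo->prepare('INSERT INTO teams (name) VALUES (:name)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

/**
 * Returns the stored name, or null when no row matches the literal string.
 */
function findTeam(PDO $pdo, $name)
{
    $stmt = $pdo->prepare('SELECT name FROM teams WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

$pdo  = openDb();
$team = unmagic("49'ers");            // stands in for $_POST['team']
storeTeam($pdo, $team);

// Round-trips with the apostrophe intact, no backslash in the table.
var_dump(findTeam($pdo, "49'ers"));

// Classic injection text is compared as a plain string: no row matches,
// and the WHERE clause is not rewritten.
var_dump(findTeam($pdo, "x' OR '1'='1"));

// The hand-built alternative from the thread. PDO::quote() is correct on
// its own, but stacked with addslashes() or magic quotes the row ends up
// holding "49\'ers". Use one mechanism, and prefer the bound form above.
$sql = 'SELECT name FROM teams WHERE name = ' . $pdo->quote($team);
var_dump($pdo->query($sql)->fetchColumn());
```

Two practical notes. magic_quotes_gpc is a per-directory setting (PHP_INI_PERDIR): under mod_php it is `php_flag magic_quotes_gpc Off` in an .htaccess file, which needs AllowOverride to permit it; under CGI/FastCGI on PHP 5.3+ the equivalent is a `.user.ini` file in the webroot, written in php.ini syntax and applied to subdirectories, which is the usual answer for shared hosts where the vendor's php.ini wins. In both cases verify with phpinfo() as suggested in the thread: check "Loaded Configuration File" and "Additional .ini files parsed", and compare the Local and Master columns for the magic_quotes directives. If the database is MySQL rather than SQLite, also set PDO::ATTR_EMULATE_PREPARES to false so the values are bound by the server instead of being interpolated client-side.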


