PHP - Magic Quotes


    Prior to PHP 6 there was a feature called magic quotes that was created to help protect newbie programmers from writing bad form processing code. Magic quotes would automatically escape risky form data that might be used for SQL Injection with a backslash \. The characters escaped by PHP include: quote ', double quote ", backslash \ and NULL characters.

    However, this newbie protection proved to cause more problems than it solved and is not in PHP 6. If your PHP version is any version before 6 then you should use this lesson to learn more about how magic quotes can affect you.

    Magic Quotes - Are They Enabled?

    First things first, you need to check to see if you have magic quotes enabled on your server. The get_magic_quotes_gpc function will return a 0 (off) or a 1 (on). These boolean values will fit nicely into an if statement where 1 is true and 0 is false.

    PHP Code:
    if(get_magic_quotes_gpc())
        echo "Magic quotes are enabled";
    else
        echo "Magic quotes are disabled";

    Magic quotes are enabled
    If you received the message "Magic quotes are enabled" then you should definitely continue reading this lesson; if not, feel free to learn about it in case you are developing for servers that might have quotes on or off.

    Magic Quotes in Action


    Now let's make a simple form processor to show how machines with magic quotes enabled will escape those potentially risky characters. This form submits to itself, so you only need to make one file, "magic-quotes.php", to test it out.

    magic-quotes.php
    PHP Code:
    <?php
    // Print the submitted value as PHP received it (empty on the first, non-POST load)
    echo "Altered Text: " . (isset($_POST['question']) ? $_POST['question'] : '');
    ?>

    <form method='post'>
    Question: <input type='text' name='question'/><br />
    <input type='submit'>

    </form>
    This simple form will display to you what magic quotes is doing. If you were to enter and submit the string: Sandy said, "It's a beautiful day outside and I like to use \'s." you would receive the following output.

    Altered Text: Sandy said, \"It\'s a beautiful day outside and I like to use \\\'s.\"
    Magic quotes did a number on that string, didn't it? Notice that there is a backslash before all of those risky characters we talked about earlier. After magic quotes:
    • A backslash \ becomes \\
    • A quote ' becomes \'
    • A double-quote " becomes \"


    Now, if you want to remove the escaping that magic quotes puts in, you have two options: disable magic quotes or strip the backslashes magic quotes adds.

    Removing Backslashes - stripslashes()

    Before you use PHP's backslash removal function stripslashes, it's smart to add some magic quote checking like our "Are They Enabled?" section above. This way you won't accidentally be removing slashes that are legitimate if your server's magic quotes setting changes in the future.

    magic-quotes.php
    PHP Code:
    <?php
    echo "Removed Slashes: ";
    // Remove those slashes, but only if magic quotes added them
    if(get_magic_quotes_gpc())
        echo stripslashes($_POST['question']);
    else
        echo $_POST['question'];
    ?>

    <form method='post'>
    Question: <input type='text' name='question'/><br />
    <input type='submit'>

    </form>
    Our new output for our string containing risky characters would now be:

    Removed Slashes: Sandy said, "It's a beautiful day outside and I like to use \'s."
    Last edited by bOrN2pwn; 02.01.10, 05:03.
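    As an added example (not part of the post above), the script below reproduces the transformation magic quotes applied, using addslashes(), which escapes exactly the same four characters, and shows why the stripslashes() call must stay behind the get_magic_quotes_gpc() guard. It assumes a PHP 7+ command-line interpreter; the helper names magicQuotesEnabled, emulateMagicQuotes and unescapeIfNeeded are this example's own. Note that magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() itself no longer exists as of PHP 8.0, which is why the guard also checks function_exists().

```php
<?php
// Added example (not from the original post): emulate what magic_quotes_gpc
// did to request data, and show why stripslashes() must be guarded.
// Assumes PHP 7+ on the CLI. Magic quotes were removed in PHP 5.4 and
// get_magic_quotes_gpc() was removed in PHP 8.0.

declare(strict_types=1);

/**
 * Portable check: true only on PHP builds where the function exists
 * and the setting is on. On PHP 5.4 and later this is always false.
 */
function magicQuotesEnabled(): bool
{
    if (!function_exists('get_magic_quotes_gpc')) {
        return false;
    }
    return (bool) @get_magic_quotes_gpc(); // deprecated on 7.4, hence the @
}

/**
 * addslashes() escapes exactly the four characters magic quotes did:
 * single quote, double quote, backslash and NUL.
 */
function emulateMagicQuotes(string $raw): string
{
    return addslashes($raw);
}

/** Undo the escaping only when we know it was applied. */
function unescapeIfNeeded(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Constructed input: the sentence used in the post above.
$raw = 'Sandy said, "It\'s a beautiful day outside and I like to use \\\'s."';

$escaped = emulateMagicQuotes($raw);
echo "Raw:      $raw\n";
echo "Escaped:  $escaped\n";

// Correct handling: strip only because escaping is known to have happened.
$restored = unescapeIfNeeded($escaped, true);
echo "Restored: $restored\n";
echo 'Round trip intact: ' . var_export($restored === $raw, true) . "\n";

// The hazard the post warns about: an unconditional stripslashes() on data
// that was never escaped silently eats the user's own backslash.
$mangled = stripslashes($raw);
echo "Unguarded strip of raw input: $mangled\n";
echo 'Data corrupted: ' . var_export($mangled !== $raw, true) . "\n";

// What the guard reports on the interpreter running this script.
echo 'Magic quotes available and on: ' . var_export(magicQuotesEnabled(), true) . "\n";
```

    Run it with php from the command line; the "Escaped" line matches the Altered Text output shown in the post, and the last two lines show the silent corruption that an unguarded stripslashes() causes on a server where magic quotes are off.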

    #2
    Maybe you want to use this:
    PHP Code:
    function clean($str)
    {
        // Drop tags, encode HTML special characters, trim whitespace
        $str = trim(htmlentities(strip_tags($str)));
        // Undo magic quotes escaping if the server applied it
        if(get_magic_quotes_gpc())
            $str = stripslashes($str);
        // Escape for use in a MySQL query string
        $str = mysql_real_escape_string($str);
        return $str;
    }

    and the code will be used like this:
    PHP Code:
    $test = clean($_POST['test']);
    or
    $test = clean($_GET['test']);
    or
    $test = clean($_REQUEST['test']);
    echo $test;
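    As an added example (not the reply's own code), the script below pursues the same three goals as clean() above, undoing magic-quote escaping, keeping SQL safe and keeping HTML safe, but handles each in its own context: input is normalised once at the edge, SQL safety comes from bound parameters rather than string escaping, and HTML encoding happens only when the value is rendered. Doing all three in one function, as clean() does, stores HTML-encoded text in the database and ties the code to mysql_real_escape_string(), which was removed along with the mysql extension in PHP 7. The example assumes PHP 7+ with the pdo_sqlite extension; the in-memory table, the sample input and the helper names normaliseInput, storeQuestion, loadQuestion and renderQuestion are all constructed here.

```php
<?php
// Added example (not from the reply above): per-context handling of form input.
// Assumes PHP 7+ with pdo_sqlite; the database and sample input are constructed here.

declare(strict_types=1);

/** Step 1: normalise request data once, at the edge. */
function normaliseInput(string $value): string
{
    // Only relevant on PHP < 5.4, where magic quotes could still be on.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return trim($value);
}

/** Step 2: SQL safety comes from parameter binding, not from escaping. */
function storeQuestion(PDO $db, string $question): int
{
    $stmt = $db->prepare('INSERT INTO questions (text) VALUES (:text)');
    $stmt->execute([':text' => $question]);
    return (int) $db->lastInsertId();
}

function loadQuestion(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT text FROM questions WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['text'];
}

/** Step 3: HTML encoding is applied at output time, for the HTML context only. */
function renderQuestion(string $question): string
{
    return '<p>' . htmlspecialchars($question, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE questions (id INTEGER PRIMARY KEY AUTOINCREMENT, text TEXT NOT NULL)');

// Constructed input standing in for $_POST['question'] from the form in the post:
// quotes, a backslash and a quote-heavy fragment that string-built SQL would choke on.
$posted = "  Sandy said, \"It's fine\" \\ ' OR '1'='1  ";

$clean  = normaliseInput($posted);
$id     = storeQuestion($db, $clean);
$stored = loadQuestion($db, $id);

echo 'Stored verbatim: ' . var_export($stored === $clean, true) . "\n";
echo "DB value:        $stored\n";
echo 'HTML output:     ' . renderQuestion($stored) . "\n";
```

    The quotes and backslash in the input reach the database unchanged because the prepared statement never splices them into SQL text, and the rendered output encodes them for the browser without touching what is stored.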