Question

If I have magic_quotes switched on and I use mysql_real_escape_string, will the string be double escaped? Will it cause problems?

I assume so based on the get_magic_quotes() function but just seeking confirmation.

(P.S. It's easier to ask this question than test it in my office with all the security we have in place - It takes me 10-15 to configure everything to get a usable environment)


Solution

If you escape a value obtained from get/post/cookie input, it will already have addslashes() applied to it, so passing it through mysql_real_escape_string() will, in fact, double quote.

To strip them:

// Recursive stripslashes() over keys and values (magic_quotes_gpc slashes both). The json_encode()/stripslashes()/json_decode()
// round-trip is not equivalent: stripslashes() also eats JSON's own "\n" and "\uXXXX" escapes, and json_encode() fails on non-UTF-8 input.
function strip_magic_quotes_deep($value)
{
    if (!is_array($value)) return stripslashes($value);
    $clean = array();
    foreach ($value as $k => $v) $clean[stripslashes($k)] = strip_magic_quotes_deep($v);
    return $clean;
}
if (get_magic_quotes_gpc())
{
    $_GET = strip_magic_quotes_deep($_GET);
    $_POST = strip_magic_quotes_deep($_POST);
    $_COOKIE = strip_magic_quotes_deep($_COOKIE);
    $_REQUEST = strip_magic_quotes_deep($_REQUEST);
    // magic_quotes_gpc is PHP_INI_PERDIR: ini_set() cannot change it at runtime; set it in php.ini or .htaccess.
}

This question has some other options for stripping quotes / dealing with the horrible magic_quotes_gpc PHP 'feature'.
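The double escaping this answer describes, and what a json_encode()/stripslashes()/json_decode() round-trip does to request data, reproduced as an added example that is not code from the original answer. Nothing here touches a database: apply_magic_quotes() is a constructed stand-in for what magic_quotes_gpc does to request data, escape_like_mysql() is a pure-PHP stand-in for the characters mysql_real_escape_string() escapes (the real function needs a live connection and was removed in PHP 7), and the sample request arrays are constructed. All function names are this example's own assumptions.

```php
<?php
// Added example, not from the original answer. Reproduces the double escaping
// without a database; every function name here is this example's own.

// Stand-in for mysql_real_escape_string(): escapes NUL, \n, \r, \, ', " and Ctrl-Z.
// Assumption: a single-byte-safe connection charset (no multibyte special casing).
function escape_like_mysql($s)
{
    return strtr((string) $s, array(
        "\0"   => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\"',
        "\x1a" => '\Z',
    ));
}

// Constructed stand-in for magic_quotes_gpc: addslashes() over keys and values, recursively.
function apply_magic_quotes($value)
{
    if (!is_array($value)) {
        return addslashes($value);
    }
    $out = array();
    foreach ($value as $k => $v) {
        $out[addslashes($k)] = apply_magic_quotes($v);
    }
    return $out;
}

// The correct undo: stripslashes() over keys and values, recursively.
function strip_magic_quotes($value)
{
    if (!is_array($value)) {
        return stripslashes($value);
    }
    $out = array();
    foreach ($value as $k => $v) {
        $out[stripslashes($k)] = strip_magic_quotes($v);
    }
    return $out;
}

// The json_encode()/stripslashes()/json_decode() round-trip from the answer, verbatim.
function json_strip(array $input)
{
    return json_decode(stripslashes(json_encode($input, JSON_HEX_APOS)), true);
}

// One raw value at each stage when magic_quotes_gpc is on.
function escape_pipeline($raw)
{
    $arrived = addslashes($raw); // what PHP hands you in $_GET / $_POST
    return array(
        'raw'     => $raw,
        'arrived' => $arrived,
        'naive'   => escape_like_mysql($arrived),               // escaped twice: the row keeps a stray backslash
        'fixed'   => escape_like_mysql(stripslashes($arrived)), // strip first, escape exactly once
    );
}

if (PHP_SAPI === 'cli') {
    foreach (escape_pipeline("O'Reilly") as $stage => $value) {
        printf("%-8s %s\n", $stage, $value);
    }

    // Constructed request data: a quote, a textarea with a newline, UTF-8 text (ü).
    $post = apply_magic_quotes(array(
        'name' => "O'Reilly",
        'bio'  => "line one\nline two",
        'city' => "Z\xc3\xbcrich",
    ));
    var_dump(json_strip($post));         // stripslashes() also ate JSON's own \n and \u00fc escapes
    var_dump(strip_magic_quotes($post)); // original values restored

    // Non-UTF-8 (Latin-1) input: json_encode() fails, so json_decode() yields null
    // and the whole superglobal would be wiped; the recursive stripslashes() is unaffected.
    $latin1 = apply_magic_quotes(array('city' => "Z\xfcrich"));
    var_dump(json_strip($latin1));
    var_dump(strip_magic_quotes($latin1));
}
```

Run it from the command line with any PHP that still has addslashes() and stripslashes() (all of them). The 'naive' stage is the double escaping the question asks about; the JSON round-trip is shown because it strips every backslash in the JSON text, including the ones json_encode() itself added for newlines and non-ASCII characters, which JSON_HEX_APOS does nothing about.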

OTHER TIPS

Read the documentation of mysql_real_escape_string (I hope this is not difficult as well):

Note: If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.

Of course, the easiest way is to turn magic_quotes off.
With the usual PHP/Apache config, this line

php_flag magic_quotes_gpc 0

in the .htaccess file will do the thing.

But for compatibility purposes, a function can be used in some config file too.

// array_map_recursive() is not a PHP built-in; define it (applies $callback to leaf values).
function array_map_recursive($callback, $array) {
  foreach ($array as $key => $value) {
    $array[$key] = is_array($value) ? array_map_recursive($callback, $value) : call_user_func($callback, $value);
  }
  return $array;
}
if ( get_magic_quotes_gpc( ) ) {
  $_GET = array_map_recursive('stripslashes', $_GET) ;
  $_POST = array_map_recursive('stripslashes', $_POST) ;
  $_COOKIE = array_map_recursive('stripslashes', $_COOKIE) ;
  $_REQUEST = array_map_recursive('stripslashes', $_REQUEST) ;
  // stripslashes() returns the stripped copy; it must be assigned back.
  if (isset($_SERVER['PHP_AUTH_USER'])) $_SERVER['PHP_AUTH_USER'] = stripslashes($_SERVER['PHP_AUTH_USER']);
  if (isset($_SERVER['PHP_AUTH_PW'])) $_SERVER['PHP_AUTH_PW'] = stripslashes($_SERVER['PHP_AUTH_PW']);
}

one of the easiest

If I have magic_quotes switched on and I use mysql_real_escape_string, will the string be double escaped?

Yes, it will but you could do something like this though:

// Undo the magic_quotes_gpc addslashes() first, so the value is escaped only once.
$value = get_magic_quotes_gpc() ? stripslashes($your_vars) : $your_vars;
$escaped = mysql_real_escape_string($value);

Note: You can disable the magic quotes from PHP.ini or use the below function to override it:

// no more magic quotes
// A built-in cannot be redeclared ("Cannot redeclare get_magic_quotes_gpc()"),
// so this only works as a polyfill where the function no longer exists
// (PHP 8 removed it); on older PHP, turn the setting off in php.ini instead.
if (!function_exists('get_magic_quotes_gpc')) {
  function get_magic_quotes_gpc()
  {
    return false;
  }
}
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow