Does using magic_quotes() affect the use of mysql_real_escape_string()
30-09-2019
Question
If I have magic_quotes switched on and I use mysql_real_escape_string, will the string be double escaped? Will it cause problems?
I assume so based on the get_magic_quotes() function but just seeking confirmation.
(P.S. It's easier to ask this question than test it in my office with all the security we have in place - It takes me 10-15 to configure everything to get a usable environment)
Solution
If you escape a value obtained from get/post/cookie input, it will already have addslashes() applied to it, so passing it through mysql_real_escape_string() will, in fact, double quote.
To strip them:
if (get_magic_quotes_gpc()) {
    // Recursively undo addslashes() on every scalar, nested arrays included.
    // (A json_encode/stripslashes/json_decode round-trip would also remove the
    // backslash from JSON escapes such as \n and \u00e9, corrupting newlines and
    // non-ASCII text, so recurse with stripslashes() directly instead.)
    $strip = function ($value) use (&$strip) {
        return is_array($value) ? array_map($strip, $value) : stripslashes($value);
    };
    $_GET     = array_map($strip, $_GET);
    $_POST    = array_map($strip, $_POST);
    $_COOKIE  = array_map($strip, $_COOKIE);
    $_REQUEST = array_map($strip, $_REQUEST);
    // magic_quotes_gpc is PHP_INI_PERDIR, so ini_set() cannot switch it off at
    // runtime; disable it in php.ini or .htaccess instead.
}
This question has some other options for stripping quotes / dealing with the horrible magic_quotes_gpc PHP 'feature'.
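The double escaping this answer describes, shown as an added example that is not part of the original answers or of PHP's own code. Because mysql_real_escape_string() needs an open connection (and the mysql extension is gone from PHP 7+), the script uses addslashes() as a stand-in for it; that substitution, the simulate_magic_quotes() and as_stored_by_mysql() helpers and the sample input are all assumptions made for the demonstration:

```php
<?php
// Added example (not from the question or any of the answers). It shows what
// double escaping does to a magic-quoted value and the fix: strip the
// magic-quote slashes first, then escape exactly once.
//
// Assumption: mysql_real_escape_string() needs an open connection and the
// mysql extension no longer exists in PHP 7+, so addslashes() stands in for it
// here. For this demonstration that is enough, since both put a backslash in
// front of ' " \ and NUL; real code should call the driver's escape function.

// What magic_quotes_gpc did to every GET/POST/COOKIE value on arrival.
function simulate_magic_quotes(string $raw): string
{
    return addslashes($raw);
}

// Escape for use inside a quoted SQL string literal, undoing magic quotes first.
function escape_once(string $value, bool $magic_quotes_on): string
{
    if ($magic_quotes_on) {
        $value = stripslashes($value);
    }
    return addslashes($value); // stand-in for mysql_real_escape_string()
}

// What the MySQL parser stores after consuming one level of backslash escapes
// (\' -> ', \" -> ", \\ -> \). stripslashes() mirrors that for these characters.
function as_stored_by_mysql(string $literal): string
{
    return stripslashes($literal);
}

// Constructed sample input: one apostrophe, one backslash, two double quotes.
$raw    = "O'Reilly \\ \"quoted\"";
$posted = simulate_magic_quotes($raw);   // as found in $_POST with magic quotes on

$naive = addslashes($posted);            // escaping the already-escaped value
$fixed = escape_once($posted, true);     // strip, then escape once

printf("raw            : %s\n", $raw);
printf("in \$_POST      : %s\n", $posted);
printf("naive escape   : %s\n", $naive);
printf("fixed escape   : %s\n", $fixed);
printf("stored (naive) : %s   <- literal backslashes persisted\n", as_stored_by_mysql($naive));
printf("stored (fixed) : %s\n", as_stored_by_mysql($fixed));

// The stored value only matches the user's input when the slashes were stripped first.
assert(as_stored_by_mysql($fixed) === $raw);
assert(as_stored_by_mysql($naive) === $posted);
```

Run it with `php demo.php`: the "stored (naive)" line keeps a backslash before every quote and doubles the literal backslash, which is the corruption that shows up later as stray slashes in pages and in search results, while the "stored (fixed)" line equals the original input.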
OTHER TIPS
Read the documentation of mysql_real_escape_string (I hope this is not difficult as well):
    Note: If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.
Of course, the easiest way is to turn magic_quotes off. With the usual PHP/Apache config, this line
    php_flag magic_quotes_gpc 0
in the .htaccess file will do the trick.
But for compatibility purposes, a function can be used in some config file too.
// array_map_recursive() is not a PHP built-in, so define it first.
function array_map_recursive($callback, array $array) {
    foreach ($array as $k => $v) {
        $array[$k] = is_array($v) ? array_map_recursive($callback, $v) : $callback($v);
    }
    return $array;
}
if (get_magic_quotes_gpc()) {
    $_GET     = array_map_recursive('stripslashes', $_GET);
    $_POST    = array_map_recursive('stripslashes', $_POST);
    $_COOKIE  = array_map_recursive('stripslashes', $_COOKIE);
    $_REQUEST = array_map_recursive('stripslashes', $_REQUEST);
    // stripslashes() returns the stripped string; assign it back or nothing changes.
    if (isset($_SERVER['PHP_AUTH_USER'])) $_SERVER['PHP_AUTH_USER'] = stripslashes($_SERVER['PHP_AUTH_USER']);
    if (isset($_SERVER['PHP_AUTH_PW']))   $_SERVER['PHP_AUTH_PW']   = stripslashes($_SERVER['PHP_AUTH_PW']);
}
    If I have magic_quotes switched on and I use mysql_real_escape_string, will the string be double escaped?
Yes, it will but you could do something like this though:
if (get_magic_quotes_gpc()) {
    // Remove the slashes magic quotes added; pass the result to
    // mysql_real_escape_string() so the value is escaped exactly once.
    $escaped = stripslashes($your_vars);
}
Note: You can disable the magic quotes from PHP.ini or use the below function to override it:
// no more magic quotes
// Note: on PHP 5.x, where magic quotes exist, get_magic_quotes_gpc() is a
// built-in and redeclaring it is a fatal "Cannot redeclare" error; it only
// compiles on PHP 8, where both the function and magic quotes are gone.
// Disabling magic_quotes_gpc in php.ini is the reliable route.
function get_magic_quotes_gpc()
{
    return false;
}