Old 12-05-2007, 07:44 AM   #13 (permalink)
SOCK

Ok, this portion of your code
PHP Code:

if (get_magic_quotes_gpc())
{
    $user = addslashes($user);
    $pass = addslashes($pass);
    $dir = addslashes($dir);
}

... actually doubles up the slashes!! You're checking to see if magic_quotes is On, then taking each piece of data and adding a second set of escaping slashes. In fact, let's say an original slash '\' was in the data. magic_quotes escapes this with a slash, creating '\\', and addslashes comes along and (you guessed it) makes a third '\\\'!!

The idea of using get_magic_quotes_gpc() is to check whether or not magic_quotes exists. If it does, you use stripslashes to undo its evil deeds. If not, you don't have to worry about it. The next sequence of code after this (where you interact with the DB) is where you ultimately want to escape the data.

Here's a general outline of how I run something like this:
  • Verify that all required data is present
  • Check for magic_quotes, if so, stripslashes
  • Validate all data for the proper type / formatting
  • Open the DB connection
  • Use a native escape function and/or a parameterized query (in this case, use $db->real_escape_string($user) for example)

Take a look at my earlier post and the code example. Notice how I use array_map() to run stripslashes on every POST array index. This is much more efficient than writing separate code for each index value.
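The outline in the post above, as an added example (not the poster's code and not from the thread): it simulates magic_quotes on a constructed input, prints the value after a second addslashes() and after a single stripslashes() pass, and leaves escaping to a parameterized query. The field names follow the quoted snippet; the `users` table, its columns, the 32-character limit and the sample input are assumptions.

```php
<?php
// Added example; the users table, its columns and the length limit are assumptions.

// What magic_quotes_gpc did to request data: addslashes() on every value.
// (The feature was removed in PHP 5.4, so it is simulated here.)
function simulate_magic_quotes(array $in): array {
    return array_map('addslashes', $in);
}

// Outline steps 1-3: required fields, undo magic_quotes once, validate.
function clean_request(array $in, bool $magicQuotesOn): array {
    $data = [];
    foreach (['user', 'pass', 'dir'] as $field) {
        if (!isset($in[$field]) || !is_string($in[$field]) || $in[$field] === '') {
            throw new InvalidArgumentException("missing field: $field");
        }
        $data[$field] = $in[$field];
    }
    if ($magicQuotesOn) {
        $data = array_map('stripslashes', $data);   // one call covers every index
    }
    if (strlen($data['user']) > 32) {               // constructed validation rule
        throw new InvalidArgumentException('user too long');
    }
    return $data;
}

// Outline steps 4-5: escaping belongs at the DB boundary. A parameterized
// query sends the value separately from the SQL text. This needs a live
// mysqli connection, so it is defined but not called in the demo below.
function find_user(mysqli $db, string $user): ?array {
    $stmt = $db->prepare('SELECT id, dir FROM users WHERE name = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

// Constructed sample input containing a quote and a backslash.
$typed    = ['user' => "O'Brien\\x", 'pass' => 'pw', 'dir' => 'home'];
$received = simulate_magic_quotes($typed);
$cleaned  = clean_request($received, true);

echo 'as received:      ', $received['user'], "\n";
echo 'addslashes again: ', addslashes($received['user']), "\n";
echo 'stripslashes:     ', $cleaned['user'], "\n";
var_dump($cleaned === $typed);   // compares the cleaned data with what was typed
```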