Re: magic_quotes_gpc() on or off? [message #173872 is a reply to message #173868]
Wed, 11 May 2011 10:38
Jerry Stuckle
On 5/11/2011 3:28 AM, Simon wrote:
> Hi,
>
> On my dev machine(s) I have:
> magic_quotes_gpc = Off and magic_quotes_runtime = Off
>
> As far as I understand, these are the 'preferred' settings when it comes to
> magic quotes.
>
> On the live machine I see that the values are:
>
> magic_quotes_gpc = On and magic_quotes_runtime = Off
>
> I think this is a throwback from upgrading from 4.x to 5.x many moons
> ago, (the value should not be set as per
> http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc).
>
> But as a point of interest, this causes a problem when I try to save
> data in the database.
> According to http://php.net/manual/en/function.mysql-real-escape-string.php
>
> "If magic_quotes_gpc is enabled, first apply stripslashes() to the data.
> Using this function on data which has already been escaped will escape
> the data twice."
>
> so if I have:
>
> ////////////////////////////////////////////////////////////////////////////
>
>
> // get a proper MySQL connection for mysql_real_escape_string() to work.
> ...
> //
> //
> $data = 'H\hi'; // a random string that I want to save 'as is' in the
> // db. Note the 'escaped' character.
>

First of all, '\h' is not a valid escape character. If you actually
want a backslash there, you need to use '\\h'. Using invalid character
combinations leads to unpredictable results.

> //
> // now try and save it to the db
> //
> // Stripslashes if need be
> if (get_magic_quotes_gpc())
> {
> $data = stripslashes($data);
> }
>

Why are you stripping slashes BEFORE storing the data?
magic_quotes_gpc() affects data RETRIEVED from the database.

> // escape
> $data = mysql_real_escape_string($data);
>
> echo $data;
> ////////////////////////////////////////////////////////////////////////////
>
>
> You will see that the data has become 'Hhi', the '\' has been stripped,
> and the data is no longer saved as expected.
>

As I would expect, as indicated above.

> If I turn magic_quotes_gpc=off this is a moot point.
> But I was wondering how you could get it to work with magic_quotes_gpc=On
>
> Any suggestions? comments?
>
> Thanks
>
> Simon
>
>

I never run with magic_quotes_gpc() on, and won't recommend a host who
runs with it on. If they don't know enough to turn off something which
has been deprecated for years, I'm not sure what else they are clueless
about.

And BTW - it is being removed in PHP6 anyway.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
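
The double-escaping question in this thread, worked through as an added example (not code from either poster). Assumptions: current PHP has neither magic quotes nor `mysql_real_escape_string()`, so the magic-quotes effect is simulated with `addslashes()` on a constructed value, and PDO bound parameters on an in-memory SQLite database stand in for the escaping call; `normalize_request_value()`, `round_trip()` and the `notes` table are hypothetical names.

```php
<?php
// Added example, not code from the thread. Function and table names are
// hypothetical; requires the pdo_sqlite extension.

// Undo magic-quotes escaping on a request value only when the setting is on.
// The flag is a parameter so both cases can be shown on any PHP version
// (on old installs it would come from get_magic_quotes_gpc()).
function normalize_request_value(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Store a value through a bound parameter and read the stored bytes back.
function round_trip(PDO $db, string $value): string
{
    $insert = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
    $insert->execute([':body' => $value]);
    $select = $db->prepare('SELECT body FROM notes WHERE id = :id');
    $select->execute([':id' => $db->lastInsertId()]);
    return (string) $select->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

// The value we want stored: four characters H, backslash, h, i.
$wanted = 'H\\hi';

// Constructed sample: what a form field would contain with
// magic_quotes_gpc=On, which escaped request data like addslashes().
$fromRequest = addslashes($wanted);

// Case 1: request value with magic quotes on. One stripslashes() restores
// the submitted text, and the bound parameter stores it unchanged.
$clean = normalize_request_value($fromRequest, true);
var_dump($clean === $wanted, round_trip($db, $clean) === $wanted);

// Case 2: a string literal never went through magic quotes, so
// stripslashes() removes the real backslash (the 'Hhi' result in the post).
var_dump(stripslashes($wanted));

// Case 3: skipping normalisation stores the doubled backslash.
var_dump(round_trip($db, $fromRequest));
```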