magic_quotes_gpc() on or off? [message #173868]
Wed, 11 May 2011 07:28
Simon
Hi,
On my dev machine(s) I have:
magic_quotes_gpc = Off and magic_quotes_runtime = Off
As far as I understand, this is the 'preferred' setting when it comes to
magic quotes.
On the live machine I see that the values are:
magic_quotes_gpc = On and magic_quotes_runtime = Off
I think this is a throwback from upgrading from 4.x to 5.x many moons
ago (the value should not be set, as per
http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc).
But as a point of interest, this causes a problem when I try to save
data in the database.
According to http://php.net/manual/en/function.mysql-real-escape-string.php
"If magic_quotes_gpc is enabled, first apply stripslashes() to the data.
Using this function on data which has already been escaped will escape
the data twice."
so if I have:
////////////////////////////////////////////////////////////////////////////
// get a proper MySQL connection for mysql_real_escape_string() to work.
....
//
//
$data = 'H\hi'; // a random string that I want to save 'as is' in the
                // db. Note the 'escaped' character.
//
// now try and save it to the db
//
// Stripslashes if need be
if (get_magic_quotes_gpc())
{
    $data = stripslashes($data);
}
// escape
$data = mysql_real_escape_string($data);
echo $data;
////////////////////////////////////////////////////////////////////////////
You will see that the data has become 'Hhi', the '\' has been stripped,
and the data is no longer saved as expected.
If I turn magic_quotes_gpc=off this is a moot point.
But I was wondering how you could get it to work with magic_quotes_gpc=On.
Any suggestions? Comments?
Thanks
Simon
Re: magic_quotes_gpc() on or off? [message #173872 is a reply to message #173868]
Wed, 11 May 2011 10:38
Jerry Stuckle
On 5/11/2011 3:28 AM, Simon wrote:
> Hi,
>
> On my dev machine(s) I have:
> magic_quotes_gpc = Off and magic_quotes_runtime = Off
>
> as far as I understand this is the 'preferred' settings when it comes to
> magic quotes.
>
> On the live machine I see that the values are:
>
> magic_quotes_gpc = On and magic_quotes_runtime = Off
>
> I think this is a throw back of upgrading from 4.x to 5.x many moons
> ago, (the value should not be set as per
> http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc).
>
> But as a point of interest, this causes a problem when I try to save
> data in the database.
> According to http://php.net/manual/en/function.mysql-real-escape-string.php
>
> "If magic_quotes_gpc is enabled, first apply stripslashes() to the data.
> Using this function on data which has already been escaped will escape
> the data twice."
>
> so if I have:
>
> /////////////////////////////////////////////////////////////////////////// /
>
>
> // get a proper MySQL connection for mysql_real_escape_string() to work.
> ...
> //
> //
> $data = 'H\hi'; // a random string that I want to save 'as is' in the
> db. Note the 'escaped' character.
>
First of all, '\h' is not a valid escape character. If you actually
want a backslash there, you need to use '\\h'. Using invalid character
combinations leads to unpredictable results.
> //
> // now try and save it to the db
> //
> // Stripslashes if need be
> if (get_magic_quotes_gpc())
> {
> $data = stripslashes($data);
> }
>
Why are you stripping slashes BEFORE storing the data?
magic_quotes_gpc() affects data RETRIEVED from the database.
> // escape
> $data = mysql_real_escape_string($data);
>
> echo $data;
> /////////////////////////////////////////////////////////////////////////// /
>
>
> You will see that the data has become 'Hhi', the '\' has been stripped,
> and the data is no longer saved as expected.
>
As I would expect, as indicated above.
> If I turn magic_quotes_gpc=off this is a moot point.
> But I was wondering how you could get it to work with magic_quotes_gpc=On
>
> Any suggestions? comments?
>
> Thanks
>
> Simon
>
>
I never run with magic_quotes_gpc() on, and won't recommend a host who
runs with it on. If they don't know enough to turn off something which
has been deprecated for years, I'm not sure what else they are clueless
about.
And BTW - it is being removed in PHP6 anyway.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: magic_quotes_gpc() on or off? [message #173874 is a reply to message #173868]
Wed, 11 May 2011 10:45
alvaro.NOSPAMTHANX
On 11/05/2011 9:28, Simon wrote:
> On my dev machine(s) I have:
> magic_quotes_gpc = Off and magic_quotes_runtime = Off
>
> as far as I understand this is the 'preferred' settings when it comes to
> magic quotes.
Certainly. It makes everything easier, as you've already found out.
> On the live machine I see that the values are:
>
> magic_quotes_gpc = On and magic_quotes_runtime = Off
>
> I think this is a throw back of upgrading from 4.x to 5.x many moons
> ago, (the value should not be set as per
> http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc).
>
> But as a point of interest, this causes a problem when I try to save
> data in the database.
> According to http://php.net/manual/en/function.mysql-real-escape-string.php
>
> "If magic_quotes_gpc is enabled, first apply stripslashes() to the data.
> Using this function on data which has already been escaped will escape
> the data twice."
>
> so if I have:
>
> /////////////////////////////////////////////////////////////////////////// /
>
>
> // get a proper MySQL connection for mysql_real_escape_string() to work.
> ...
> //
> //
> $data = 'H\hi'; // a random string that I want to save 'as is' in the
> db. Note the 'escaped' character.
>
> //
> // now try and save it to the db
> //
> // Stripslashes if need be
> if (get_magic_quotes_gpc())
> {
> $data = stripslashes($data);
> }
>
> // escape
> $data = mysql_real_escape_string($data);
>
> echo $data;
> /////////////////////////////////////////////////////////////////////////// /
>
>
> You will see that the data has become 'Hhi', the '\' has been stripped,
> and the data is no longer saved as expected.
>
> If I turn magic_quotes_gpc=off this is a moot point.
> But I was wondering how you could get it to work with magic_quotes_gpc=On
>
> Any suggestions? comments?
If $data really comes from GET/POST/COOKIE and the original value is
«H\hi», you should have «H\\hi».
Inspect its value with var_dump() and make sure it's actually coming
from $_GET, $_POST or $_COOKIE.
Also, have a look at the register_globals directive. If you rely on it,
you can never be sure of where your variable comes from.
--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- My site about web programming: http://borrame.com
-- My glossy-humour site: http://www.demogracia.com
--
Re: magic_quotes_gpc() on or off? [message #173875 is a reply to message #173872]
Wed, 11 May 2011 11:49
Simon
On 5/11/2011 12:38 PM, Jerry Stuckle wrote:
>>
>> // get a proper MySQL connection for mysql_real_escape_string() to work.
>> ...
>> //
>> //
>> $data = 'H\hi'; // a random string that I want to save 'as is' in the
>> db. Note the 'escaped' character.
>>
>
> First of all, '\h' is not a valid escape character. If you actually want
> a backslash there, you need to use '\\h'. Using invalid character
> combinations leads to unpredictable results.
I never said I wanted to save \h as an escape character.
I want to save the string 'H\hi' as is, (as used in the date() function
for example).
>
>> //
>> // now try and save it to the db
>> //
>> // Stripslashes if need be
>> if (get_magic_quotes_gpc())
>> {
>> $data = stripslashes($data);
>> }
>>
>
> Why are you stripping slashes BEFORE storing the data?
> magic_quotes_gpc() affects data RETRIEVED from the database.
As per my original post, this is what the doc suggests.
http://php.net/manual/en/function.mysql-real-escape-string.php
"If magic_quotes_gpc is enabled, first apply stripslashes() to the data.
Using this function on data which has already been escaped will escape
the data twice."
>
>> // escape
>> $data = mysql_real_escape_string($data);
>>
>> echo $data;
>> /////////////////////////////////////////////////////////////////////////// /
>>
>>
>>
>> You will see that the data has become 'Hhi', the '\' has been stripped,
>> and the data is no longer saved as expected.
>>
>
> As I would expect, as indicated above.
As indicated in my previous post this is what the doc says.
Unless I misunderstood the doc.
>>
>
> I never run with magic_quotes_gpc() on, and won't recommend a host who
> runs with it on. If they don't know enough to turn off something which
> has been deprecated for years, I'm not sure what else they are clueless
> about.
That's beside the point, but I agree.
Thanks
Simon
Re: magic_quotes_gpc() on or off? [message #173876 is a reply to message #173874]
Wed, 11 May 2011 11:53
Simon
>
> If $data really comes from GET/POST/COOKIE and the original value is
> «H\hi», you should have «H\\hi».
So you're saying that stripslashes(...) should be called on GET/POST/COOKIE
rather than on any data?
This certainly makes more sense to me, but the doc is not entirely clear
about that, or I am just not reading it properly.
>
> Inspect its value with var_dump() and make sure it's actually coming
> from $_GET, $_POST or $_COOKIE.
>
> Also, have a look at the register_globals directive. If you rely on it,
> you can never be sure of where your variable comes from.
>
>
Will do, thanks
Simon
Re: magic_quotes_gpc() on or off? [message #173884 is a reply to message #173876]
Wed, 11 May 2011 14:13
alvaro.NOSPAMTHANX
On 11/05/2011 13:53, Simon wrote:
>> If $data really comes from GET/POST/COOKIE and the original value is
>> «H\hi», you should have «H\\hi».
>
> So you saying that stripslashes(...) should be called on GET/POST/COOKIE
> rather than on any data?
>
> This certainly makes more sense to me, but the doc is not entirely clear
> about that, or I am just not reading it properly.
Well, yes, of course, that's what the "_gpc" suffix stands for:
«Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When
magic_quotes are on, all ' (single-quote), " (double quote), \
(backslash) and NUL's are escaped with a backslash automatically.»
http://es.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc
It was already bad enough that way :)
>> Inspect its value with var_dump() and make sure it's actually coming
>> from $_GET, $_POST or $_COOKIE.
>>
>> Also, have a look at the register_globals directive. If you rely on it,
>> you can never be sure of where your variable comes from.
>>
>>
>
> Will do, thanks
--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- My site about web programming: http://borrame.com
-- My glossy-humour site: http://www.demogracia.com
--
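Added here as a worked example of the "_gpc" scope Álvaro quotes above (this is not code from the thread or from php.net): magic_quotes_gpc only ever touched GET/POST/COOKIE input, so stripslashes() has to be applied to exactly that input, once, and to nothing else. addslashes() stands in for the escaping PHP applied to request data when the directive was On; undo_magic_quotes() and normalise_request_input() are names chosen for this example.

```php
<?php
// Added example (not from the thread): scope stripslashes() to the request
// input that magic_quotes_gpc actually modified. addslashes() simulates what
// PHP < 5.4 did to GET/POST/COOKIE values when magic_quotes_gpc was On
// (it escaped ' " \ and NUL with a backslash).

// Undo magic quotes on one request array, recursing into nested arrays.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Normalise all GPC input once, at the top of the request, so the rest of
// the application always sees raw data. Only run it when the runtime really
// applied magic quotes (PHP < 5.4; get_magic_quotes_gpc() was removed in 8.0).
function normalise_request_input()
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET    = undo_magic_quotes($_GET);
        $_POST   = undo_magic_quotes($_POST);
        $_COOKIE = undo_magic_quotes($_COOKIE);
    }
}

// --- constructed demonstration ---
$raw = 'H\hi';                          // what the user actually typed

// 1. What magic_quotes_gpc would have placed into $_POST:
$asReceived = addslashes($raw);         // H\\hi

// 2. Correct: strip only the layer magic quotes added.
$recovered = stripslashes($asReceived); // H\hi again

// 3. The mistake in the thread: stripping a value that was never
//    magic-quoted (a literal, a DB column, a file) loses the backslash.
$damaged = stripslashes($raw);          // Hhi

var_dump($asReceived, $recovered, $damaged);

// Escape exactly once, at the database boundary, on the recovered value:
// mysqli_real_escape_string($conn, $recovered), or better, bind it as a
// parameter of a prepared statement so no manual escaping is needed.
```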
Re: magic_quotes_gpc() on or off? [message #173885 is a reply to message #173884]
Wed, 11 May 2011 14:15
Simon
>
> Well, yes, of course, that's what the "_gpc" suffix stands for:
>
> «Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When
> magic_quotes are on, all ' (single-quote), " (double quote), \
> (backslash) and NUL's are escaped with a backslash automatically.»
LOL, I never even thought of that.
It all makes sense now, thanks.
Simon
Re: magic_quotes_gpc() on or off? [message #173888 is a reply to message #173875]
Wed, 11 May 2011 15:29
Jerry Stuckle
On 5/11/2011 7:49 AM, Simon wrote:
> On 5/11/2011 12:38 PM, Jerry Stuckle wrote:
>
>>>
>>> // get a proper MySQL connection for mysql_real_escape_string() to work.
>>> ...
>>> //
>>> //
>>> $data = 'H\hi'; // a random string that I want to save 'as is' in the
>>> db. Note the 'escaped' character.
>>>
>>
>> First of all, '\h' is not a valid escape character. If you actually want
>> a backslash there, you need to use '\\h'. Using invalid character
>> combinations leads to unpredictable results.
>
> I never said I wanted to save \h as an escape character.
> I want to save the string 'H\hi' as is, (as used in the date() function
> for example).
>
Then you must use 'h\\hi'. Backslash is an escape character.
>>
>>> //
>>> // now try and save it to the db
>>> //
>>> // Stripslashes if need be
>>> if (get_magic_quotes_gpc())
>>> {
>>> $data = stripslashes($data);
>>> }
>>>
>>
>> Why are you stripping slashes BEFORE storing the data?
>> magic_quotes_gpc() affects data RETRIEVED from the database.
>
>
> As per my original post, this is what the doc suggests.
>
> http://php.net/manual/en/function.mysql-real-escape-string.php
>
> "If magic_quotes_gpc is enabled, first apply stripslashes() to the data.
> Using this function on data which has already been escaped will escape
> the data twice."
>
If the data has previously been escaped, yes. In your case, it has not.
>>
>>> // escape
>>> $data = mysql_real_escape_string($data);
>>>
>>> echo $data;
>>> /////////////////////////////////////////////////////////////////////////// /
>>>
>>>
>>>
>>>
>>> You will see that the data has become 'Hhi', the '\' has been stripped,
>>> and the data is no longer saved as expected.
>>>
>>
>> As I would expect, as indicated above.
>
> As indicated in my previous post this is what the doc says.
> Unless I misunderstood the doc.
>
You are misunderstanding the doc.
>>>
>>
>> I never run with magic_quotes_gpc() on, and won't recommend a host who
>> runs with it on. If they don't know enough to turn off something which
>> has been deprecated for years, I'm not sure what else they are clueless
>> about.
>
> That's beside the point, but I agree.
>
> Thanks
>
> Simon
Actually, it is a major point.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: magic_quotes_gpc() on or off? [message #173939 is a reply to message #173888]
Fri, 13 May 2011 19:25
Michael Fesser
.oO(Jerry Stuckle)
> On 5/11/2011 7:49 AM, Simon wrote:
>>>
>>> Why are you stripping slashes BEFORE storing the data?
>>> magic_quotes_gpc() affects data RETRIEVED from the database.
>>
>> As per my original post, this is what the doc suggests.
>>
>> http://php.net/manual/en/function.mysql-real-escape-string.php
>>
>> "If magic_quotes_gpc is enabled, first apply stripslashes() to the data.
>> Using this function on data which has already been escaped will escape
>> the data twice."
>
> If the data has previously been escaped, yes. In your case, it has not.
If magic quotes are enabled, then PHP will automatically escape his
incoming data. So calling stripslashes() on it before doing anything
else is the correct way to ensure you're working with the raw data.
After that you can apply the proper escaping as necessary.
Micha
Re: magic_quotes_gpc() on or off? [message #173944 is a reply to message #173939]
Fri, 13 May 2011 22:44
Jerry Stuckle
On 5/13/2011 3:25 PM, Michael Fesser wrote:
> .oO(Jerry Stuckle)
>
>> On 5/11/2011 7:49 AM, Simon wrote:
>>>>
>>>> Why are you stripping slashes BEFORE storing the data?
>>>> magic_quotes_gpc() affects data RETRIEVED from the database.
>>>
>>> As per my original post, this is what the doc suggests.
>>>
>>> http://php.net/manual/en/function.mysql-real-escape-string.php
>>>
>>> "If magic_quotes_gpc is enabled, first apply stripslashes() to the data.
>>> Using this function on data which has already been escaped will escape
>>> the data twice."
>>
>> If the data has previously been escaped, yes. In your case, it has not.
>
> If magic quotes are enabled, then PHP will automatically escape his
> incoming data. So calling stripslashes() on it before doing anything
> else is the correct way to ensure you're working with the raw data.
> After that you can apply the proper escaping as necessary.
>
> Micha
True - IF the data is incoming. But there was no indication it was - in
fact, there was every indication it was not, because a properly escaped
PHP string will never contain something like 'H\hi'. '\h' is an invalid
character sequence.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================