Re: magic_quotes_gpc() on or off? [message #173874 is a reply to message #173868]
Wed, 11 May 2011 10:45
alvaro.NOSPAMTHANX
Messages: 277 Registered: September 2010
Senior Member
On 11/05/2011 9:28, Simon wrote:
> On my dev machine(s) I have:
> magic_quotes_gpc = Off and magic_quotes_runtime = Off
>
> as far as I understand these are the 'preferred' settings when it comes to
> magic quotes.
Certainly. It makes everything easier, as you've already found out.
> On the live machine I see that the values are:
>
> magic_quotes_gpc = On and magic_quotes_runtime = Off
>
> I think this is a throwback of upgrading from 4.x to 5.x many moons
> ago, (the value should not be set as per
> http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc).
>
> But as a point of interest, this causes a problem when I try to save
> data in the database.
> According to http://php.net/manual/en/function.mysql-real-escape-string.php
>
> "If magic_quotes_gpc is enabled, first apply stripslashes() to the data.
> Using this function on data which has already been escaped will escape
> the data twice."
>
> so if I have:
>
> ///////////////////////////////////////////////////////////////////////////
>
> // get a proper MySQL connection for mysql_real_escape_string() to work.
> ...
> //
> //
> $data = 'H\hi'; // a random string that I want to save 'as is' in the db. Note the 'escaped' character.
>
> //
> // now try and save it to the db
> //
> // Stripslashes if need be
> if (get_magic_quotes_gpc())
> {
> $data = stripslashes($data);
> }
>
> // escape
> $data = mysql_real_escape_string($data);
>
> echo $data;
> ///////////////////////////////////////////////////////////////////////////
>
> You will see that the data has become 'Hhi', the '\' has been stripped,
> and the data is no longer saved as expected.
>
> If I turn magic_quotes_gpc=off this is a moot point.
> But I was wondering how you could get it to work with magic_quotes_gpc=On
>
> Any suggestions? comments?
If $data really comes from GET/POST/COOKIE and the original value is
«H\hi», you should have «H\\hi».
Inspect its value with var_dump() and make sure it's actually coming
from $_GET, $_POST or $_COOKIE.
Also, have a look at the register_globals directive. If you rely on it,
you can never be sure of where your variable comes from.
--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- My site about web programming: http://borrame.com
-- My satin-finish humor website: http://www.demogracia.com
--
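
Added example, not part of the original posts: a PHP sketch of why the hard-coded 'H\hi' loses its backslash while the same value arriving via GET/POST/COOKIE would not. It assumes magic_quotes_gpc behaves like addslashes() applied to each request value; the helper names and the sample input are hypothetical.

```php
<?php
// Hypothetical helper: emulate magic_quotes_gpc = On by applying addslashes()
// to every value of a request array, including nested arrays.
function simulate_magic_quotes(array $request): array
{
    return array_map(function ($v) {
        return is_array($v) ? simulate_magic_quotes($v) : addslashes($v);
    }, $request);
}

// Hypothetical helper: undo the directive once, at the entry point,
// and only for data that really came from the request.
function undo_magic_quotes(array $request, bool $magicQuotesOn): array
{
    if (!$magicQuotesOn) {
        return $request; // nothing was added, so nothing may be stripped
    }
    return array_map(function ($v) {
        return is_array($v) ? undo_magic_quotes($v, true) : stripslashes($v);
    }, $request);
}

// Constructed sample input: what the user typed into the form fields.
$typed = ['name' => 'H\hi', 'tags' => ["O'Brien", 'C:\temp']];

// What the script would see in $_POST with the directive On:
// every backslash and quote now carries an extra backslash.
$post = simulate_magic_quotes($typed);
var_dump($post);

// Stripping request data once restores exactly what was typed.
$clean = undo_magic_quotes($post, true);
var_dump($clean === $typed);

// The case from the question: a literal assigned in the script never went
// through magic quotes, so stripslashes() removes a backslash that was data.
var_dump(stripslashes('H\hi'));
```

The restored values still have to be escaped (or bound as parameters) for the database afterwards; stripping only undoes the directive.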