FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Magic quotes? Should I still be cautious?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Magic quotes? Should I still be cautious? [message #176395 is a reply to message #176378] Fri, 30 December 2011 13:42 Go to previous messageGo to previous message
Erwin Moller is currently offline  Erwin Moller
Messages: 228
Registered: September 2010
Karma:
Senior Member
On 12/29/2011 9:55 PM, Michael Joel wrote:
> I do not have control of my server (shared server).
>
> echo get_magic_quotes_gpc(); returns True.
> Should I still be cautious and use addslashes/stripslashes in case the
> hosting company ever decides to change the settings?
>
> Thanks
> Mike

Hi Mike,

To sum up all the responses so far:
1) Avoid all use of magic_quotes in your code. Do not rely on it.
2) If you want your programs to be prepared for magic_quotes, as in
older shared hosting environments like yours, write a small function to
wrap the test in, like:

function getRawGPCValue($someGPCStr){
if (get_magic_quotes_gpc() === 1){
return stripslashes($someGPCStr);
} else {
return $someGPCStr;
}
}

And then when you need a value from $_POST, simply do:
$firstName = getRawGPCValue($_POST("firstname"));

You might want to use a shorter functionname. ;-)


3) When you need to use the value from sources like GPC, simply do the
right thing with the *raw* data.

For example:
a) When you expect an integer, don't mind the escaping, simply cast it
to integer:
$userid = (int)$_POST["userid"];
(You might want to add additional checks of course, like rnage of the
number, if $_POST["userid"] is set at all, etc.)

b) When you want to output it to HTML:
$firstName = getRawGPCValue($_POST("firstname"));
echo htmlentities($firstName);
For more details like charset/encoding read here:
http://nl3.php.net/manual/en/function.htmlentities.php

c) When you want to insert characterdata into your database:
Use the right escape function suitable for your database, or use
something like PDO.
eg: mysql_real_escape_string() for mysql
pg_escape_literal() for Postgres.
etc.

d) When using in an URL, url encode the raw data.


etc. etc. etc.


Bottomline: Make sure you have the raw (real) data, and use the
appropriate approach before using.
There is no "magic" solution that solves all possible situations,
despite names like "magic_quotes".
Escaping of strings works differently for URLs, HTML, databaseX, databaseY,

Tip:
When the encoding of some string is different than for example the
receiving database, have a look at iconv. It saved me a few headaches.
http://nl3.php.net/manual/en/function.iconv.php

Good luck!

regards,
Erwin Moller


--
"That which can be asserted without evidence, can be dismissed without
evidence."
-- Christopher Hitchens
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Lilupophilupop
Next Topic: [WSP] CALL FOR PAPERS [FREE]
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Nov 24 22:35:28 GMT 2024

Total time taken to generate the page: 0.24597 seconds