comp.lang.php » Magic quotes? Should I still be cautious?
Re: Magic quotes? Should I still be cautious? [message #176397 is a reply to message #176395] Fri, 30 December 2011 14:52
Michael Joel
On Fri, 30 Dec 2011 14:42:43 +0100, Erwin Moller
<Since_humans_read_this_I_am_spammed_too_much(at)spamyourself(dot)com> wrote:

> On 12/29/2011 9:55 PM, Michael Joel wrote:
>> I do not have control of my server (shared server).
>>
>> echo get_magic_quotes_gpc(); returns True.
>> Should I still be cautious and use addslashes/stripslashes in case the
>> hosting company ever decides to change the settings?
>>
>> Thanks
>> Mike
>
> Hi Mike,
>
> To sum up all the responses so far:
> 1) Avoid all use of magic_quotes in your code. Do not rely on it.
> 2) If you want your programs to be prepared for magic_quotes, as in
> older shared hosting environments like yours, write a small function to
> wrap the test in, like:
>
> function getRawGPCValue($someGPCStr){
>     if (get_magic_quotes_gpc() === 1){
>         return stripslashes($someGPCStr);
>     } else {
>         return $someGPCStr;
>     }
> }
>
> And then when you need a value from $_POST, simply do:
> $firstName = getRawGPCValue($_POST["firstname"]);
>
> You might want to use a shorter function name. ;-)
>
>
> 3) When you need to use the value from sources like GPC, simply do the
> right thing with the *raw* data.
>
> For example:
> a) When you expect an integer, don't mind the escaping, simply cast it
> to integer:
> $userid = (int)$_POST["userid"];
> (You might want to add additional checks of course, like range of the
> number, if $_POST["userid"] is set at all, etc.)
>
> b) When you want to output it to HTML:
> $firstName = getRawGPCValue($_POST["firstname"]);
> echo htmlentities($firstName);
> For more details like charset/encoding read here:
> http://nl3.php.net/manual/en/function.htmlentities.php
>
> c) When you want to insert character data into your database:
> Use the right escape function suitable for your database, or use
> something like PDO.
> eg: mysql_real_escape_string() for mysql
> pg_escape_literal() for Postgres.
> etc.
>
> d) When using in a URL, url encode the raw data.
>
>
> etc. etc. etc.
>
>
> Bottomline: Make sure you have the raw (real) data, and use the
> appropriate approach before using.
> There is no "magic" solution that solves all possible situations,
> despite names like "magic_quotes".
> Escaping of strings works differently for URLs, HTML, databaseX, databaseY, ...
>
> Tip:
> When the encoding of some string is different than for example the
> receiving database, have a look at iconv. It saved me a few headaches.
> http://nl3.php.net/manual/en/function.iconv.php
>
> Good luck!
>
> regards,
> Erwin Moller


Thanks - and thanks all.
This is a lot of information. I plan to go back and adjust the code to
comply better.

Thanks again
Mike
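The advice quoted above (unslash once, then handle the raw value per output context) carried through as one runnable script. This is an added example, not code from Erwin's or Mike's posts; the function names, the `users` table and the constructed `$post` array are made up for it. Because `get_magic_quotes_gpc()` was removed in PHP 8, the check is guarded with `function_exists()`, and `raw_gpc()` takes an optional `$slashed` flag so the unslashing path can be exercised on an interpreter where magic quotes no longer exist.

```php
<?php
// Added example, not code from the original thread: Erwin's advice
// carried through in one runnable script. raw_gpc() undoes magic_quotes_gpc
// when (and only when) it is active, and every other function consumes the
// raw value with the escaping that its own output context needs.
// get_magic_quotes_gpc() was removed in PHP 8, so it is probed with
// function_exists(); on PHP 8 request data is never slashed. The function
// and table names below are made up for the example.

function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Return the raw (unslashed) value of a GPC parameter. $slashed can be forced
// for testing; by default it follows the running interpreter's setting.
function raw_gpc($value, $slashed = null)
{
    if ($slashed === null) {
        $slashed = magic_quotes_active();
    }
    if (!$slashed) {
        return $value;
    }
    // magic_quotes_gpc slashes nested arrays too, so undo it recursively
    if (is_array($value)) {
        return array_map(function ($v) { return raw_gpc($v, true); }, $value);
    }
    return stripslashes($value);
}

// a) integer parameter: check presence and form, cast, then range-check.
// Escaping is irrelevant here because a slashed digit string is still digits.
function user_id_from(array $input)
{
    if (!isset($input['userid']) || !ctype_digit((string) $input['userid'])) {
        return null;
    }
    $id = (int) $input['userid'];
    return $id > 0 ? $id : null;
}

// b) HTML output: escape for the HTML context, charset stated explicitly
function html_text($raw)
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// c) database: bind the raw value with PDO; no manual escaping anywhere
function insert_user(PDO $db, $userId, $firstName)
{
    $stmt = $db->prepare('INSERT INTO users (id, first_name) VALUES (:id, :name)');
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':name', $firstName, PDO::PARAM_STR);
    return $stmt->execute();
}

// d) URL: percent-encode the raw value when it goes into a query string
function profile_url($firstName)
{
    return '/profile.php?name=' . rawurlencode($firstName);
}

// Constructed input standing in for $_POST on a host with magic_quotes_gpc=On:
// the apostrophe in O'Brien arrives already backslash-escaped.
$post = ['firstname' => "O\\'Brien", 'userid' => '42'];

$firstName = raw_gpc($post['firstname'], true);   // forced: the input above is slashed
$userId    = user_id_from($post);

echo "raw:  ", $firstName, "\n";
echo "html: ", html_text($firstName), "\n";
echo "url:  ", profile_url($firstName), "\n";

// Round-trip through SQLite when the PDO driver is available
if (in_array('sqlite', PDO::getAvailableDrivers(), true)) {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT)');
    insert_user($db, $userId, $firstName);
    $row = $db->query('SELECT first_name FROM users WHERE id = 42')->fetch(PDO::FETCH_ASSOC);
    echo "db:   ", $row['first_name'], "\n";
}
```

The order is the point: strip the host's slashes exactly once at the boundary, keep only the raw value afterwards, and let each sink (HTML, SQL, URL) apply its own encoding. Calling `stripslashes()` on an already-raw value silently eats legitimate backslashes, and calling `addslashes()` on top of magic quotes double-escapes, which is why the wrapper tests the setting instead of assuming it.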