FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Magic quotes? Should I still be cautious?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Magic quotes? Should I still be cautious? [message #176405 is a reply to message #176396] Mon, 02 January 2012 14:02 Go to previous messageGo to previous message
Erwin Moller is currently offline  Erwin Moller
Messages: 228
Registered: September 2010
Karma:
Senior Member
On 12/30/2011 3:52 PM, Michael Joel wrote:
> On Fri, 30 Dec 2011 12:38:01 +0100, Erwin Moller
> <Since_humans_read_this_I_am_spammed_too_much(at)spamyourself(dot)com> wrote:
>
>> On 12/30/2011 5:32 AM, Michael Joel wrote:
>>> On Thu, 29 Dec 2011 17:53:09 -0600, "Peter H. Coffin"
>>> <hellsop(at)ninehells(dot)com> wrote:
>>> .....SNIP...............................
>> Where do you think there are magically removed?
>>
>>> .....SNIP...............................
>
>
> from the book PHP and MYSQL: Web Development (Welling and Thomson).
> I tested this and it is true.
> slashes are added and removed automatically.
>
> I "imagine" when the vairiables post they are added then when you
> access the vars they are removed. In any case my tests to see shows
> the book is correct.
>
> As a later poster says though all this is being deprecated so it will
> become useless.
>
> Thanks
> Mike

Hi Mike,

I don't know this book, but is seems it did a very poor job explaining
the matter. I'll try to make it clearer.

This is what happens when you have magic_quotes on:

1) Your webserver presents a document with a form to a client.
Lets say it is named signup.html and it contains, amongst others, the
following:
<form action="signup_process.php" Method="post">
Your name: <input type="text" name="firstname" value="">
<input type="submit" value="Post it">
</form>

2) Somebody types in the above form the following:
Joe "hi' Jones
and sends it.

3) At the webserver signup_process.php is invoked.
The environment of PHP contains values in the superglobal $_POST array.
Here (and only here) magic_quotes comes into play.

$_POST["firstname"] contains *Joe "hi' Jones* when magic quotes are off.
$_POST["firstname"] contains *Joe \"hi\' Jones* when magic quotes are on.

(Outer ** added by me, they are not in the variable.)

The only reason those magic quotes were invented is because of the
following: If a lazy/sloppy programmer wanted to use these variables to
insert them into a database, (s)he would do the following:

$SQL =
"INSERT INTO tblusers (firstname) VALUES ('".$_POST["firstname"]."');";

And then execute that statement against some database:
somedb_execute($SQL);

That approach would work fine if the data didn't contain " or ' (and
other naughty characters. Naughty depends on the database in question).

So simply using the values from $_POST would make the receiving script
vulnerable to SQL injection.

A better way (but still not 100% safe) would be to first escape the
received string, like this:
$saferFirstName = addslashes($_POST["firstname"]);

That is why magic_quotes was "invented": It does this addslashes()
automatically for all data that is put into $_GET and $_POST and
$_COOKIE, in case you forget.

So the adding of slashes solves a few problems:
a) It makes it possible to use the character ' or " inside the query.
Note that ' and " are often used in SQL to delimit a string of
characters (for the database field types: text, char, etc).
b) It makes simple SQL injection impossible (Note the word 'simple').

When you read back from the database with the above example like:
SELECT firstname from tblusers;
You will neatly receive *Joe "hi' Jones* as is intended. The slashes are
gone because they were only used to tell the database that the next
character is escaped.
This behavior is probably the reason your book claims that the slashes
are removed, which isn't exactly correct. They were actually never
inserted into the database and only had their use to tell the database
to take the next character literally.

But it was a bad idea for several reasons. To name a few:
a) Escaping only ' and " isn't enough. Different databases have other
character(sequence)s that allow for unintended action when executed with
only addslashes().
b) It gives newbies a false sense of security. They might think
something like "I have those magic quotes on, so my application is safe
for SQL injection.", which it isn't.

Hope that helped. :-)
Make sure you understand the issues involved, or you will be bitten in
the back later.
It really helped me to understand it all by hacking my own applications.
It is worth your time, and many hacks and cracks you can read about on
the net make sense when you do it yourself.

Regards,
Erwin Moller

--
"That which can be asserted without evidence, can be dismissed without
evidence."
-- Christopher Hitchens
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Lilupophilupop
Next Topic: [WSP] CALL FOR PAPERS [FREE]
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Nov 24 22:36:20 GMT 2024

Total time taken to generate the page: 0.05049 seconds