carbonize, Posted November 15, 2008

Ok my script checks if GPC is enabled and adds slashes if needs be. But for some reason I occasionally receive MySQL error emails where the post contains a ' which then breaks the query since I put the message in between single quotes. Any ideas?

    if (!get_magic_quotes_gpc()) {
        $this->name     = addslashes($this->name);
        $this->location = addslashes($this->location);
        $this->aim      = addslashes($this->aim);
        $this->msn      = addslashes($this->msn);
        $this->yahoo    = addslashes($this->yahoo);
        $this->skype    = addslashes($this->skype);
        $this->email    = addslashes($this->email);
        $this->url      = addslashes($this->url);
        $this->comment  = addslashes($this->comment);
        $this->gender   = addslashes($this->gender);
    }

Just to show that I am checking and adding slashes as needed.
telcor, Posted November 18, 2008

A few points to keep in mind:

1. GPC is deprecated and will be removed in PHP 6 ( http://us.php.net/manual/en/info.configura...agic-quotes-gpc ).

2. GPC should not be relied upon to properly escape values intended for insertion into a database. It was a kludge added to make string escaping easy and results in far too many XSS attacks. Instead, use one of the following methods.

3. If using the regular MySQL PHP extension, use the mysql_real_escape_string function ( http://us.php.net/manual/en/function.mysql...cape-string.php ). This function allows you to take into consideration character sets (which neither GPC nor mysql_escape_string does).

4. If using the MySQLi PHP extension, use prepared statements ( http://us.php.net/manual/en/mysqli.prepare.php ). There is a mysqli_real_escape_string function, but really one should learn how to use prepared statements. Or even better, use a database abstraction library such as the excellent ADODB ( http://adodb.sourceforge.net/ ).
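The two approaches from the post above, written out as an added example (not code from the thread or from Advanced Guestbook). It assumes a live mysqli connection and a hypothetical table guestbook(name, email, comment); escaping happens at the point the query is built, so it no longer matters where the value came from or whether an earlier layer added slashes.

```php
<?php
// Added example, not code from the thread or from Advanced Guestbook.
// Assumes a live mysqli connection and a hypothetical table
//   guestbook(name VARCHAR(64), email VARCHAR(128), comment TEXT).

// Escaping at the point of query construction, with the connection's
// character set taken into account. magic_quotes_gpc only ever touched
// GET/POST/COOKIE at request start; escaping here covers every source.
function insertWithEscaping(mysqli $db, string $name, string $email, string $comment): bool
{
    // real_escape_string() escapes according to the charset set here,
    // which addslashes() and the old mysql_escape_string() could not do.
    $db->set_charset('utf8mb4');
    $sql = sprintf(
        "INSERT INTO guestbook (name, email, comment) VALUES ('%s', '%s', '%s')",
        $db->real_escape_string($name),
        $db->real_escape_string($email),
        $db->real_escape_string($comment)
    );
    return $db->query($sql) === true;
}

// The preferred form: a prepared statement. The values never become part
// of the SQL text, so a comment like "it's great" is just data and cannot
// break the query no matter how many quotes it contains.
function insertWithPreparedStatement(mysqli $db, string $name, string $email, string $comment): bool
{
    $stmt = $db->prepare('INSERT INTO guestbook (name, email, comment) VALUES (?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sss', $name, $email, $comment);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage (connection details are placeholders):
// $db = new mysqli('localhost', 'user', 'password', 'guestbook_db');
// insertWithPreparedStatement($db, "O'Brien", 'ob@example.com', "It's a nice site");
```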
carbonize (Author), Posted November 18, 2008

I only check if GPC is on and then addslashes as required, or rather Advanced Guestbook did, and I never saw any reason to change it. Does mysql_real_escape_string automatically check if the string is already slashed? BTW that doesn't really answer the question of why it doesn't always work.

Edit: Actually, whilst magic_quotes_gpc is deprecated, get_magic_quotes_gpc is not.

Edited November 18, 2008 by carbonize
carbonize (Author), Posted November 18, 2008

I switched to the mysql_real_escape_string method and it seems to have fixed things. Doesn't answer the question as to why the server has started to say get_magic_quotes_gpc is true and yet is not adding slashes to the submitted data.