OK, my script checks if GPC is enabled and adds slashes if need be. But for some reason I occasionally receive MySQL error emails where the post contains a ', which then breaks the query since I put the message between single quotes. Any ideas?


	if (!get_magic_quotes_gpc()) {
		// Braces are needed here: without them only the first assignment is
		// conditional and every other field is slashed regardless of GPC.
		$this->name = addslashes($this->name);
		$this->location = addslashes($this->location);
		$this->aim = addslashes($this->aim);
		$this->msn = addslashes($this->msn);
		$this->yahoo = addslashes($this->yahoo);
		$this->skype = addslashes($this->skype);
		$this->email = addslashes($this->email);
		$this->url = addslashes($this->url);
		$this->comment = addslashes($this->comment);
		$this->gender = addslashes($this->gender);
	}


Just to show that I am checking and adding slashes as needed.


A few points to keep in mind:


1. GPC is deprecated and will be removed in PHP 6 (http://us.php.net/manual/en/info.configura...agic-quotes-gpc).


2. GPC should not be relied upon to properly escape values intended for insertion into a Database. It was a kludge added to make string escaping easy and results in far too many XSS attacks. Instead, use one of the following methods.


3. If using the regular MySQL PHP Extension, use the mysql_real_escape_string function (http://us.php.net/manual/en/function.mysql...cape-string.php). This function allows you to take into consideration character sets (which neither GPC nor mysql_escape_string does).


4. If using the MySQLi PHP Extension, use Prepared statements (http://us.php.net/manual/en/mysqli.prepare.php).


There is a mysqli_real_escape_string function, but really one should learn how to use Prepared Statements. Or even better, use a Database Abstraction library such as the excellent ADODB (http://adodb.sourceforge.net/).

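What point 4 looks like for a guestbook insert, added here as an illustration and not taken from the original posts or from Advanced Guestbook; the table and column names, the connection details and the stripslashes step for magic quotes are assumptions:

```php
<?php
// Added example, not code from the original posts or from Advanced Guestbook:
// insert a guestbook entry with a mysqli prepared statement so that quotes in
// user input can never break the query. Table/column names and connection
// details are assumed for illustration.

function save_guestbook_entry(mysqli $db, array $entry)
{
    // Magic quotes (PHP 5 era) have already slashed $_POST values when enabled.
    // Neither mysqli_real_escape_string nor bind_param detects that, so undo it
    // first; otherwise the stored text ends up double-escaped.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $entry = array_map('stripslashes', $entry);
    }

    $stmt = $db->prepare('INSERT INTO guestbook (name, location, email, url, comment, gender)
                          VALUES (?, ?, ?, ?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    // Values travel separately from the SQL text, so a ' in the comment is
    // stored literally instead of being parsed as part of the statement.
    $stmt->bind_param('ssssss',
        $entry['name'], $entry['location'], $entry['email'],
        $entry['url'], $entry['comment'], $entry['gender']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Fallback when a query must be built as a string: escape with the connection's
// character set, which addslashes and mysql_escape_string ignore.
function quote_for_sql(mysqli $db, $value)
{
    return "'" . $db->real_escape_string($value) . "'";
}

// Usage with assumed connection details.
$db = new mysqli('localhost', 'gb_user', 'gb_pass', 'guestbook_db');
$db->set_charset('utf8');
save_guestbook_entry($db, array(
    'name'     => $_POST['name'],
    'location' => $_POST['location'],
    'email'    => $_POST['email'],
    'url'      => $_POST['url'],
    'comment'  => $_POST['comment'],   // may contain ' or " freely
    'gender'   => $_POST['gender'],
));
```

The stripslashes step also answers the follow-up question in this thread: the escaping functions do not check whether a string is already slashed, so on a GPC-enabled server the slashes have to be removed before escaping or binding.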

I only check if GPC is on and then addslashes as required, or rather Advanced Guestbook did and I never saw any reason to change it. Does mysql_real_escape_string automatically check if the string is already slashed?


BTW that doesn't really answer the question of why it doesn't always work.



Edit: Actually, whilst magic_quotes_gpc is deprecated, get_magic_quotes_gpc is not.

Edited by carbonize