Posted

OK, my script checks if GPC is enabled and adds slashes if need be. But for some reason I occasionally receive MySQL error emails where the post contains a ' which then breaks the query, since I put the message between single quotes. Any ideas?

  // Only escape manually when the server has not already done so via magic_quotes_gpc
  if (!get_magic_quotes_gpc())
  {
      $this->name     = addslashes($this->name);
      $this->location = addslashes($this->location);
      $this->aim      = addslashes($this->aim);
      $this->msn      = addslashes($this->msn);
      $this->yahoo    = addslashes($this->yahoo);
      $this->skype    = addslashes($this->skype);
      $this->email    = addslashes($this->email);
      $this->url      = addslashes($this->url);
      $this->comment  = addslashes($this->comment);
      $this->gender   = addslashes($this->gender);
  }

Just to show that I am checking and adding slashes as needed.

Posted

A few points to keep in mind:

1. GPC is deprecated and will be removed in PHP 6 ( http://us.php.net/manual/en/info.configura...agic-quotes-gpc )

2. GPC should not be relied upon to properly escape values intended for insertion into a database. It was a kludge added to make string escaping easy and results in far too many XSS attacks. Instead, use one of the following methods.

3. If using the regular MySQL PHP extension, use the mysql_real_escape_string function ( http://us.php.net/manual/en/function.mysql...cape-string.php ). This function allows you to take character sets into consideration (which neither GPC nor mysql_escape_string does).

4. If using the MySQLi PHP extension, use prepared statements ( http://us.php.net/manual/en/mysqli.prepare.php ).

There is a mysqli_real_escape_string function, but really one should learn how to use prepared statements. Or even better, use a database abstraction library such as the excellent ADODB ( http://adodb.sourceforge.net/ ).

Posted (edited)

I only check if GPC is on and then addslashes as required, or rather Advanced Guestbook did, and I never saw any reason to change it. Does mysql_real_escape_string automatically check if the string is already slashed?

BTW that doesn't really answer the question of why it doesn't always work.

<edit>Actually whilst magic_quotes_gpc is deprecated get_magic_quotes_gpc is not</edit>

Edited by carbonize
Posted

I switched to the mysql_real_escape_string method and it seems to have fixed things. Doesn't answer the question as to why the server has started to say get_magic_quotes_gpc is true and yet not be adding slashes to the submitted data.
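The approach the replies recommend, written out as an added example that is not code from this thread or from Advanced Guestbook: undo any slashes magic_quotes_gpc added so a value is never escaped twice (which also answers the "already slashed?" question: escaping functions do not check for that), then insert through a MySQLi prepared statement so an apostrophe in the comment cannot terminate the string literal. The table and column names and the connection details are assumptions.

```php
<?php
// Added example, not the thread's own code. Normalise the raw POST values once,
// whatever magic_quotes_gpc is set to, then let MySQLi prepared statements quote.

function gpcValue(array $source, string $key): string
{
    $value = isset($source[$key]) ? (string)$source[$key] : '';
    // If the server already applied magic quotes (PHP 5.x; the function no longer
    // exists in PHP 8), strip them so the value is never slashed twice.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

function saveGuestbookEntry(mysqli $db, array $post): bool
{
    $name    = gpcValue($post, 'name');
    $email   = gpcValue($post, 'email');
    $comment = gpcValue($post, 'comment');

    // Bound values travel separately from the SQL text, so a ' in $comment can
    // never break out of the literal; the connection charset is honoured as well.
    // Table and column names are assumptions for this example.
    $stmt = $db->prepare(
        'INSERT INTO guestbook (name, email, comment) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sss', $name, $email, $comment);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed sample input containing the apostrophe that broke the original query.
$sample = ['name' => "O'Brien", 'email' => 'ob@example.com', 'comment' => "It's a test"];

// Connection details are placeholders; set the charset before preparing anything.
$db = new mysqli('localhost', 'db_user', 'db_password', 'guestbook_db');
if ($db->connect_error) {
    exit('connect failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4');
var_dump(saveGuestbookEntry($db, $sample));
```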
