Thread: should I turn off magic_quotes_gpc?

  1. #1
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,729
    Thanks
    82
    Thanked 90 Times in 88 Posts

    Default should I turn off magic_quotes_gpc?

    Since magic_quotes_gpc is deprecated, should I turn it off? I didn't even know that it was on, and when I read my php.ini file it was not even listed, so I figured I was not using it. When I checked my phpinfo I saw that it was on by default.
    Last edited by james438; 03-12-2010 at 05:42 AM.
    To choose the lesser of two evils is still to choose evil. My personal site

  2. #2
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 517 Times in 503 Posts
    Blog Entries
    5

  3. #3
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,729
    Thanks
    82
    Thanked 90 Times in 88 Posts

    Default

    Good to know. magic_quotes_gpc has been turned off and I added the following code to my submit pages:
    PHP Code:
    // Escape every POST value in place (iterating by reference), then drop the
    // reference so $value no longer aliases the last element.
    // Note: mysql_real_escape_string() needs an open mysql connection, and this
    // loop does not descend into nested arrays such as $_POST['items'][].
    foreach ($_POST as &$value)
    {
        $value = mysql_real_escape_string($value);
    }
    unset($value);
    I am not too terribly worried as I already had cookie, session, and htaccess security measures in place.
    To choose the lesser of two evils is still to choose evil. My personal site

  4. #4
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 517 Times in 503 Posts
    Blog Entries
    5

    Default

    Your values only really need to be escaped when you're sending them to your database or plan on using them as executable code (like text files / html, which could include javascript, etc.).

    If you blindly escape everything, you're basically turning magic quotes back on. That's actually one of the problems with magic quotes: everything was escaped no matter what, so you end up with extra /s everywhere.

    On top of it, say you got some input from the user:
    Code:
    hello guy's!
    yes, the guy needs to learn how to use apostrophes, but it's good for my example.
    magic quotes sanitizes it:
    Code:
    hello guy/'s!
    but you've got server-side validation before you submit it to your database. So, say you make sure there's no html <tags>, then you submit it to your database. But wait, magic quotes again:
    Code:
    hello guy//'s!
    well, kinda defeats the point, huh?

    It's better to sanitize things once, intentionally, right when you need to.

  5. #5
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    It's the simple answer to a complex problem and thus the source of more problems than solutions.
    Turn it off and everything will be easier.
    Daniel - Freelance Web Design | <?php?> | <html> | español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  6. #6
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,729
    Thanks
    82
    Thanked 90 Times in 88 Posts

    Default

    yep, I also see that my earlier "quick fix"
    PHP Code:
    // Same loop as in post #3: escape every POST value up front
    foreach ($_POST as &$value)
    {
        $value = mysql_real_escape_string($value);
    }
    unset($value);
    is somewhat problematic, so I am escaping my variables one at a time just before inserting them into my database as opposed to at the beginning of my submit page. I also need to update my PCRE. This means I have a couple hours of file editing as opposed to the few minutes my quick fix took earlier.

    I'd say the biggest reason I turned it off was because it is deprecated and I never know when my web host will update PHP to the latest version.
    To choose the lesser of two evils is still to choose evil. My personal site
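    The following is an added example, not code posted by anyone in this thread. It shows in running PHP what posts #3, #4 and #6 describe: what magic_quotes_gpc did to a value like "hello guy's!", why a "sanitise everything up front" loop on top of it leaves doubled escapes in the database, how to check for and undo magic quotes once at the top of a request, and what "escape once, right where the value enters SQL" looks like. magic_quotes_gpc applied addslashes() to every GET/POST/COOKIE value, so addslashes() is used here in place of mysql_real_escape_string() (which needs a live connection); the input string, the function names stripMagicQuotes() and quoteForSql(), and the comments table are all constructed for this example.

```php
<?php
// Added example (not from the thread). addslashes() stands in for
// mysql_real_escape_string(): both put a backslash before an apostrophe,
// and no database connection is needed to show the problem.

// Constructed sample input, exactly as the user typed it.
$raw = "hello guy's!";

// What the script actually received with magic_quotes_gpc = On.
$afterMagicQuotes = addslashes($raw);            // hello guy\'s!

// The "escape all of $_POST first" loop from post #3, run on top of
// magic quotes: the apostrophe is now escaped twice.
$doubleEscaped = addslashes($afterMagicQuotes);  // hello guy\\\'s!

// The database removes one level of escaping on INSERT, so the stored
// row still contains a stray backslash: the "extra slashes" symptom.
$stored = stripslashes($doubleEscaped);          // hello guy\'s!

// Check for magic quotes and undo them once, before any other code runs,
// so the rest of the page always sees the raw input. get_magic_quotes_gpc()
// exists in PHP 4.0 through 7.3 (it always returns false from 5.4 on), so
// guard the call for newer versions where it has been removed.
function stripMagicQuotes(array $input): array
{
    foreach ($input as $key => $value) {
        $input[$key] = is_array($value) ? stripMagicQuotes($value) : stripslashes($value);
    }
    return $input;
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = stripMagicQuotes($_GET);
    $_POST   = stripMagicQuotes($_POST);
    $_COOKIE = stripMagicQuotes($_COOKIE);
}

// Escape once, at the point where the value enters SQL, and nowhere else.
// With a real connection this is where mysqli_real_escape_string($link, $v)
// belongs; the placement is the point, not the particular function.
function quoteForSql(string $value): string
{
    return "'" . addslashes($value) . "'";
}

// Constructed table/column names; the value is escaped exactly one time.
$sql = "INSERT INTO comments (body) VALUES (" . quoteForSql($raw) . ")";

printf("raw:            %s\n", $raw);
printf("magic quotes:   %s\n", $afterMagicQuotes);
printf("double escaped: %s\n", $doubleEscaped);
printf("stored:         %s\n", $stored);
printf("sql:            %s\n", $sql);
```

Run it with `php example.php`: the "stored" line shows the backslash that survives when input is escaped twice, while the "sql" line shows the value escaped exactly once at the boundary. With magic quotes already off (the recommendation in this thread) the stripMagicQuotes() branch never runs, and the only escaping left is the one in quoteForSql().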

  7. #7
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 517 Times in 503 Posts
    Blog Entries
    5

    Default

    It's deprecated, but AFAIK it's still "available," so don't worry about that too much. (You should still turn it off and do things right.)
