
Thread: should I turn off magic_quotes_gpc?

  1. #1
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,681
    Thanks
    78
    Thanked 89 Times in 87 Posts

    should I turn off magic_quotes_gpc?

    Since magic_quotes_gpc is deprecated should I turn it off? I didn't even know that it was on and when I read my php.ini file it was not even listed, so I figured I was not using it. When I checked my phpinfo I saw that it was on by default.
    Last edited by james438; 03-12-2010 at 05:42 AM.
    To choose the lesser of two evils is still to choose evil. My personal site

  2. #2
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,621
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5


    short answer: yes.

    long answer: start reading.
    We Only Torture the Folks We Don't Like (You're Probably Gonna Be Okay)
    It's a Party in the CIA

  3. #3
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,681
    Thanks
    78
    Thanked 89 Times in 87 Posts


    Good to know. magic_quotes_gpc has been turned off and I added the following code to my submit pages:
    PHP Code:
    // escape every POST field in place (iterating by reference)
    foreach ($_POST as &$value) {
        $value = mysql_real_escape_string($value);
    }
    unset($value); // drop the reference left behind by foreach-by-reference
    I am not too terribly worried as I already had cookie, session, and htaccess security measures in place.

  4. #4
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,621
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5


    your values only really need to be escaped when you're sending them to your database or plan on using them as executable code (like text files / html, which could include javascript, etc.).

    If you blindly escape everything, you're basically turning magic quotes back on. That's actually one of the problems with magic quotes: everything was escaped no matter what, so you end up with extra /s everywhere.

    On top of it, say you got some input from the user:
    Code:
    hello guy's!
    yes, the guy needs to learn how to use apostrophes, but it's good for my example.
    magic quotes sanitizes it:
    Code:
    hello guy/'s!
    but you've got server-side validation before you submit it to your database. So, say you make sure there's no html <tags>, then you submit it to your database. But wait, magic quotes again:
    Code:
    hello guy//'s!
    well, kinda defeats the point, huh?

    It's better to sanitize things once, intentionally, right when you need to.
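    The double-escaping chain from the post above, written out as an added example (not code from the thread or from any poster). magic_quotes_gpc is simulated with addslashes(), which is the transformation the setting applied to GET/POST/COOKIE data; the input string is constructed, and the helper names are this example's own.

```php
<?php
// Added example, not code from the thread. Reproduces the double-escaping chain:
// magic_quotes_gpc escapes everything, then a well-meant second escape before the
// query escapes the escapes. The input is constructed; magic quotes is simulated
// with addslashes(), which is what the setting did to request data.

// What a request looks like after magic_quotes_gpc has touched it.
function simulateMagicQuotes(array $input): array
{
    return array_map('addslashes', $input);
}

// Undo exactly one layer of magic quotes so later code works on the user's real text.
function normaliseGpc(array $input, bool $magicQuotesOn): array
{
    return $magicQuotesOn ? array_map('stripslashes', $input) : $input;
}

// In production the flag comes from here: get_magic_quotes_gpc() exists up to
// PHP 7.4 (and has always returned false since 5.4) and is gone in PHP 8.
function magicQuotesActive(): bool
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

$raw = ['comment' => "hello guy's!"]; // constructed user input

// 1. magic quotes on: the script never sees the raw text.
$post = simulateMagicQuotes($raw);

// 2. escaping "once more, to be safe" right before the query compounds the backslashes.
$doubled = addslashes($post['comment']);

// 3. strip the magic-quotes layer first, then escape exactly once at the point of use.
$clean = normaliseGpc($post, true);
$once  = addslashes($clean['comment']);

printf("as received:    %s\n", $post['comment']);
printf("double-escaped: %s\n", $doubled);
printf("escaped once:   %s\n", $once);
printf("round trip ok:  %s\n", stripslashes($once) === $raw['comment'] ? 'yes' : 'no');
```

    Run it with `php double_escape.php`: the double-escaped line carries three backslashes before the apostrophe, the escaped-once line carries one, and only the latter round-trips back to what the user typed. Step 3 is the fix the thread settles on: decide once, at the place the value is used, what escaping it needs.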

  5. #5
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,154
    Thanks
    260
    Thanked 690 Times in 678 Posts


    It's the simple answer to a complex problem and thus the source of more problems than solutions.
    Turn it off and everything will be easier.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  6. #6
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,681
    Thanks
    78
    Thanked 89 Times in 87 Posts


    yep, I also see that my earlier "quick fix"
    PHP Code:
    // escape every POST field in place (iterating by reference)
    foreach ($_POST as &$value) {
        $value = mysql_real_escape_string($value);
    }
    unset($value); // drop the reference left behind by foreach-by-reference
    is somewhat problematic, so I am escaping my variables one at a time just before inserting them into my database as opposed to at the beginning of my submit page. I also need to update my PCRE as well. This means I have a couple hours of file editing as opposed to the few minutes my quick fix took earlier.

    I'd say the biggest reason I turned it off was because it is deprecated and I never know when my web host will update PHP to the latest version.
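    The "escape one variable at a time, right before the insert" approach the poster switches to, as an added example that is not the poster's code. It uses a PDO prepared statement in place of a per-variable mysql_real_escape_string() call (mysql_* needs a live MySQL link and was removed in PHP 7), and assumes the pdo_sqlite extension so it runs offline against an in-memory database; the table, function names and sample values are constructed for the example.

```php
<?php
// Added example, not code from the thread. Each value is escaped exactly once, by
// the driver, at the point where it enters the query. Nothing upstream (no foreach
// over $_POST, no magic quotes layer) touches the text first.
// Assumes pdo_sqlite; with MySQL only the DSN in openDb() changes.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');
    return $db;
}

// Bind each value individually where it is used; the driver handles quoting.
function insertComment(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function fetchComment(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output-side escaping is a separate, context-specific step: HTML gets its own
// encoding at render time, never at insert time.
function renderComment(array $row): string
{
    return sprintf(
        '<p><b>%s</b> wrote: %s</p>',
        htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8')
    );
}

// Constructed input standing in for $_POST: the apostrophe from the thread plus
// a value that would break a naively concatenated query.
$post = ['author' => "O'Brien", 'body' => "hello guy's!"];

$db  = openDb();
$id  = insertComment($db, $post['author'], $post['body']);
$row = fetchComment($db, $id);

// The stored text is byte-for-byte what the user typed: no stray backslashes,
// because escaping happened once, inside the driver, for the SQL context only.
var_dump($row['body'] === $post['body']);
echo renderComment($row), "\n";
```

    The split is the point: the database layer quotes for SQL when the value goes into the query, and the template layer encodes for HTML when the value goes onto the page. Neither step needs to know about the other, which is exactly what a blanket escape at the top of the script makes impossible.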

  7. #7
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,621
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5


    It's deprecated, but AFAIK it's still "available," so don't worry about that too much. (You should still turn it off and do things right.)
