Since magic_quotes_gpc is deprecated should I turn it off? I didn't even know that it was on and when I read my php.ini file it was not even listed, so I figured I was not using it. When I checked my phpinfo I saw that it was on by default.
Last edited by james438; 03-12-2010 at 06:42 AM.
To choose the lesser of two evils is still to choose evil. My personal site
Good to know. magic_quotes_gpc has been turned off and I added the following code to my submit pages:
PHP Code:
    // Escape every POST value in place (needs an open mysql connection)
    foreach ($_POST as &$value)
    {
        $value = mysql_real_escape_string($value);
    }
    unset($value); // drop the reference left behind by foreach
I am not too terribly worried as I already had cookie, session, and htaccess security measures in place.
Your values only really need to be escaped when you're sending them to your database or plan on using them as executable code (like text files / HTML, which could include JavaScript, etc.).
If you blindly escape everything, you're basically turning magic quotes back on. That's actually one of the problems with magic quotes: everything was escaped no matter what, so you end up with extra \s everywhere.
On top of it, say you got some input from the user:
Code:
    hello guy's!
Yes, the guy needs to learn how to use apostrophes, but it's good for my example.
Magic quotes sanitizes it:
Code:
    hello guy\'s!
But you've got server-side validation before you submit it to your database. So, say you make sure there's no HTML <tags>, then you submit it to your database. But wait, magic quotes again:
Code:
    hello guy\\'s!
Well, kinda defeats the point, huh?
It's better to sanitize things once, intentionally, right when you need to.
It's the simple answer to a complex problem and thus the source of more problems than solutions.
Turn it off and everything will be easier.
Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
Yep, I also see that my earlier "quick fix"
PHP Code:
    foreach ($_POST as &$value)
    {
        $value = mysql_real_escape_string($value);
    }
    unset($value);
is somewhat problematic, so I am escaping my variables one at a time just before inserting them into my database as opposed to at the beginning of my submit page. I also need to update my PCRE. This means I have a couple of hours of file editing as opposed to the few minutes my quick fix took earlier.
I'd say the biggest reason I turned it off was because it is deprecated and I never know when my web host will update PHP to the latest version.
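The double-escaping that Daniel's post sketches, and the escape-once-right-before-the-INSERT approach james438 moved to, as one added example; it is not code from either post. It assumes PHP 5.4 or later (magic quotes are gone there, so addslashes() stands in for what magic_quotes_gpc did to $_POST), a MySQL database reached through PDO or mysqli (the old mysql extension and mysql_real_escape_string no longer exist, so the mysqli equivalent is used), and a constructed request rather than a real one. The function names, the comments table and the DB_DSN/DB_USER/DB_PASS environment variables are all assumptions made for the example.

```php
<?php
// Added example, not code from the thread. It shows why escaping the same
// value twice corrupts what ends up in the database, and how to escape (or
// bind) exactly once, at the database boundary.
// Assumptions: PHP 5.4 or later, where magic quotes are gone, so addslashes()
// stands in for what magic_quotes_gpc did to $_POST; PDO/mysqli for the
// database; the request data below is constructed, not a real request.

// What magic_quotes_gpc applied to every GET/POST/COOKIE value.
function simulate_magic_quotes($value)
{
    return addslashes($value);              // hello guy's!  ->  hello guy\'s!
}

// Undo magic quotes once, at the very top of the request, and only when they
// are actually on. $on === null means "ask PHP"; get_magic_quotes_gpc() was
// removed in PHP 8, hence the function_exists() guard.
function undo_magic_quotes(array $input, $on = null)
{
    if ($on === null) {
        $on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    return $on ? array_map('stripslashes', $input) : $input;
}

// The thread's "quick fix" applied on top of magic quotes: a second escaping
// pass over already-escaped input. addslashes() again plays the role of
// mysql_real_escape_string(); for quotes and backslashes they behave the same.
function double_escaped($raw)
{
    $after_magic_quotes = simulate_magic_quotes($raw);   // hello guy\'s!
    return addslashes($after_magic_quotes);              // hello guy\\\'s!
}

// What MySQL stores after parsing a doubly escaped literal: one level of
// escaping is consumed by the SQL parser, the other level lands in the table.
function stored_by_mysql($sql_literal)
{
    return stripslashes($sql_literal);                   // hello guy\'s!
}

// Correct: bind the value and let the driver handle quoting, exactly once.
function insert_comment(PDO $db, $comment)
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute(array(':body' => $comment));
    return (int) $db->lastInsertId();
}

// Acceptable for legacy string-built queries: escape once, with the
// connection-aware function, immediately before the query and nowhere else.
function insert_comment_escaped(mysqli $db, $comment)
{
    $safe = mysqli_real_escape_string($db, $comment);
    $db->query("INSERT INTO comments (body) VALUES ('$safe')");
    return (int) $db->insert_id;
}

// --- Demonstration (no database needed for this part) -----------------------
$raw = "hello guy's!";
printf("raw input:          %s\n", $raw);
printf("after magic quotes: %s\n", simulate_magic_quotes($raw));
printf("escaped twice:      %s\n", double_escaped($raw));
printf("stored by MySQL:    %s\n", stored_by_mysql(double_escaped($raw)));
// The stored value keeps a stray backslash: hello guy\'s!

// Correct pipeline on a constructed request from a host with magic quotes on:
$_POST = array('comment' => simulate_magic_quotes($raw));
$input = undo_magic_quotes($_POST, true);   // normalise once, at entry
printf("normalised input:   %s\n", $input['comment']);   // hello guy's!

// Validation (here: rejecting HTML tags) now sees the real text...
if ($input['comment'] !== strip_tags($input['comment'])) {
    die("HTML is not allowed\n");
}

// ...and the only escaping happens inside insert_comment(), at the boundary.
if (getenv('DB_DSN')) {
    $db = new PDO(getenv('DB_DSN'), getenv('DB_USER'), getenv('DB_PASS'));
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    printf("inserted row %d\n", insert_comment($db, $input['comment']));
}
```

Run it from the command line to see the four strings; the database part only runs when DB_DSN is set. The point of the layout is that there are exactly two places that touch quoting: one normalisation step at the top of the request (a no-op on any PHP where magic quotes are off) and one bind or escape call at the query. Everything in between, including the tag check, works on the user's actual text.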
It's deprecated, but AFAIK it's still "available," so don't worry about that too much. (You should still turn it off and do things right.)