Page 2 of 2
Results 11 to 15 of 15
  1. #11
    Join Date
    Apr 2004
    Location
    Nr London, UK
    Posts
    831
    Just to be more clear on what I meant:

    check out: http://uk.php.net/manual/en/function...quotes-gpc.php

    At the bottom there are things which may help you, by checking get_magic_quotes_gpc() and then, depending on what that returns, running your code.

  2. #12
    Join Date
    Jun 2008
    Posts
    9
    magic_quotes_gpc is on. I tried turning it off in my php.ini file and that didn't go so well. Fortunately I was able to get everything back hours later. So I have been able to somewhat solve this problem. The odd part is that it is working perfectly in text areas and not in text fields. I have just purchased a php book and hope to make more sense out of all of this soon.

    Thank you again for all your help MartinCo!

  3. #13
    Join Date
    Apr 2004
    Location
    Nr London, UK
    Posts
    831
    magic quotes is deprecated and removed in PHP 6 - so it IS important you understand its usage and how to sanitize all your input (gpc = GET POST COOKIE) variables.

    also disable register_globals if it's on - it does default to off from PHP 4.2.0, but again will be removed in PHP 6

    Code:
    if (!get_magic_quotes_gpc()) {
      //run some nice code here to strip it all out
    }

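    One way to put the two points above into practice, as an added example that is not code from the thread: undo magic_quotes_gpc once, at the start of the request, on all three gpc superglobals (recursively, so nested form arrays are covered), and refuse to run with register_globals enabled. The function_exists() guard is an addition for newer PHP releases, where get_magic_quotes_gpc() no longer exists; the ini directive names are real, everything else is the example's own.

```php
<?php
// Added example (not from the thread). Normalise raw input once at the top of
// the request so escaping can be applied exactly once, at the database boundary.

function stripMagicQuotesRecursive($value)
{
    if (is_array($value)) {
        // array_map with a single array keeps string keys, so nested form
        // arrays such as $_POST['user']['name'] come back intact.
        return array_map('stripMagicQuotesRecursive', $value);
    }
    return stripslashes($value);
}

function normaliseGpcInput()
{
    // get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in 8.0;
    // guarding the call keeps this bootstrap working after an upgrade.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET     = stripMagicQuotesRecursive($_GET);
        $_POST    = stripMagicQuotesRecursive($_POST);
        $_COOKIE  = stripMagicQuotesRecursive($_COOKIE);
        $_REQUEST = stripMagicQuotesRecursive($_REQUEST);
    }
}

function assertSafeRuntimeConfig()
{
    // register_globals lets a request populate arbitrary PHP variables.
    // ini_get() returns "" when it is off and false once the directive is
    // gone from the interpreter, so a plain truth test covers both cases.
    if (ini_get('register_globals')) {
        trigger_error('register_globals is enabled; disable it in php.ini', E_USER_ERROR);
    }
}

assertSafeRuntimeConfig();
normaliseGpcInput();
```

    Include this file before any other code touches $_GET, $_POST or $_COOKIE; from that point on, every value is the literal text the client sent, whatever the php.ini setting is.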
  4. #14
    Join Date
    Mar 2006
    Location
    South Australia
    Posts
    4,521
    Here is something I coded yesterday but haven't had a chance to test yet:

    Code:
    /**
     * Makes a value/array of values safe for passing to mysql.
     */
    function sanitiseInput($input)
    {
            if (is_array($input))
            {
                    $size = count($input);
                    for ($i=0;$i< $size; $i++)
                    {
                            if (get_magic_quotes_gpc() == 1)
                            {
                                    $input[$i] = stripslashes($input[$i]);
                            }
    
                            $input[$i] = mysql_real_escape_string($input[$i]);
                    }
            }
            else 
            {
                    if (get_magic_quotes_gpc() == 1)
                    {
                            $input = stripslashes($input);
                    }
    
                    $input = mysql_real_escape_string($input);
            }
    
            return $input;
    }
    Untested, but gives you an idea.

    EDIT: ERRATA

    As the kind folks in IRC have pointed out:

    a) array_map could be used instead of the for loop
    b) mysql_real_escape_string relies on having an active database connection for it to work
    c) I need to brush up on some of the finer details of PHP again
    d) This function should never be called. Ever.
    Last edited by mr_charisma; 10-12-2008 at 04:33 AM.

  5. #15
    Join Date
    Dec 2008
    Posts
    2
    There is another attack out there that mysql_real_escape_string or addslashes will fail to prevent, and that is the like attack. If you're familiar with searching a MySQL database, you should know how to use LIKE % in your query.

    To prevent it, use addcslashes to strip out the % and underscore signs. Underscores sometimes are a part of a post or content, but the LIKE attack is becoming more popular.
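    An added example, not code from the thread, covering both the escaping question from #14 (including the erratum that escaping needs an open connection) and the LIKE wildcard point from #15. It assumes a live mysqli connection and a hypothetical `posts` table with `id` and `title` columns. Where the post above suggests addcslashes, this version uses an explicit ESCAPE character instead, so the result does not depend on whether the server's sql_mode treats backslash as an escape.

```php
<?php
// Added example (not from the thread). Assumes a mysqli connection $db and a
// hypothetical `posts` table with `id` and `title` columns.

// "%" and "_" are wildcards inside a LIKE pattern. Quoting, whether done by
// mysql_real_escape_string or by a bound parameter, does not neutralise them,
// so a search term of "%" would otherwise match every row.
function escapeLikePattern($term, $escape = '|')
{
    // The escape character itself is doubled first; otherwise a user-supplied
    // "|" could cancel the escape we add in front of a following "%".
    return str_replace(
        array($escape, '%', '_'),
        array($escape . $escape, $escape . '%', $escape . '_'),
        $term
    );
}

// Substring search in which $term is matched literally. The pattern travels as
// a bound parameter, so the driver handles quoting and nothing is concatenated
// into the SQL text; escapeLikePattern() only deals with the wildcards.
function searchTitles(mysqli $db, $term)
{
    $pattern = '%' . escapeLikePattern($term) . '%';
    $stmt = $db->prepare("SELECT id, title FROM posts WHERE title LIKE ? ESCAPE '|'");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    // bind_result() works without mysqlnd, unlike get_result().
    $stmt->bind_result($id, $title);

    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array('id' => $id, 'title' => $title);
    }
    $stmt->close();
    return $rows;
}

// For legacy code that still builds SQL as a string: escape through the
// connection object, so the server's character set is used. This is exactly
// why the errata in #14 note that mysql_real_escape_string needs a connection.
function quoteForSql(mysqli $db, $value)
{
    return "'" . $db->real_escape_string($value) . "'";
}
```

    With bound parameters the escaping of quotes disappears from application code entirely; the only input handling left is the LIKE-specific one, which no quoting function performs for you.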
