User Submitted Data
most of the user contributed code related to stripping magic quotes posted could open vulnerabilities in your scripts as mentioned with a better sollution at:
http://talks.php.net/show/php-best-practices/26
it supprises me that this link has not been previously referenced.
Magic Quotes
Table of Contents
Warning
This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.
Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.
add a note
User Contributed NotesMagic Quotes
php at danielknell dot co dot uk
29-Oct-2007 08:03
29-Oct-2007 08:03
Shaun
22-Oct-2007 04:49
22-Oct-2007 04:49
In my tests with $_FILE, I found that file uploading didn't work when it was included in the function (Confirmed on Windows, not Apache.)
The problem caused is: It removes the trailing / from what I have the tmp directory defined as.
So: When PHP tries to move a tmp file using move_uploaded_file, it's trying to move tmpxxxx.tmp
Whereas it should be trying to move: tmp/xxxx.tmp
In conclusion:
I found it easiest just to leave the $_FILES array alone.
$_FILES works differently than $_POST anyway. It outputs an error if the file is invalid, so I'm not sure how someone could inject bad code into the field.
If anyone else can check this problem on a Linux/Unix server, that would be great.
judas dot iscariote at gmail dot com
08-Mar-2006 01:33
08-Mar-2006 01:33
Just for the record. this feature has been removed as of PHP6.
now PHP works always like if magic_quotes_gpc Off.
get_magic_quotes_gpc, get_magic_quotes_runtime are kept but always return false, set_magic_quotes_runtime raises an E_CORE_ERROR.
this is great news, magic_quotes were a big annoyance.
27-Feb-2006 05:11
Using the .htaccess file may not always be possible for instance if you are running php on a windows IIS server.
Also the code by jfrim at idirect dot com doesn't actually fix the problem as it is stripping slashes, what you need to do is addslashes to things coming in.
the code by jfrim at idirect dot com is the right idea though although rather than saying stripslashes, you simply need to say addslashes and it should work.
edward at example dot com
07-Feb-2006 06:55
07-Feb-2006 06:55
All the code listed on this page is not necessary if you use the php_flag directive in a .htaccess file. This allows you to disable magic quotes completely, without the need to adjust your php.ini file or (re)process the user's input.
Just take a look at http://www.php.net/manual/en/security.magicquotes.php#55935
Gist of his note: in the .htaccess file, add a line
php_flag magic_quotes_gpc off
That's it. Thank you very much, richard dot spindler :) !
06-Dec-2005 08:09
You should try to avoid magic_quotes in all its flavors, use add_slashes() and strip_slashes() instead with user input and you will save time and avoid common problems that come along.
You should know also that if your server has php suexec enabled you won't be able use php_flag in .htaccess file to change php values like magic_quotes or register_globals. In this case you might wanna try creating a php.ini file on the same directory as your script and add something like this:
magic_quotes_runtime=off
magic_quotes_gpc=off
magic_quotes_sybase=off
register_globals=on ; only as an example
----
Mel
http://www.webhostingjournal.net/
richard dot spindler at gmail dot com
18-Aug-2005 03:59
18-Aug-2005 03:59
to turn of magic quotes put the following line into the .htaccess file:
php_flag magic_quotes_gpc off
16-Jul-2005 09:44
Bright minds will have noticed, that one uses stripslashes() once on the input and saves that content for further processing. Then use addslashes() once before sending the content to the database or flat file.
Hint: if the application is using a MySql database, don't use addslashes() but mysql_real_escape_string().
nitrous at fuckoff dot com
26-Jan-2005 01:01
26-Jan-2005 01:01
This "feature" is the cause of so many escaping problems. It's very important to understand the implications of what magic quotes really do.
Nearly every call, except those being written directly to the database, using user submitted data will require a call to strip_slashes. It gets very ugly very fast.
What should be done is proper escaping of shell parameters and database parameters. PHP provides several escaping functions intended for this purpose. Slashes alone don't cut it anyway.