Hi all: I have been programming in PHP for quite some time. I can understand the confusion about magic_quotes; the situation is a tricky one.

From the manual:

magic_quotes_gpc boolean
Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NULs are escaped with a backslash automatically. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.

magic_quotes_runtime boolean
If magic_quotes_runtime is enabled, most functions that return data from any sort of external source including databases and text files will have quotes escaped with a backslash. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.

So this statement:

"Isn't the "magic_quotes_gpc" only for GET/POST/COOKIES. For SQL statements to dbs I think you need to initialize magic_quotes_runtime for the addslashes() default."

is partially incorrect. If you are INSERTing or UPDATEing to a database from a GET or POST operation and magic_quotes_gpc is on, then the data is already safe to put in the db. However, if you are SELECTing from a database, the data retrieved may not be safe unless magic_quotes_runtime is on (or you do an addslashes() on it).

magic_quotes_runtime is easy to turn on/off - just use set_magic_quotes_runtime(0 for off, 1 for on). magic_quotes_gpc is a different story, however.

"GPC means GET/POST/COOKIE which is actually EGPCS these days (Environment, GET, POST, Cookie, Server). This cannot be turned off in your script because it operates on the data before your script is called. You can check if it is on using that function and treat the data accordingly."
--Rasmus Lerdorf, from the php-general mailing list

If you are unsure of how your service provider has PHP set up, you can check the output of get_magic_quotes_gpc(). Something like this at the top of each script should be sufficient:

    <?php
    if (!get_magic_quotes_gpc()) {
        // magic_quotes_gpc is off, so escape GET/POST/COOKIE data ourselves
        for (reset($HTTP_GET_VARS); list($k, $v) = each($HTTP_GET_VARS); )
            $$k = addslashes($v);
        for (reset($HTTP_POST_VARS); list($k, $v) = each($HTTP_POST_VARS); )
            $$k = addslashes($v);
        for (reset($HTTP_COOKIE_VARS); list($k, $v) = each($HTTP_COOKIE_VARS); )
            $$k = addslashes($v);
    }
    ?>

This will make sure all GPC data in your script is safe.

If your service provider allows you to have customized .htaccess file(s), placing this line

    php_value magic_quotes_gpc 1

in the file will ensure magic_quotes_gpc is turned on (or off).

Working with PHP in error_reporting(E_ALL) mode can also help warn you about variables being used before they are checked or initialized (so you can prevent unusual data from being operated upon).

    <?php error_reporting(E_ALL); ?>

This line at the top of your script(s) will do the trick. It would be advisable to remove it before you put the script(s) on a production server, however.

Ben Gollmer

On Saturday, June 2, 2001, at 06:37 AM, Gunther Birznieks wrote:

> The problem with magic_quotes_gpc is that it is a global variable in
> PHP. Many sysadmins turn it off because they may be using a program
> that requires them not to be escaped. At least I understand this from a
> talk on advanced PHP techniques someone gave at ApacheCon a few months
> ago.
>
> Unfortunately, I don't think magic_quotes_runtime is on by default if
> it does what you say. The manual says it affects DB routines that
> return data which implies it affects data returned, it doesn't mention
> anything about the DB routines that only accept input parameters and
> never return anything.
>
> Maybe someone with more PHP experience and a handy PHP engine could
> verify this.
>
> Many of the books that I have seen on PHP *assume* when they teach
> programmers that magic_quotes_gpc is ON in their security model
> because this is how PHP is set up by default.
>
> Unfortunately, this is not the truth and I can only imagine that there
> must be many PHP scripts out there that also follow this assumption --
> because the people who write the code are probably reading these books
> and learning to code that way.
> __________________________
> Gunther Birznieks (gunther.birznieksat_private)
> eXtropia - The Open Web Technology Company
> http://www.eXtropia.com/
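The thread's underlying problem is that a script cannot know, when written, whether magic_quotes_gpc will be on at the host it ends up on, so it either escapes twice (stored values gain literal backslashes) or not at all (unescaped quotes reach the SQL string). The following is an added example, not code from the thread or from PHP's manual, showing one way to make the script independent of that setting: undo magic_quotes_gpc if it is on so the script always sees the raw value, and escape exactly once at the database boundary by binding parameters. It assumes PHP 5.x to 7.x (get_magic_quotes_gpc() was removed in PHP 8.0), a PDO connection in $pdo, and a hypothetical table `users` with a column `name`.

```php
<?php
// Added example (not from the thread). Assumptions: PHP 5.x-7.x where
// get_magic_quotes_gpc() still exists, a PDO handle $pdo, and a
// hypothetical table `users` (name VARCHAR).

// Return the value exactly as the client sent it. If magic_quotes_gpc has
// already inserted backslashes, strip them; otherwise pass it through.
// Either way the caller gets the same raw string.
function raw_request_value(array $source, $key, $default = '')
{
    if (!array_key_exists($key, $source)) {
        return $default;
    }
    $value  = $source[$key];
    $gpc_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $gpc_on ? stripslashes($value) : $value;
}

// Escape once, at the point of use. With a bound parameter the database
// driver handles quoting, so addslashes() is never applied to this value
// and there is no double-escaping no matter what php.ini says.
function insert_user(PDO $pdo, $name)
{
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    return $stmt->execute();
}

// Illustrates the double-escaping symptom a script gets when it calls
// addslashes() on data that magic_quotes_gpc already escaped.
function show_double_escaping($input)
{
    return array(
        'raw'   => $input,                          // O'Reilly
        'once'  => addslashes($input),              // O\'Reilly
        'twice' => addslashes(addslashes($input)),  // O\\\'Reilly
    );
}

// Usage: normalise the request value first, then hand it to the query.
$name = raw_request_value($_POST, 'name');
// insert_user($pdo, $name);   // requires a live PDO connection

var_dump(show_double_escaping("O'Reilly"));
```

The point of raw_request_value() is that every later use of the value (a query, an HTML page, a log line) starts from the same unescaped string regardless of the host's magic_quotes_gpc setting, so the script neither relies on the default Gunther describes nor breaks when a sysadmin turns it off.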
This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 18:52:04 PDT