Forum Moderators: coopster


Help needed with Magic Quotes

when should field be stripped?

         

Tourex

9:02 am on Aug 25, 2005 (gmt 0)

10+ Year Member



Sorry, I know this is really basic, but I confess as a newbie to PHP it's beating me.

magic_quotes_gpc is enabled on my server.

I'm having a real problem figuring out when I need to addslashes or stripslashes. Do I do it when 'receiving' the form? Or do I do it when inserting the data into the database (mySQL)? Or do I do both?

What about magic_quotes_runtime? I gather this applies the magic quotes to 'external files and databases'. So what is an 'external' file or database? My MySQL database is on the same server. For a consistent/easier approach, would it be better to have runtime enabled?

I can get to grips with most things pretty easy, but this one has just left me totally confused. Hopefully somebody can take the trouble to explain in very simple language, or point me to a really good and simple article on the subject.

Thanks.

dreamcatcher

10:18 am on Aug 25, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi Tourex,

If magic quotes are ON, slashes are automatically added to GET, POST or COOKIE data. If they are OFF, then you need to add slashes if posting to a database. To test you can use something like this:

// Add slashes only when magic_quotes_gpc has not already added them
if (!get_magic_quotes_gpc())
{
    $data = addslashes($data);
}

Likewise with stripslashes, use it if the magic quotes are on. If they are off, slashes won't be escaped, so you don't need it.

If you are adding information to a database, some problematic quotes need to be escaped or else the query will fail. You can use addslashes or one of the SQL commands, i.e. mysql_escape_string or mysql_real_escape_string.

magic_quotes_runtime refers to data going to or from a database. You can set this to off if you want by using the following:

set_magic_quotes_runtime(0);

You place this at the top of your script. If you switch it off you must use syntax to strip the slashes. Script developers switch this off when coding so that their code works either way. Keeps things simple.

For more information see the following:

[docs.php.net...]

dc
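
An added example, not part of the original thread or any poster's code: it shows the "receiving the form or inserting into the database, or both?" question as one rule, undo magic quotes once at input and escape once at the query, and what gets stored when that is skipped. Assumptions: `magic_quotes_enabled()` and `undo_magic_quotes()` are hypothetical helpers, the form data is constructed, and PDO bound parameters against an in-memory SQLite database stand in for the MySQL and addslashes calls discussed above so the script runs stand-alone.

```php
<?php
// Added example; helper names and sample data are constructed for illustration.

// True only where magic_quotes_gpc still exists and is on (removed in PHP 8).
function magic_quotes_enabled()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Undo magic_quotes_gpc once, at the input boundary, so the rest of the
// script always works with raw values. Recurses because form fields such as
// name="tags[]" arrive as arrays.
function undo_magic_quotes($value, $quotesOn)
{
    if (!$quotesOn) {
        return $value;
    }
    if (is_array($value)) {
        return array_map(function ($v) { return undo_magic_quotes($v, true); }, $value);
    }
    return stripslashes($value);
}

// Constructed sample: $_POST as it arrives with magic_quotes_gpc on.
$post = array('name' => 'O\\\'Reilly', 'tags' => array('it\\\'s', 'plain'));

// A real script would pass magic_quotes_enabled(); true is forced here so the
// example behaves the same on PHP versions without magic quotes.
$raw = undo_magic_quotes($post, true);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (label TEXT, name TEXT)');
$insert = $db->prepare('INSERT INTO people (label, name) VALUES (?, ?)');

// Escaped once, by the driver, at the moment the value enters the query.
$insert->execute(array('stripped first', $raw['name']));
// Not stripped: the backslash magic quotes added is stored as part of the data.
$insert->execute(array('not stripped', $post['name']));

foreach ($db->query('SELECT label, name FROM people') as $row) {
    echo $row['label'], ': ', $row['name'], "\n";
}
echo 'tags after stripping: ', implode(', ', $raw['tags']), "\n";
// What addslashes() does to input that magic quotes already escaped.
echo 'escaped twice: ', addslashes($post['name']), "\n";
```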

Tourex

10:43 am on Aug 25, 2005 (gmt 0)

10+ Year Member



Thanks Dreamcatcher

What I can't figure is why gpc is set on by default and runtime off. This just seems to give an inconsistent approach to me. Surely if you are using/relying on Magic Quotes, it's better to have both on, or both off? Or am I missing something?

dreamcatcher

12:00 pm on Aug 25, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I would imagine it's because most problems are encountered when posting form data to a database. Not sure really.

dc