Work around magic quotes, or just make sure they're off?#1
Is it worth changing my code to be "more portable" and able to deal with the horror of magic quotes, or should I just make sure that it's always off via a .htaccess file?

if (get_magic_quotes_gpc()) {
    $var = stripslashes($_POST['var']);
} else {
    $var = $_POST['var'];
}


Versus

php_flag magic_quotes_gpc off

posted date: 2008-12-15 17:57:00


Re: Work around magic quotes, or just make sure they're off?#2
I had made out the solution of this problem. Click to view my topic...

Hope that helps.

posted date: 2008-12-15 17:57:01


Re: Work around magic quotes, or just make sure they're off?#3
I would make sure it's off if that's possible (requires access to .htaccess or apache configuration). It's better to avoid it altogether than stripping its behavior which requires more resources and is prone to bugs.

If disabling it is not an option, your example code could be useful for the input superglobals ($_GET,$_POST,...) but make sure not to apply it on data arriving from sources other than those superglobals. Such misuse is pretty common. Just make sure that when turning magic_quotes_gpc() off to have a proper escaping mechanism in place to protect you from SQL injection (such as mysql_real_escape_string() or PDO prepared statements). You can read more on SQL injection prevention - here.

posted date: 2008-12-15 18:03:00


Re: Work around magic quotes, or just make sure they're off?#4
I've changed that code now - I'd normally do what you said, but this was just a copy and paste job gone wrong. :)

posted date: 2008-12-15 18:11:00


Re: Work around magic quotes, or just make sure they're off?#5
I've modified my answer to suit your changes ;)

posted date: 2008-12-15 18:22:00


Re: Work around magic quotes, or just make sure they're off?#6
Why are you using mysql_real_escape_string, instead of PDO?

posted date: 2008-12-15 18:46:00


Re: Work around magic quotes, or just make sure they're off?#7
I would check the setting using get_magic_quotes_gpc() and do a big noisy exit with error. In the error inform the administrator of the proper setting.

posted date: 2008-12-15 18:48:00


Re: Work around magic quotes, or just make sure they're off?#8
Don't accommodate both situations. Two code paths = twice the headaches, plus there's a good chance you'll slip up and forget to handle both situations somewhere.

I used to check if magic quotes were on or off, and if they were on, undo their magic (as others in the thread have suggested). The problem with this is, you're changing the configured environment (no matter how stupid) that another programmer may expect. These days I write code as though magic quotes are off, and in my main include/bootstrap/always-runs file I check if magic quotes are on or off. If they're on I throw an Exception that explains why this is a bad thing, and provide instructions on how they can be turned off. This approach allows you to code to a single behavior, encourages other folks using your code to configure their servers correctly (magic quotes is going away in PHP 6), and if someone really needs magic quotes on they can handle your exception and take their lives into their own hands.

posted date: 2008-12-15 18:53:00
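
The bootstrap check described in post #8, combined with the PDO prepared statements mentioned in post #3, as an added example that is not code from the thread. The exception class, function names and `users` table are hypothetical, and an in-memory SQLite database (pdo_sqlite) is assumed so the script runs offline; `addslashes()` stands in for the escaping magic_quotes_gpc applied by default.

```php
<?php
// Added example; class, function and table names are hypothetical.
// Written without scalar type hints or short array syntax so it also parses on
// the PHP 5 releases that still shipped magic quotes.
class MagicQuotesEnabledException extends RuntimeException {}

// Bootstrap guard: code to one behaviour (magic quotes off), refuse to run otherwise.
// get_magic_quotes_gpc() was removed in PHP 8.0, hence the function_exists() check;
// @ silences the PHP 7.4 deprecation notice.
function assert_magic_quotes_off()
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        throw new MagicQuotesEnabledException(
            'magic_quotes_gpc is on. Turn it off with "php_flag magic_quotes_gpc off" '
            . 'in .htaccess or "magic_quotes_gpc = Off" in php.ini.'
        );
    }
}

// Store one value through a prepared statement and read it back.
// The driver binds the value separately from the SQL text, so no manual escaping.
function store_and_fetch(PDO $db, $name)
{
    $insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $insert->execute(array(':name' => $name));

    $select = $db->prepare('SELECT name FROM users WHERE id = :id');
    $select->execute(array(':id' => $db->lastInsertId()));
    return $select->fetchColumn();
}

assert_magic_quotes_off();

$db = new PDO('sqlite::memory:'); // assumption: pdo_sqlite is installed
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

$raw    = "O'Reilly";         // constructed sample, standing in for $_POST['var']
$quoted = addslashes($raw);   // what the script would receive with magic quotes on

// With raw input the stored value matches what the user typed.
var_dump(store_and_fetch($db, $raw) === $raw);
// With magic-quoted input the added backslash is stored as data, which is why
// the two code paths must never be mixed.
var_dump(store_and_fetch($db, $quoted) === $raw);
```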


Re: Work around magic quotes, or just make sure they're off?#9
On more of a side note, PHP 6 won't be supporting them anymore. So writing the code for them off may be beneficial in the future.

posted date: 2008-12-15 18:56:00


Re: Work around magic quotes, or just make sure they're off?#10
There are some situations when you can't modify administrator settings (e.g. when using a remote, cheap/free host).

posted date: 2008-12-15 19:09:00


Re: Work around magic quotes, or just make sure they're off?#11
Nice reason (other than magic quotes being pure evil).

posted date: 2008-12-15 19:10:00


Re: Work around magic quotes, or just make sure they're off?#12
SQL injections aren't relevant to the question at all, only magic quotes. I suggest you remove that paragraph to prevent some confusion.

posted date: 2008-12-15 19:12:00

