
escaping before inserts - get_magic_quotes_gpc


Folks,

This question is directed towards PHP/MySQL folk and relates to escaping
hooks, apostrophes and other characters that can create a security hole
when writing to databases/files. I've been reading
http://ca2.php.net/manual/en/functio...quotes-gpc.php and just need
to confirm a couple of things:

If I have magic_quotes_gpc on, and I use addslashes() - Does this in effect
cause me to take security one step forward, and then back again? I mean, if
magic_quotes_gpc is on, it will escape all my data before writing it to the
database - But if I also use addslashes() will it not escape the escapes put
in by magic_quotes_gpc?

When I perform a SELECT at the moment, the data that contains special
characters is being returned with a backslash... This is wrong, correct?
Because a properly escaped character should be stored without the backslash,
true? Thus this means my quotes, or double quotes should be stored in my
table, and the quotes should not be preceded by the backslash character as
part of the returned string from my SELECT.

How can I test that I am storing my data properly? (Thus, how can I perform
a friendly attack on my database through my client HTML forms). I've tried
`/bin/ls -l > /tmp/rd1` but this does not create a temp file in my temp
directory - Thus, does this mean I have myself secure against this sort of
common hack attack?

All help, via the newsgroup, is much appreciated,
Thanks
Randell D.
Jul 17 '05 #1
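As an added example (not part of the original post), here is the double-escaping the question describes and the round-trip check it asks for, in PHP; the sample string and the in-memory SQLite database standing in for MySQL are constructed assumptions, and the PDO calls are the same against MySQL:

```php
<?php
// Added example (not from the original post): the double-escaping case in the
// question, and a round-trip check that the stored value carries no stray backslash.
declare(strict_types=1);

// Constructed sample input, as a user would type it into a form field.
$typed = "O'Reilly said \"hi\"";

// With magic_quotes_gpc=On, PHP applied addslashes() to $_POST before the script
// ran, so this is the form of the value the script actually sees.
$seenByScript = addslashes($typed);            // O\'Reilly said \"hi\"

// Calling addslashes() on it again is the "one step forward, one step back" case:
// the existing backslashes are escaped too. MySQL unescapes only one layer, so the
// row ends up holding literal backslashes, which then come back on SELECT.
$doubleEscaped = addslashes($seenByScript);    // O\\\'Reilly said \\\"hi\\\"

// Defensive normalisation: undo the automatic escaping first, escape exactly once later.
// In old PHP the flag came from get_magic_quotes_gpc(); the directive was removed in
// PHP 5.4 and the function itself in PHP 8.0, so the flag is passed in explicitly here.
function undoMagicQuotes(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// The test the question asks for: write the value, read it back, compare byte for byte.
// A prepared statement lets the driver do the quoting, so no addslashes() is involved.
// An in-memory SQLite database stands in for MySQL; the PDO calls are identical.
function roundTrips(PDO $pdo, string $value): bool
{
    $pdo->exec('CREATE TABLE IF NOT EXISTS t (name TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO t (name) VALUES (:name)');
    $ins->execute([':name' => $value]);
    $sel = $pdo->prepare('SELECT name FROM t WHERE name = :name');
    $sel->execute([':name' => $value]);
    return $sel->fetchColumn() === $value;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$clean = undoMagicQuotes($seenByScript, true);          // back to: O'Reilly said "hi"
var_dump($clean === $typed);                            // bool(true)
var_dump(roundTrips($pdo, $clean));                     // bool(true): no backslash comes back
var_dump(strpos($doubleEscaped, '\\\\') !== false);     // bool(true): this form would store backslashes
```

If the SELECT returns a string that differs from what was submitted, some layer escaped twice; fix the layering rather than stripping backslashes on output.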