Ambiguous phrases in PHP Manual

The PHP manual defines
"magic_quotes_runtime

If enabled, most functions that return data from an external
source, including databases and text files, will have quotes
escaped with a backslash "...

This term 'external source' isn't defined anywhere in the
manual! Is the data in our $_GET and $_POST variables
considered an external source? The term 'most functions'
without further explanation is most ambiguous.

If magic_quotes_gpc is set to off in the php.ini file, can
we control whether the $_GET and $_POST data is
automagically slashed using set_magic_quotes_runtime()?
or is magic_quotes_runtime only used for the data coming
out of our database or files and a few special uses?

Thanks for your help in sorting this confusion.

Ken

Jul 17 '05 #1
"Ken in Melbourne Australia" <ke*@mira.net> wrote in message
news:42***********************@per-qv1-newsreader-01.iinet.net.au...
> The PHP manual defines
> "magic_quotes_runtime
>
> If enabled, most functions that return data from an external
> source, including databases and text files, will have quotes
> escaped with a backslash "...
>
> This term 'external source' isn't defined anywhere in the
> manual! Is the data in our $_GET and $_POST variables
> considered an external source? The term 'most functions'
> without further explanation is most ambiguous.
>
> If magic_quotes_gpc is set to off in the php.ini file, can
> we control whether the $_GET and $_POST data is
> automagically slashed using set_magic_quotes_runtime()?
> or is magic_quotes_runtime only used for the data coming
> out of our database or files and a few special uses?
>
> Thanks for your help in sorting this confusion.
>
> Ken


If magic_quotes is turned on (the last time I actually used it) I'm pretty
sure a form that a GET/POST request will be escaped to ease insertion into a
database for example. Coming out of a database such as mySQL, I don't think
I've ever seen them escaped.

IMO, it's bad practice to use/depend on magic_quotes being on.

HTH
-Joe
Jul 17 '05 #2
> "Ken in Melbourne Australia" <ke*@mira.net> wrote:
> The PHP manual defines
> "magic_quotes_runtime
>
> If enabled, most functions that return data from an external
> source, including databases and text files, will have quotes
> escaped with a backslash "...
>
> This term 'external source' isn't defined anywhere in the
> manual! Is the data in our $_GET and $_POST variables
> considered an external source? The term 'most functions'
> without further explanation is most ambiguous.

Well, $_GET and $_POST are not functions. They are array variables.

> If magic_quotes_gpc is set to off in the php.ini file, can
> we control whether the $_GET and $_POST data is
> automagically slashed using set_magic_quotes_runtime()?
> or is magic_quotes_runtime only used for the data coming
> out of our database or files and a few special uses?

You could test this question in much less time than it takes to ask a
question on usenet and wait for a response. :)

Because magic_quotes_runtime corrupts data with slashes coming from
various _unspecified_ functions, you should probably never, ever use
magic_quotes_runtime without doing a lot of careful testing.

For the array values, which are already present at the start of the
script, you must check whether magic_quotes_gpc is on and use
stripslashes() as appropriate to get the uncorrupted values of the
submitted data.

Always perform the appropriate escaping (eg with
mysql_real_escape_string()) before putting data into an SQL statement.

Joe Webster wrote:
> If magic_quotes is turned on (the last time I actually used it) I'm pretty
> sure a form that a GET/POST request will be escaped to ease insertion into a
> database for example.

That's magic_quotes_gpc, which is ON by default...

> Coming out of a database such as mySQL, I don't think
> I've ever seen them escaped.

...that's magic_quotes_runtime, which is OFF by default. These are
separate options.

> IMO, it's bad practice to use/depend on magic_quotes being on.


<nod>

-- brion vibber (brion @ pobox.com)
Jul 17 '05 #3
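
The advice in the post above (undo magic_quotes_gpc with stripslashes() before use, then escape where the value meets SQL), as an added PHP example that is not code from any poster. The helper names and the sample input are constructed; a PDO bound parameter on an in-memory SQLite database (assumes the pdo_sqlite extension) stands in for mysql_real_escape_string(), which no longer exists in PHP 7 and later.

```php
<?php
// Added example, not from the thread. Helper names are hypothetical.

// Recursively undo the backslashes magic_quotes_gpc added
// (form fields such as tags[] arrive as nested arrays).
function strip_magic_quotes($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes', $value)
        : stripslashes($value);
}

// Return request data as the client actually sent it.
// $quoted says whether magic_quotes_gpc touched the data; on PHP < 5.4
// take it from get_magic_quotes_gpc(). The setting is gone in PHP 5.4+.
function normalise_input(array $data, $quoted)
{
    return $quoted ? strip_magic_quotes($data) : $data;
}

// Constructed sample: what the client sent, and what $_POST held with
// magic_quotes_gpc = On. addslashes() applies the same escaping.
$sent = array('name' => "O'Reilly", 'tags' => array('a\\b', 'say "hi"'));
$post = array(
    'name' => addslashes($sent['name']),
    'tags' => array_map('addslashes', $sent['tags']),
);

$clean = normalise_input($post, true);
var_dump($clean === $sent);   // round trip restores the submitted values

// Escape at the point of use. The bound parameter does the SQL quoting,
// so any backslash still in the value is stored as data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (name TEXT)');
$insert = $db->prepare('INSERT INTO people (name) VALUES (?)');
$insert->execute(array($post['name']));   // strip skipped: stray backslash is stored
$insert->execute(array($clean['name']));  // normalised first: stored as typed

foreach ($db->query('SELECT name FROM people') as $row) {
    echo $row['name'], "\n";
}
```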
"Brion Vibber" <br***@pobox.com> wrote in message
news:39*************@individual.net...
> "Ken in Melbourne Australia" <ke*@mira.net> wrote:
> > The PHP manual defines
> > "magic_quotes_runtime
> >
> > If enabled, most functions that return data from an external
> > source, including databases and text files, will have quotes
> > escaped with a backslash "...
> >
> > This term 'external source' isn't defined anywhere in the
> > manual! Is the data in our $_GET and $_POST variables
> > considered an external source? The term 'most functions'
> > without further explanation is most ambiguous.
>
> Well, $_GET and $_POST are not functions. They are array variables.
>
> > If magic_quotes_gpc is set to off in the php.ini file, can
> > we control whether the $_GET and $_POST data is
> > automagically slashed using set_magic_quotes_runtime()?
> > or is magic_quotes_runtime only used for the data coming
> > out of our database or files and a few special uses?
>
> You could test this question in much less time than it takes to ask a
> question on usenet and wait for a response. :)
>
> Because magic_quotes_runtime corrupts data with slashes coming from
> various _unspecified_ functions, you should probably never, ever use
> magic_quotes_runtime without doing a lot of careful testing.
>
> For the array values, which are already present at the start of the
> script, you must check whether magic_quotes_gpc is on and use
> stripslashes() as appropriate to get the uncorrupted values of the
> submitted data.
>
> Always perform the appropriate escaping (eg with
> mysql_real_escape_string()) before putting data into an SQL statement.
>
> Joe Webster wrote:
> > If magic_quotes is turned on (the last time I actually used it) I'm pretty
> > sure a form that a GET/POST request will be escaped to ease insertion into a
> > database for example.
>
> That's magic_quotes_gpc, which is ON by default...
>
> > Coming out of a database such as mySQL, I don't think
> > I've ever seen them escaped.
>
> ...that's magic_quotes_runtime, which is OFF by default. These are
> separate options.
>
> > IMO, it's bad practice to use/depend on magic_quotes being on.
>
> <nod>
>
> -- brion vibber (brion @ pobox.com)

You know, it's usually at the end of my day when I'm tired when I start
getting to the news group -- maybe I should keep my fingers shut :) Anyway,
Brion is right... two different options.

http://us4.php.net/magic_quotes

I feel sorry for whoever came up with magic_quotes*, realizing that we all
hate him for the confusion :)

-Joe
Jul 17 '05 #4
