I have a form with a submit button like this:
<p class="loginsubmit"><input class="submit" type="submit"
value="Login" name="doLogin"></p>
In phpinfo() I see:
magic_quotes_gpc On On
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off
I have apache2, and php5. When the form is posted is it safe to use
if (isset($doLogin) && $doLogin == "Login") {
    ....
}
or I need first to say: $doLogin = addslashes($_POST['doLogin']);
thanks a lot.
On Jun 10, 12:54 pm, Harris Kosmidhs
<hkosm...@remove.me.softnet.tuc.gr> wrote:
> I have a form with a submit button like this:
> <p class="loginsubmit"><input class="submit" type="submit"
> value="Login" name="doLogin"></p>
> In phpinfo() I see:
> magic_quotes_gpc On On
> magic_quotes_runtime Off Off
> magic_quotes_sybase Off Off
> I have apache2, and php5. When the form is posted is it safe to use
> if(isset($doLogin) && $doLogin="Login") {
> ...
> }
> or I need first to say: $doLogin=addslashed($_POST['doLogin']);
> thanks a lot.
No.
Firstly, magic_quotes are deprecated. If your code is going to be
running anywhere that might have them set, then you should test if they
are set, and if so **stripslashes**.
Instead of addslashes you should use the appropriate encoding function
for the use to which you are applying the data **at the point where
you are applying the data** e.g. mysql_real_escape_string(),
htmlentities(), urlencode etc.
C.
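As an added illustration of C.'s two points (this is not code from the thread): test for magic quotes at runtime and strip the slashes once at the request boundary, then encode separately for each context in which the data is actually used. It assumes a PHP 5 setup like the one in the question; `get_magic_quotes_gpc()` no longer exists in PHP 8, so it is guarded with `function_exists()`. The `username` field and the `profile.php` link are assumptions made for the example.

```php
<?php
// Added example, not from the thread. Assumes PHP 5 with magic_quotes_gpc
// possibly On, as in the original question.

/** Recursively remove the backslashes magic_quotes_gpc added to request data. */
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Do this once, at the top of the request, and only when magic quotes are on.
// get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists() guard.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// Read the submit button from $_POST instead of relying on register_globals,
// and compare with ==, not = (the original "$doLogin="Login"" is an assignment).
$doLogin = isset($_POST['doLogin']) ? $_POST['doLogin'] : '';

if ($doLogin == 'Login') {
    // 'username' is an assumed form field for this example.
    $username = isset($_POST['username']) ? $_POST['username'] : '';

    // Encode at the point of use, for that context only.
    // HTML body: stops the value from being parsed as markup.
    echo 'Welcome, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . "<br>\n";
    // URL query string: keeps ?, &, # and spaces from breaking the link.
    echo '<a href="profile.php?user=' . urlencode($username) . '">profile</a>';
    // A database query would get its own escaping here (the driver's escape
    // function or a prepared statement), never addslashes().
}
```

The same raw `$username` is encoded twice, once per context; a single up-front addslashes() would fit neither the HTML nor the URL and would leave a stray backslash in both.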
On 10 Jun, 13:00, "C. (http://symcbean.blogspot.com/)"
<colin.mckin...@gmail.com> wrote:
> On Jun 10, 12:54 pm, Harris Kosmidhs
> <hkosm...@remove.me.softnet.tuc.gr> wrote:
> > I have a form with a submit button like this:
> > <p class="loginsubmit"><input class="submit" type="submit"
> > value="Login" name="doLogin"></p>
> > In phpinfo() I see:
> > magic_quotes_gpc On On
> > magic_quotes_runtime Off Off
> > magic_quotes_sybase Off Off
> > I have apache2, and php5. When the form is posted is it safe to use
> > if(isset($doLogin) && $doLogin="Login") {
> > ...
> > }
> > or I need first to say: $doLogin=addslashed($_POST['doLogin']);
> > thanks a lot.
> No.
> Firstly, magic_quotes are depercated. If you're
I think you meant "your code". "you're code" is an abbreviation for
"you are code", which is nonsense in this context.
C. (http://symcbean.blogspot.com/) wrote:
> On Jun 10, 12:54 pm, Harris Kosmidhs
> <hkosm...@remove.me.softnet.tuc.gr> wrote:
> > I have a form with a submit button like this:
> > <p class="loginsubmit"><input class="submit" type="submit" value="Login" name="doLogin"></p>
> > In phpinfo() I see:
> > magic_quotes_gpc On On
> > magic_quotes_runtime Off Off
> > magic_quotes_sybase Off Off
> > I have apache2, and php5. When the form is posted is it safe to use
> > if(isset($doLogin) && $doLogin="Login") {
> > ...
> > }
> > or I need first to say: $doLogin=addslashed($_POST['doLogin']);
> > thanks a lot.
> No.
> Firstly, magic_quotes are depercated. If you're code is going tobe
> runing anywhere that might have them set, then you should test if they
> are set, and if so **stripslashes**.
> Instead of addslashes you should use the appropriate encoding function
> for the use to which you are applying the data **at the point where
> you are applying the data** e.g. mysql_real_escape_string(),
> htmlentites(), urlencode etc.
> C.
No, I'm just writing the code and it's supposed to run in the above
configuration.
Why not always use addslashes?
I'm thinking of having a function which parses all GET and POST values and
addslashes them so that they are ready for use. In the last 2 web pages I
developed I used PDO, so I don't want to use mysql_real_escape_string
since the database isn't the same every time (ok mostly mysql, but
recently I used sqlite).
And I find it painless to prepare stmts every time I want to access the
DB. Well, ok. If there's no other way I'll do it...:)
Thanks
..oO(Harris Kosmidhs)
>No I 'm just writting the code and it's supposed to run in the above configuration.
Doesn't matter. Magic quotes are a completely broken feature and will be
removed from PHP 6. You shouldn't use them anymore, unless you want to
rewrite all your code again in a few years.
>Why not use always addslashes?
Almost as useless as magic quotes. You won't need it. It won't prevent
SQL injection for example.
>I 'm thinking of having a function which parses all GET, POST values and addslashes so as for them to be ready for use.
That's not going to work.
>In the last 2 web pages I developed I used PDO, so I don't want to use mysql_real_escape_string since the database isn't the same every time (ok mostly mysql, but recently I used sqlite).
PDO is perfectly OK and injection-safe if used properly with prepared
statements, but if you also use addslashes(), you'll corrupt your data.
>and I find it painless to prepare stmts every time I want to access the DB. Well, ok. If there's no other way I'll do it...:)
The correct way is to either completely disable magic quotes and never
touch them again, or, if you can't disable them, check at runtime and
call stripslashes() if necessary to get the raw data. Then use the
appropriate encoding functions when you actually work with the data.
Micha
On Jun 10, 1:18 pm, Captain Paralytic <paul_laut...@yahoo.com> wrote:
> On 10 Jun, 13:00, "C. (http://symcbean.blogspot.com/)"
> <colin.mckin...@gmail.com> wrote:
> > On Jun 10, 12:54 pm, Harris Kosmidhs
> > <hkosm...@remove.me.softnet.tuc.gr> wrote:
> > > I have a form with a submit button like this:
> > > <p class="loginsubmit"><input class="submit" type="submit"
> > > value="Login" name="doLogin"></p>
> > > In phpinfo() I see:
> > > magic_quotes_gpc On On
> > > magic_quotes_runtime Off Off
> > > magic_quotes_sybase Off Off
> > > I have apache2, and php5. When the form is posted is it safe to use
> > > if(isset($doLogin) && $doLogin="Login") {
> > > ...
> > > }
> > > or I need first to say: $doLogin=addslashed($_POST['doLogin']);
> > > thanks a lot.
> > No.
> > Firstly, magic_quotes are depercated. If you're
> I think you meant "your code". "you're code" is an abbreviation for
> "you are code", whichis nonsense in this context.
Unless you live in the matrix.
On Jun 10, 1:54 pm, Harris Kosmidhs
<hkosm...@remove.me.softnet.tuc.gr> wrote:
> C. (http://symcbean.blogspot.com/) wrote:
> > On Jun 10, 12:54 pm, Harris Kosmidhs
> > <hkosm...@remove.me.softnet.tuc.gr> wrote:
> > > I have a form with a submit button like this:
> > > <p class="loginsubmit"><input class="submit" type="submit"
> > > value="Login" name="doLogin"></p>
> > > In phpinfo() I see:
> > > magic_quotes_gpc On On
> > > magic_quotes_runtime Off Off
> > > magic_quotes_sybase Off Off
> > > I have apache2, and php5. When the form is posted is it safe to use
> > > if(isset($doLogin) && $doLogin="Login") {
> > > ...
> > > }
> > > or I need first to say: $doLogin=addslashed($_POST['doLogin']);
> > > thanks a lot.
> > No.
> > Firstly, magic_quotes are depercated. If you're code is going tobe
> > runing anywhere that might have them set, then you should test if they
> > are set, and if so **stripslashes**.
> > Instead of addslashes you should use the appropriate encoding function
> > for the use to which you are applying the data **at the point where
> > you are applying the data** e.g. mysql_real_escape_string(),
> > htmlentites(), urlencode etc.
> > C.
> No I 'm just writting the code and it's supposed to run in the above
> configuration.
> Why not use always addslashes?
Because addslashes and magic quotes are no guarantee that the data you
are handling is safe to be inserted into a database, and all databases
use different methods of escaping characters. Use the escaping
function for the database you're using instead,
mysql_real_escape_string for MySQL, pg_escape_string for Postgres,
etc.
> I 'm thinking of having a function which parses all GET, POST values and
> addslashes so as for them to be ready for use. In the last 2 web pages I
> developed I used PDO, so I don't want to use mysql_real_escape_string
> since the database isn't the same every time (ok mostly mysql, but
> recently I used sqlite).
Turn magic_quotes_gpc off if at all possible, if not then run
stripslashes on all members of your $_GET, $_POST and $_COOKIE arrays
instead.
If you are using PDO then there is a generic 'quote' method that will
use the correct escaping convention for the database you are connected
to. See http://uk.php.net/manual/en/pdo.quote.php
As you are using PDO, an even better approach is to use prepared
statements. See http://uk.php.net/manual/en/pdo.prepared-statements.php
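Micha's warning that addslashes() on top of PDO prepared statements corrupts your data, and the PDO::quote() / prepared-statement advice in the reply above, as one added example that is not from the thread. It uses an in-memory SQLite database (the `pdo_sqlite` extension) so it runs stand-alone; the `users` table and the `$typed` value are constructed for the example, and the backslash that magic_quotes_gpc would add is simulated with one explicit addslashes() call so the script behaves the same whether or not magic quotes are on.

```php
<?php
// Added example, not from the thread. Requires the pdo_sqlite extension.

$typed = "O'Reilly";                 // constructed: what the user really typed

// Simulate what magic_quotes_gpc does before your script even runs.
$fromRequest = addslashes($typed);   // now carries a backslash the user never typed

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

$insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');

// Wrong: escaping again before binding. The placeholder sends the value
// verbatim, so every backslash becomes part of the stored name.
$insert->execute(array(':name' => addslashes($fromRequest)));

// Right: get the raw string back first, then let the placeholder handle the quote.
$raw = stripslashes($fromRequest);
$insert->execute(array(':name' => $raw));

echo "Stored values:\n";
foreach ($db->query('SELECT id, name FROM users ORDER BY id') as $row) {
    echo "  {$row['id']}: {$row['name']}\n";
}

// Only the second row still equals what the user typed.
$find = $db->prepare('SELECT COUNT(*) FROM users WHERE name = :name');
$find->execute(array(':name' => $typed));
echo "Rows equal to the typed name: " . $find->fetchColumn() . "\n";

// PDO::quote() is the portable fallback when a statement cannot be prepared;
// the driver applies the escaping rules of the connected database.
$sql = 'SELECT COUNT(*) FROM users WHERE name = ' . $db->quote($typed);
echo "Same query via quote(): " . $db->query($sql)->fetchColumn() . "\n";
```

Row 1 comes back with extra backslashes around the apostrophe, which is exactly the "more slashes than you want" a phpMyAdmin check would reveal; row 2 is stored as typed, and both count queries find only that one row. Swapping the `sqlite::memory:` DSN for a MySQL or PostgreSQL one changes nothing in the script, which is the portability the original poster was after.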
Greetings, Harris Kosmidhs.
In reply to Your message dated Tuesday, June 10, 2008, 16:54:30,
> No I 'm just writting the code and it's supposed to run in the above
> configuration.
> Why not use always addslashes?
How can you detect the real string length if you have some crap slashes in it?
How can you prevent abuse/misuse of this function (by using it more often
than required)?
> I 'm thinking of having a function which parses all GET, POST values and
> addslashes so as for them to be ready for use.
Such a function is a good idea, but only if used in the right way (your way
is certainly not right).
In such function, you must do 2 things:
1. Convert all known data to proper format.
I.e.:
convert all numeric (known to be numeric) values to appropriate (int/float)
representation.
convert all strings to strings, strip any possible crap which may be magically
added, and do some other things you need (I'm stripping any HTML tags, for
example)
2. check all unknown data for possible malicious intention.
> In the last 2 web pages I developed I used PDO, so I don't want to use
> mysql_real_escape_string since the database isn't the same every time (ok
> mostly mysql, but recently I used sqlite).
For PDO, you have the perfect tool in prepared statements.
It will take care of any characters that require escaping.
> and I find it painless to prepare stmts every time I want to access the
> DB. Well, ok. If there's no other way I'll do it...:)
It is much less pain than keeping in mind where you want stripslashes and
where you don't.
Working with raw data is always easier than with data that is in some way... prepared.
So, you must prepare data only when you are giving it away... to the database or
to the client.
P.S.
Check the contents of your database with a 3rd-party tool, like phpMyAdmin.
I wouldn't be surprised if there are more slashes than you want.
--
Sincerely Yours, AnrDaemon <an*******@freemail.ru>
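An input-normalising function along the lines AnrDaemon describes, as an added example that is not his code: known fields are converted to their proper type, strings are cleaned of magic-quote slashes (and, as he does, of HTML tags), and any field outside the specification is refused rather than guessed at. The field specification and the sample `$post` array are constructed for the example; a real script would pass `$_POST`.

```php
<?php
// Added example, not from the thread. The $spec map and the $post sample
// are constructed; in a real request you would pass $_POST.

/**
 * Convert known fields to their proper type, clean strings, and refuse
 * anything not in the specification. Returns array($clean, $errors).
 */
function normalize_input(array $spec, array $input)
{
    $clean  = array();
    $errors = array();

    // Work on raw data: undo magic quotes here, once, only if they are on.
    $stripping = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();

    // 1. Known data: convert to the expected representation.
    foreach ($spec as $field => $type) {
        if (!array_key_exists($field, $input)) {
            $errors[] = "missing field: $field";
            continue;
        }
        $value = $input[$field];
        if (is_array($value)) {                   // field[]=1 where a scalar is expected
            $errors[] = "unexpected array: $field";
            continue;
        }
        if ($stripping) {
            $value = stripslashes($value);
        }
        switch ($type) {
            case 'int':
                if (filter_var($value, FILTER_VALIDATE_INT) === false) {
                    $errors[] = "not an integer: $field";
                } else {
                    $clean[$field] = (int) $value;
                }
                break;
            case 'float':
                if (filter_var($value, FILTER_VALIDATE_FLOAT) === false) {
                    $errors[] = "not a number: $field";
                } else {
                    $clean[$field] = (float) $value;
                }
                break;
            case 'string':
                // strip_tags() is a data-cleanup choice, not an encoder: output
                // still goes through htmlspecialchars() at the point of use.
                $clean[$field] = trim(strip_tags($value));
                break;
            default:
                $errors[] = "unknown type '$type' for $field";
        }
    }

    // 2. Unknown data: anything outside the specification is refused.
    foreach (array_keys(array_diff_key($input, $spec)) as $field) {
        $errors[] = "unexpected field: $field";
    }

    return array($clean, $errors);
}

// Constructed sample request.
$spec = array(
    'doLogin' => 'string',
    'user_id' => 'int',
    'amount'  => 'float',
    'comment' => 'string',
);
$post = array(
    'doLogin' => 'Login',
    'user_id' => '42abc',                               // fails int validation
    'amount'  => '19.99',
    'comment' => "<b>Hello</b> O'Reilly <script>x</script>",
    'debug'   => '1',                                   // not in the spec
);

list($clean, $errors) = normalize_input($spec, $post);
print_r($clean);
print_r($errors);
```

With the constructed input, `$clean` holds `doLogin`, `amount` as a float and `comment` as the text `Hello O'Reilly x` with its apostrophe intact, while `$errors` reports the non-integer `user_id` and the unexpected `debug` field. The cleaned values are still raw data: they get escaped by the database driver or a prepared statement, or encoded with htmlspecialchars(), only when they are handed to the database or to the client.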