magic_quotes

On Jun 10, 12:54 pm, Harris Kosmidhs
<hkosm...@remove.me.softnet.tuc.grwrote:

I have a form with a submit button like this:

<p class="loginsubmit"><input class="submit" type="submit"
value="Login" name="doLogin"></p>

In phpinfo() I see:
magic_quotes_gpc On On
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off

I have apache2, and php5. When the form is posted is it safe to use
if(isset($doLogin) && $doLogin="Login") {
...

}

or I need first to say: $doLogin=addslashed($_POST['doLogin']);

thanks a lot.

No.

Firstly, magic_quotes are depercated. If you're code is going tobe
runing anywhere that might have them set, then you should test if they
are set, and if so **stripslashes**.

Instead of addslashes you should use the appropriate encoding function
for the use to which you are applying the data **at the point where
you are applying the data** e.g. mysql_real_escape_string(),
htmlentites(), urlencode etc.

C.

On 10 Jun, 13:00, "C. (http://symcbean.blogspot.com/)"
<colin.mckin...@gmail.comwrote:

On Jun 10, 12:54 pm, Harris Kosmidhs

<hkosm...@remove.me.softnet.tuc.grwrote:

I have a form with a submit button like this:

<p class="loginsubmit"><input class="submit" *type="submit"
value="Login" name="doLogin"></p>

In phpinfo() I see:
magic_quotes_gpc * * * *On * * *On
magic_quotes_runtime * *Off * * Off
magic_quotes_sybase * * Off * * Off

I have apache2, and php5. When the form is posted is it safe to use
if(isset($doLogin) && $doLogin="Login") {
...

}

or I need first to say: $doLogin=addslashed($_POST['doLogin']);

thanks a lot.

No.

Firstly, magic_quotes are depercated. If you're

I think you meant "your code". "you're code" is an abbreviation for
"you are code", whichis nonsense in this context.

C. (http://symcbean.blogspot.com/) wrote:

On Jun 10, 12:54 pm, Harris Kosmidhs
<hkosm...@remove.me.softnet.tuc.grwrote:

>I have a form with a submit button like this:

<p class="loginsubmit"><input class="submit" type="submit"
value="Login" name="doLogin"></p>

In phpinfo() I see:
magic_quotes_gpc On On
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off

I have apache2, and php5. When the form is posted is it safe to use
if(isset($doLogin) && $doLogin="Login") {
...

}

or I need first to say: $doLogin=addslashed($_POST['doLogin']);

thanks a lot.

No.

Firstly, magic_quotes are depercated. If you're code is going tobe
runing anywhere that might have them set, then you should test if they
are set, and if so **stripslashes**.

Instead of addslashes you should use the appropriate encoding function
for the use to which you are applying the data **at the point where
you are applying the data** e.g. mysql_real_escape_string(),
htmlentites(), urlencode etc.

C.

No I 'm just writting the code and it's supposed to run in the above
configuration.

Why not use always addslashes?

I 'm thinking of having a function which parses all GET, POST values and
addslashes so as for them to be ready for use. In the last 2 web pages I
developed I used PDO, so I don't want to use mysql_real_escape_string
since the database isn't the same every time (ok mostly mysql, but
recently I used sqlite).

and I find it painless to prepare stmts every time I want to access the
DB. Well, ok. If there's no other way I'll do it...:)

Thanks

..oO(Harris Kosmidhs)

>No I 'm just writting the code and it's supposed to run in the above
configuration.

Doesn't matter. Magic quotes are a completely broken feature and will be
removed from PHP 6. You shouldn't use them anymore, unless you want to
rewrite all your code again in a few years.

>Why not use always addslashes?

Almost as useless as magic quotes. You won't need it. It won't prevent
SQL injection for example.

>I 'm thinking of having a function which parses all GET, POST values and
addslashes so as for them to be ready for use.

That's not going to work.

>In the last 2 web pages I
developed I used PDO, so I don't want to use mysql_real_escape_string
since the database isn't the same every time (ok mostly mysql, but
recently I used sqlite).

PDO is perfectly OK and injection-safe if used properly with prepared
statements, but if you also use addslashes(), you'll corrupt your data.

>and I find it painless to prepare stmts every time I want to access the
DB. Well, ok. If there's no other way I'll do it...:)

The correct way is to either completely disable magic qotes and never
touch them again, or, if you can't disable them, check at runtime and
call stripslashes() if necessary to get the raw data. Then use the
appropriate encoding functions when you actually work with the data.

Micha

On Jun 10, 1:18 pm, Captain Paralytic <paul_laut...@yahoo.comwrote:

On 10 Jun, 13:00, "C. (http://symcbean.blogspot.com/)"

<colin.mckin...@gmail.comwrote:

On Jun 10, 12:54 pm, Harris Kosmidhs

<hkosm...@remove.me.softnet.tuc.grwrote:

I have a form with a submit button like this:

<p class="loginsubmit"><input class="submit" type="submit"
value="Login" name="doLogin"></p>

In phpinfo() I see:
magic_quotes_gpc On On
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off

I have apache2, and php5. When the form is posted is it safe to use
if(isset($doLogin) && $doLogin="Login") {
...

}

or I need first to say: $doLogin=addslashed($_POST['doLogin']);

thanks a lot.

No.

Firstly, magic_quotes are depercated. If you're

I think you meant "your code". "you're code" is an abbreviation for
"you are code", whichis nonsense in this context.

Unless you live in the matrix.

On Jun 10, 1:54 pm, Harris Kosmidhs
<hkosm...@remove.me.softnet.tuc.grwrote:

C. (http://symcbean.blogspot.com/) wrote:

On Jun 10, 12:54 pm, Harris Kosmidhs
<hkosm...@remove.me.softnet.tuc.grwrote:

I have a form with a submit button like this:

<p class="loginsubmit"><input class="submit" type="submit"
value="Login" name="doLogin"></p>

In phpinfo() I see:
magic_quotes_gpc On On
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off

I have apache2, and php5. When the form is posted is it safe to use
if(isset($doLogin) && $doLogin="Login") {
...

}

or I need first to say: $doLogin=addslashed($_POST['doLogin']);

thanks a lot.

No.

Firstly, magic_quotes are depercated. If you're code is going tobe
runing anywhere that might have them set, then you should test if they
are set, and if so **stripslashes**.

Instead of addslashes you should use the appropriate encoding function
for the use to which you are applying the data **at the point where
you are applying the data** e.g. mysql_real_escape_string(),
htmlentites(), urlencode etc.

C.

No I 'm just writting the code and it's supposed to run in the above
configuration.

Why not use always addslashes?

Because addslashes and magic quotes are no guarantee that the data you
are handling is safe to be inserted into a database, and all databases
use different methods of escaping characters. Use the escaping
function for the database you're using instead,
mysql_real_escape_string for MySQL, pg_escape_string for Postgres,
etc.

I 'm thinking of having a function which parses all GET, POST values and
addslashes so as for them to be ready for use. In the last 2 web pages I
developed I used PDO, so I don't want to use mysql_real_escape_string
since the database isn't the same every time (ok mostly mysql, but
recently I used sqlite).

Turn magic_quotes_gpc off if at all possible, if not then run
stripslashes on all members of your $_GET, $_POST and $_COOKIE arrays
instead.

If you are using PDO then there is a generic 'quote' method that will
use the correct escaping convention for the database you are connected
to. See http://uk.php.net/manual/en/pdo.quote.php

As you are using PDO, an even better approach is to use prepared
statements. See http://uk.php.net/manual/en/pdo.prepared-statements.php

Greetings, Harris Kosmidhs.
In reply to Your message dated Tuesday, June 10, 2008, 16:54:30,

No I 'm just writting the code and it's supposed to run in the above
configuration.

Why not use always addslashes?

How can you detect real string length if you have some crap slashes in it?
How can you prevent abusing/misusing of this function? (By using it more often
than required)

I 'm thinking of having a function which parses all GET, POST values and
addslashes so as for them to be ready for use.

Such function are good idea, but if used in the right way (your way certainly
not right).
In such function, you must do 2 things:
1. Convert all known data to proper format.
I.e.:
convert all numeric (known to be numeric) values to appropriate (int/float)
representation.
convert all strings to strings, strip any possible crap which may be magically
added and do some other things you need (i'm stripping any HTML tags, for
example)
2. check all unknown data for possible malicious intention.

In the last 2 web pages I developed I used PDO, so I don't want to use
mysql_real_escape_string since the database isn't the same every time (ok
mostly mysql, but recently I used sqlite).

For PDO, you have perfect tool in prepared statements.
It will take care about any characters that require escaping.

and I find it painless to prepare stmts every time I want to access the
DB. Well, ok. If there's no other way I'll do it...:)

It is much less pain, than keeping in mind, where you want stripslashes, and
where you don't.

Working with raw data always easier than with in some way... prepared.
So, you must prepare data only when you are giving them away... to database or
to client.

P.S.
Check contents of your database with 3rd-party tool, like phpMyAdmin.
I woldn't be surprised, if there are more slashes than you want.
--
Sincerely Yours, AnrDaemon <an*******@freemail.ru>