FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » magic_quotes_gpc() on or off?
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
magic_quotes_gpc() on or off? [message #173868] Wed, 11 May 2011 07:28 Go to next message
Simon is currently offline  Simon
Messages: 29
Registered: February 2011
Karma: 0
Junior Member
Hi,

On my dev machine(s) I have:
magic_quotes_gpc = Off and magic_quotes_runtime = Off

as far as I understand this is the 'preferred' settings when it comes to
magic quotes.

On the live machine I see that the values are:

magic_quotes_gpc = On and magic_quotes_runtime = Off

I think this is a throw back of upgrading from 4.x to 5.x many moons
ago, (the value should not be set as per
http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc).

But as a point of interest, this causes a problem when I try to save
data in the database.
According to http://php.net/manual/en/function.mysql-real-escape-string.php

"If magic_quotes_gpc is enabled, first apply stripslashes() to the data.
Using this function on data which has already been escaped will escape
the data twice."

so if I have:

/////////////////////////////////////////////////////////////////////////// /

// get a proper MySQL connection for mysql_real_escape_string() to work.
....
//
//
$data = 'H\hi'; // a random string that I want to save 'as is' in the
db. Note the 'escaped' character.

//
// now try and save it to the db
//
// Stripslashes if need be
if (get_magic_quotes_gpc())
{
$data = stripslashes($data);
}

// escape
$data = mysql_real_escape_string($data);

echo $data;
/////////////////////////////////////////////////////////////////////////// /

You will see that the data has become 'Hhi', the '\' has been stripped,
and the data is no longer saved as expected.

If I turn magic_quotes_gpc=off this is a moot point.
But I was wondering how you could get it to work with magic_quotes_gpc=On

Any suggestions? comments?

Thanks

Simon
Re: magic_quotes_gpc() on or off? [message #173872 is a reply to message #173868] Wed, 11 May 2011 10:38 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 5/11/2011 3:28 AM, Simon wrote:
> Hi,
>
> On my dev machine(s) I have:
> magic_quotes_gpc = Off and magic_quotes_runtime = Off
>
> as far as I understand this is the 'preferred' settings when it comes to
> magic quotes.
>
> On the live machine I see that the values are:
>
> magic_quotes_gpc = On and magic_quotes_runtime = Off
>
> I think this is a throw back of upgrading from 4.x to 5.x many moons
> ago, (the value should not be set as per
> http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc).
>
> But as a point of interest, this causes a problem when I try to save
> data in the database.
> According to http://php.net/manual/en/function.mysql-real-escape-string.php
>
> "If magic_quotes_gpc is enabled, first apply stripslashes() to the data.
> Using this function on data which has already been escaped will escape
> the data twice."
>
> so if I have:
>
> /////////////////////////////////////////////////////////////////////////// /
>
>
> // get a proper MySQL connection for mysql_real_escape_string() to work.
> ...
> //
> //
> $data = 'H\hi'; // a random string that I want to save 'as is' in the
> db. Note the 'escaped' character.
>

First of all, '\h' is not a valid escape character. If you actually
want a backslash there, you need to use '\\h'. Using invalid character
combinations leads to unpredictable results.

> //
> // now try and save it to the db
> //
> // Stripslashes if need be
> if (get_magic_quotes_gpc())
> {
> $data = stripslashes($data);
> }
>

Why are you stripping slashes BEFORE storing the data?
magic_quotes_gpc() affects data RETRIEVED from the database.

> // escape
> $data = mysql_real_escape_string($data);
>
> echo $data;
> /////////////////////////////////////////////////////////////////////////// /
>
>
> You will see that the data has become 'Hhi', the '\' has been stripped,
> and the data is no longer saved as expected.
>

As I would expect, as indicated above.

> If I turn magic_quotes_gpc=off this is a moot point.
> But I was wondering how you could get it to work with magic_quotes_gpc=On
>
> Any suggestions? comments?
>
> Thanks
>
> Simon
>
>

I never run with magic_quotes_gpc() on, and won't recommend a host who
runs with it on. If they don't know enough to turn off something which
has been deprecated for years, I'm not sure what else they are clueless
about.

And BTW - it is being removed in PHP6 anyway.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: magic_quotes_gpc() on or off? [message #173874 is a reply to message #173868] Wed, 11 May 2011 10:45 Go to previous messageGo to next message
alvaro.NOSPAMTHANX is currently offline  alvaro.NOSPAMTHANX
Messages: 277
Registered: September 2010
Karma: 0
Senior Member
El 11/05/2011 9:28, Simon escribió/wrote:
> On my dev machine(s) I have:
> magic_quotes_gpc = Off and magic_quotes_runtime = Off
>
> as far as I understand this is the 'preferred' settings when it comes to
> magic quotes.

Certainly. It makes everything easier, as you've already found out.


> On the live machine I see that the values are:
>
> magic_quotes_gpc = On and magic_quotes_runtime = Off
>
> I think this is a throw back of upgrading from 4.x to 5.x many moons
> ago, (the value should not be set as per
> http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc).
>
> But as a point of interest, this causes a problem when I try to save
> data in the database.
> According to http://php.net/manual/en/function.mysql-real-escape-string.php
>
> "If magic_quotes_gpc is enabled, first apply stripslashes() to the data.
> Using this function on data which has already been escaped will escape
> the data twice."
>
> so if I have:
>
> /////////////////////////////////////////////////////////////////////////// /
>
>
> // get a proper MySQL connection for mysql_real_escape_string() to work.
> ...
> //
> //
> $data = 'H\hi'; // a random string that I want to save 'as is' in the
> db. Note the 'escaped' character.
>
> //
> // now try and save it to the db
> //
> // Stripslashes if need be
> if (get_magic_quotes_gpc())
> {
> $data = stripslashes($data);
> }
>
> // escape
> $data = mysql_real_escape_string($data);
>
> echo $data;
> /////////////////////////////////////////////////////////////////////////// /
>
>
> You will see that the data has become 'Hhi', the '\' has been stripped,
> and the data is no longer saved as expected.
>
> If I turn magic_quotes_gpc=off this is a moot point.
> But I was wondering how you could get it to work with magic_quotes_gpc=On
>
> Any suggestions? comments?

If $data really comes from GET/POST/COOKIE and the original value is
«H\hi», you should have «H\\hi».

Inspect its value with var_dump() and make sure it's actually coming
from $_GET, $_POST or $_COOKIE.

Also, have a look at the register_globals directive. If you rely on it,
you can never be sure of where your variable comes from.


--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://borrame.com
-- Mi web de humor satinado: http://www.demogracia.com
--
Re: magic_quotes_gpc() on or off? [message #173875 is a reply to message #173872] Wed, 11 May 2011 11:49 Go to previous messageGo to next message
Simon is currently offline  Simon
Messages: 29
Registered: February 2011
Karma: 0
Junior Member
On 5/11/2011 12:38 PM, Jerry Stuckle wrote:

>>
>> // get a proper MySQL connection for mysql_real_escape_string() to work.
>> ...
>> //
>> //
>> $data = 'H\hi'; // a random string that I want to save 'as is' in the
>> db. Note the 'escaped' character.
>>
>
> First of all, '\h' is not a valid escape character. If you actually want
> a backslash there, you need to use '\\h'. Using invalid character
> combinations leads to unpredictable results.

I never said I wanted to save \h as an escape character.
I want to save the string 'H\hi' as is, (as used in the date() function
for example).

>
>> //
>> // now try and save it to the db
>> //
>> // Stripslashes if need be
>> if (get_magic_quotes_gpc())
>> {
>> $data = stripslashes($data);
>> }
>>
>
> Why are you stripping slashes BEFORE storing the data?
> magic_quotes_gpc() affects data RETRIEVED from the database.


As per my original post, this is what the doc suggests.

http://php.net/manual/en/function.mysql-real-escape-string.php

"If magic_quotes_gpc is enabled, first apply stripslashes() to the data.
Using this function on data which has already been escaped will escape
the data twice."

>
>> // escape
>> $data = mysql_real_escape_string($data);
>>
>> echo $data;
>> /////////////////////////////////////////////////////////////////////////// /
>>
>>
>>
>> You will see that the data has become 'Hhi', the '\' has been stripped,
>> and the data is no longer saved as expected.
>>
>
> As I would expect, as indicated above.

As indicated in my previous post this is what the doc says.
Unless I misunderstood the doc.

>>
>
> I never run with magic_quotes_gpc() on, and won't recommend a host who
> runs with it on. If they don't know enough to turn off something which
> has been deprecated for years, I'm not sure what else they are clueless
> about.

That's beside the point, but I agree.

Thanks

Simon
Re: magic_quotes_gpc() on or off? [message #173876 is a reply to message #173874] Wed, 11 May 2011 11:53 Go to previous messageGo to next message
Simon is currently offline  Simon
Messages: 29
Registered: February 2011
Karma: 0
Junior Member
>
> If $data really comes from GET/POST/COOKIE and the original value is
> «H\hi», you should have «H\\hi».

So you saying that stripslashes(...) should be called on GET/POST/COOKIE
rather than on any data?

This certainly makes more sense to me, but the doc is not entirely clear
about that, or I am just not reading it properly.

>
> Inspect its value with var_dump() and make sure it's actually coming
> from $_GET, $_POST or $_COOKIE.
>
> Also, have a look at the register_globals directive. If you rely on it,
> you can never be sure of where your variable comes from.
>
>

Will do, thanks

Simon
Re: magic_quotes_gpc() on or off? [message #173884 is a reply to message #173876] Wed, 11 May 2011 14:13 Go to previous messageGo to next message
alvaro.NOSPAMTHANX is currently offline  alvaro.NOSPAMTHANX
Messages: 277
Registered: September 2010
Karma: 0
Senior Member
El 11/05/2011 13:53, Simon escribió/wrote:
>> If $data really comes from GET/POST/COOKIE and the original value is
>> «H\hi», you should have «H\\hi».
>
> So you saying that stripslashes(...) should be called on GET/POST/COOKIE
> rather than on any data?
>
> This certainly makes more sense to me, but the doc is not entirely clear
> about that, or I am just not reading it properly.

Well, yes, of course, that's what the "_gpc" suffix stands for:

«Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When
magic_quotes are on, all ' (single-quote), " (double quote), \
(backslash) and NUL's are escaped with a backslash automatically.»

http://es.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc

It was already bad enough that way :)

>> Inspect its value with var_dump() and make sure it's actually coming
>> from $_GET, $_POST or $_COOKIE.
>>
>> Also, have a look at the register_globals directive. If you rely on it,
>> you can never be sure of where your variable comes from.
>>
>>
>
> Will do, thanks


--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://borrame.com
-- Mi web de humor satinado: http://www.demogracia.com
--
Re: magic_quotes_gpc() on or off? [message #173885 is a reply to message #173884] Wed, 11 May 2011 14:15 Go to previous messageGo to next message
Simon is currently offline  Simon
Messages: 29
Registered: February 2011
Karma: 0
Junior Member
>
> Well, yes, of course, that's what the "_gpc" suffix stands for:
>
> «Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When
> magic_quotes are on, all ' (single-quote), " (double quote), \
> (backslash) and NUL's are escaped with a backslash automatically.»

LOL, I never even thought of that.

It all makes sense now, thanks.

Simon
Re: magic_quotes_gpc() on or off? [message #173888 is a reply to message #173875] Wed, 11 May 2011 15:29 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 5/11/2011 7:49 AM, Simon wrote:
> On 5/11/2011 12:38 PM, Jerry Stuckle wrote:
>
>>>
>>> // get a proper MySQL connection for mysql_real_escape_string() to work.
>>> ...
>>> //
>>> //
>>> $data = 'H\hi'; // a random string that I want to save 'as is' in the
>>> db. Note the 'escaped' character.
>>>
>>
>> First of all, '\h' is not a valid escape character. If you actually want
>> a backslash there, you need to use '\\h'. Using invalid character
>> combinations leads to unpredictable results.
>
> I never said I wanted to save \h as an escape character.
> I want to save the string 'H\hi' as is, (as used in the date() function
> for example).
>

Then you must use 'h\\hi'. Backslash is an escape character.

>>
>>> //
>>> // now try and save it to the db
>>> //
>>> // Stripslashes if need be
>>> if (get_magic_quotes_gpc())
>>> {
>>> $data = stripslashes($data);
>>> }
>>>
>>
>> Why are you stripping slashes BEFORE storing the data?
>> magic_quotes_gpc() affects data RETRIEVED from the database.
>
>
> As per my original post, this is what the doc suggests.
>
> http://php.net/manual/en/function.mysql-real-escape-string.php
>
> "If magic_quotes_gpc is enabled, first apply stripslashes() to the data.
> Using this function on data which has already been escaped will escape
> the data twice."
>

If the data has previously been escaped, yes. In your case, it has not.

>>
>>> // escape
>>> $data = mysql_real_escape_string($data);
>>>
>>> echo $data;
>>> /////////////////////////////////////////////////////////////////////////// /
>>>
>>>
>>>
>>>
>>> You will see that the data has become 'Hhi', the '\' has been stripped,
>>> and the data is no longer saved as expected.
>>>
>>
>> As I would expect, as indicated above.
>
> As indicated in my previous post this is what the doc says.
> Unless I misunderstood the doc.
>

You are misunderstanding the doc.

>>>
>>
>> I never run with magic_quotes_gpc() on, and won't recommend a host who
>> runs with it on. If they don't know enough to turn off something which
>> has been deprecated for years, I'm not sure what else they are clueless
>> about.
>
> That's beside the point, but I agree.
>
> Thanks
>
> Simon

Actually, it is a major point.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: magic_quotes_gpc() on or off? [message #173939 is a reply to message #173888] Fri, 13 May 2011 19:25 Go to previous messageGo to next message
Michael Fesser is currently offline  Michael Fesser
Messages: 215
Registered: September 2010
Karma: 0
Senior Member
.oO(Jerry Stuckle)

> On 5/11/2011 7:49 AM, Simon wrote:
>>>
>>> Why are you stripping slashes BEFORE storing the data?
>>> magic_quotes_gpc() affects data RETRIEVED from the database.
>>
>> As per my original post, this is what the doc suggests.
>>
>> http://php.net/manual/en/function.mysql-real-escape-string.php
>>
>> "If magic_quotes_gpc is enabled, first apply stripslashes() to the data.
>> Using this function on data which has already been escaped will escape
>> the data twice."
>
> If the data has previously been escaped, yes. In your case, it has not.

If magic quotes are enabled, then PHP will automatically escape his
incoming data. So calling stripslashes() on it before doing anything
else is the correct way to ensure you're working with the raw data.
After that you can apply the proper escaping as necessary.

Micha
Re: magic_quotes_gpc() on or off? [message #173944 is a reply to message #173939] Fri, 13 May 2011 22:44 Go to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 5/13/2011 3:25 PM, Michael Fesser wrote:
> .oO(Jerry Stuckle)
>
>> On 5/11/2011 7:49 AM, Simon wrote:
>>>>
>>>> Why are you stripping slashes BEFORE storing the data?
>>>> magic_quotes_gpc() affects data RETRIEVED from the database.
>>>
>>> As per my original post, this is what the doc suggests.
>>>
>>> http://php.net/manual/en/function.mysql-real-escape-string.php
>>>
>>> "If magic_quotes_gpc is enabled, first apply stripslashes() to the data.
>>> Using this function on data which has already been escaped will escape
>>> the data twice."
>>
>> If the data has previously been escaped, yes. In your case, it has not.
>
> If magic quotes are enabled, then PHP will automatically escape his
> incoming data. So calling stripslashes() on it before doing anything
> else is the correct way to ensure you're working with the raw data.
> After that you can apply the proper escaping as necessary.
>
> Micha

True - IF the data is incoming. But there was no indication it was - in
fact, there was every indication it was not, because a properly escaped
PHP string will never contain something like 'H\hi'. '\h' is an invalid
character sequence.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: Re: A question about refresh
Next Topic: Program to Submit to forms
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Mon Nov 25 02:15:22 GMT 2024

Total time taken to generate the page: 0.02339 seconds