Magic_quotes frustration

La_Parka

Magic_quotes_gpc is active on my server, and I do not apply any addslashes or stripslashes functions to my gpc data.

When a user submits my login form, the following is run:

$sessionHash = session_id();
$username = $_POST['username'];
$password = $_POST['password'];


$s_credentials = "SELECT userID FROM user WHERE username=' ".$username." ' AND password=' ".$password." ' ";
$q_credentials = @mysql_query($s_credentials);
$r_credentials = @mysql_fetch_array($q_credentials);


if (mysql_num_rows($q_credentials)=="1")
{

// Use the user's ID# to get info for the session
$s_getuserinfo = "SELECT username FROM user WHERE u.userID=' ".$r_credentials['userID']." ' ";
$q_getuserinfo = @mysql_query($s_getuserinfo);
$r_getuserinfo = @mysql_fetch_array($q_getuserinfo);

// Update the current session
$s_updatesession = "UPDATE session SET userID=' ".$r_credentials['userID']." ', username=' ".$r_getuserinfo['username']." ' WHERE sessionHash=' ".$sessionHash." ' ";
$q_updatesession = @mysql_query($s_updatesession);

echo "You are now logged in, $username.";

}
else
{

echo "You have entered an invalid login.";

}

Under normal circumstances, this works fine, and the user's session record is updated appropriately in the DB.

This doesn't work out so well when the user has an apostrophe in their username. When this is the case, the "You are logged in" message will display, and a slash is inserted before each apostrophe of their name.

For example, the username is World's Greatest O'Reilly. Here is the output:

You are now logged in, World\\'s Greatest O\\'Reilly.

Along with this oddity, the user's session table in the DB goes untouched. Does this sound like an issue with magic_quotes being turned on, or could something else be the problem?

Weedpacket

Originally posted by La Parka
I do not apply stripslashes functions to my gpc data.

Maybe you should, then.

La_Parka

Originally posted by Weedpacket
Maybe you should, then.

Doing so causes mysql_num_rows to fail (Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource.)

I've tried revising the code in several ways to fix this, but whenever stripslashes is applied to the POST variables, this error occurs.

planetsim

Perhaps this function maybe of some use

/* Check if the get_magic_quotes_gpc() is on we need to remove slashes */
if (get_magic_quotes_gpc())
{
	function remove_slashes($arr)
	{
		if (is_array($arr))
		{
			foreach($arr AS $_arrykey => $_arryval)
			{
				if (is_string($_arryval))
					$arr["$_arrykey"] = stripslashes($_arryval);
				else if (is_array($_arryval))
					$arr["$_arrykey"] = remove_slashes($_arryval);
			}
		}
		return $arr;
	}

$_GET = remove_slashes($_GET);
$_POST = remove_slashes($_POST);
$_COOKIE = remove_slashes($_COOKIE);
$_FILES = remove_slashes($_FILES);
$_REQUEST = array_merge($_GET, $_POST, $_COOKIE);
}

Then from there you really need to use addslashes() as well as other checks.

La_Parka

I think I've found the problem, but I'm still looking for the solution.

Let's say that the user submits the username of "Use'r." Once the form is submitted, it becomes "Use\'r." After stripslashes(), it is then "Use'r," but this causes the first query to fail at WHERE username=' ".$username." ' because of the presence of 3 single quotes.

Should I be executing stripslashes at the very beginning of the code in the first post, or at a later point?

ETA: Is the right-hand portion of the above WHERE statement truncated properly?

Drakla

IF a string already has slashes added, which your POST/GET/SERVER values might have already (you can check with get_magic_quotes_gpc()) Then they're ready to go straight into database queries. Inserts, selects, updates... anything. BUT if you then want to use that data other ways then you should stripslash it first.

If the data coming in from forms ISN'T slashed then use addslashes or mysql_escape_string BEFORE using them in queries.

NO you don't use stripslashes then when bringing data back from the database, it's already gone.

planetsim

Originally posted by La Parka
I think I've found the problem, but I'm still looking for the solution.

Let's say that the user submits the username of "Use'r." Once the form is submitted, it becomes "Use\'r." After stripslashes(), it is then "Use'r," but this causes the first query to fail at WHERE username=' ".$username." ' because of the presence of 3 single quotes.

Should I be executing stripslashes at the very beginning of the code in the first post, or at a later point?

ETA: Is the right-hand portion of the above WHERE statement truncated properly?

Well if thats the example firstly the code I supplied should be used in a common/global file that will be available to all php files. The function will basically get you to a level playing surface, instead of say the string looking like this

user\'s

its back to

user's

, so you can see the function allows for portability.

Now that its back to normal (as if magic_quotes_gpc was Off) we only need to use addslashes or the mysql_escape_string function which ever you pick. Now this will only stop SQL Injections with using the quotations which is Ok, however there is still more to check.