mysqli_real_escape_string and get_magic_quotes_gpc()

whisher06

Hi.
I'm wondering whether with mysqli_real_escape_string I've to
check the get_magic_quotes_gpc() value .
I mean a think like this:

function quote_smart($value)
{
   // Stripslashes
   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }
   // Quote if not a number or a numeric string
   if (!is_numeric($value)) {
       $value = "'" . mysql_real_escape_string($value) . "'";
   }
   return $value;
}

Bye.

MarkR

Magic quotes are a bug, therefore I recommend

if (ini_get('magic_quotes_gpc')) {
 throw new Exception("Magic quotes are a bug and should never be enabled");
}

At the top of every page (or rather, in a common include file, say where you connect to the db)

Mark

markg85

could you explain why you think it`s a bug? i would like to know.

ahundiak

markg85 wrote:
could you explain why you think it`s a bug? i would like to know.

This explains the pitfalls of majic-quotes
http://www.webmasterstop.com/63.html

However, contrary to what the site suggests, one should use mysqli_real_escape_string instead of addslashes. Better yet, use prepared statements and the problem goes away completely.

MarkR

The page ahundiak refers to explains it quite nicely.

Quite simply:
- magic_quotes escapes data incorrectly in most cases (It ONLY handles a poor subset of cases where you need escape it in a database, not ANY other escaping scenario)
- magic_quotes escapes data even if they didn't need escaping
- magic_quotes escapes data at the wrong time

Mark

Weedpacket

It's going away in PHP 6 as well, so if you put it in you'll have to take it out again fairly soon, anyway.

whisher06

Thanks so much buddies.
To sum it up:
I've to use a .htaccess file
in my web root.

<IfModule mod_php4.c>
php_flag magic_quotes_gpc off
</IfModule>

php_flag magic_quotes_gpc off

By the way is the syntax right ?
and for PHP5 ?

In my script I can simple use
$mysqli->real_escape_string.

Have I got it right ?

Bye.

ahundiak

You don't really need the IfModule as long as you know php is loaded.
And turn register_globals off as well while you are at it.

whisher06

Better yet, use prepared statements and the problem goes away completely.

Could you give me an example ?
Thanks in advance 😉
Bye.

ahundiak

http://www.php.net/manual/en/ref.pdo.php

Scroll down and look at the section on Prepared Statements

whisher06

😃
Thanks.
Take care.