Greetings... I've been looking around for information on preventing sql injection attacks, and ran into a question... I am using the mysql_real_escape_string() function on a SQL insertion (for when a user submits a comment). The problem is, when I retrieve the data out of the sql database, all of the special characters are still prepended.

I was looking for the "reverse" of mysql_real_escape_string(), and I read somewhere that I can just use strip slashes or string replace. But, then someone else said you should never need a reverse function as all data the comes out of the database should be fine anyways...

I can see how the data would be fine for a select query, but for an insert, it seems to be a different story. What is the best way of going about this??

Thanks in advance for the advice.

    Can you do us a favor before the discussion starts? Do a phpinfo() and tell us the value of magic_quotes_gpc ?

      Thanks for the speedy reply.

      magic_quotes_gpc is on.

        Yes, you will need to disable it (either in php.ini if you can modify that file, or in a .htaccess file in your website's root folder, assuming that PHP was installed as an Apache ISAPI module and not a CGI binary).

        You can also introduce failsafes in your script to effectively reverse the effects of magic_quotes_gpc if it is enabled, something like:

        if(get_magic_quotes_gpc()) {
    $_GET = array_map('stripslashes', $_GET);
    $_POST = array_map('stripslashes', $_POST);
    // etc.
}

        Note that this won't work if you have arrays being parsed (you'd probably need to use [man]array_walk_recursive/man). This is simply a workaround and/or failsafe - the true solution is to disable the deprecated magic_quotes_gpc directive.

          i went ahead and disabled magic_quotes_gpc in my .htaccess file, but I'm a little confused as to what that does, and why that is the solution to my problems.

          Could someone shed a little light on the situation?

            The manual page for this "feature" is: [man]magic_quotes[/man].

            Basically, the magic_quotes feature would prepend a backslash to incoming data automatically. Thus, when you did [man]mysql_real_escape_string/man on already partially escaped data, the backslashes that magic_quotes had inserted were escaped so that they would be inserted into MySQL (which is what [man]mysql_real_escape_string/man is supposed to do). It's the same as running [man]addslashes/man on all incoming data.

            Looking back, coders realize now that escaping data isn't a runtime task. Data should be kept in its original state and ONLY adapted when the need arises, such as when inserting it into a database or displaying it. Not only was its timing off, but magic_quotes doesn't do the same job as [man]mysql_real_escape_string/man does.

            In other words, magic_quotes is simply a 'feature' that's "in the wrong place at the wrong time."

              Many thanks. Topic resolved.

                Write a Reply...