addslashes(); and magic_quotes_gpc

guanche

On my server magic_quotes_gpc are on.

Php manuals say that I don't need to use addslashes(); if magic_quotes_gpc are on:

The PHP directive magic_quotes_gpc is on by default, and it essentially runs addslashes() on all GET, POST, and COOKIE data. Do not use addslashes() on strings that have already been escaped with magic_quotes_gpc as you'll then do double escaping.

However, if I don't use addslashes(); all teksts in my DB looks like this:

"text", 'text'

and not like this:

\"text\", \'text\'

Is this normal?

guanche

Hmm, I just discovered that function addslashes(); for some reason doesn't work.

guanche

Can somebody explain how is it possible that addslashes works, but text is submitted to the database as it is?

$descr = "This is 'my' test";
$descr = addslashes($descr);

echo $descr; // This \'is\' my test

$apd = mysql_query("UPDATE profiles SET ptext='$descr' WHERE id='$id'");

echo $descr; // This \'is\' my test

Everything correct so far. Now I check my database and see that it contains:

This is 'my' test

instead of

This \'is\' my test

Does it mean that MySQL in some way strips slashes itself?

djjjozsi

you should not replace the mysql_real_escape_string with addslashes to avoid SQL injection.
if this server config is ON, you need to see slashes before the qoutes. If not, you can test with a simple form and $_POST. If you use addslashes on an escaped value, you then need to see double escaped characters.

if magic qoutes is on, use

mysql_real_escape_string(stripslashes($input));

on your user inputs.

When you build a query string to the database, \' and \" converted into ' and " when this value inserted into the table, so you will see normal ' and " signs when you query down the data.

guanche

djjjozsi, thank you very much for your reply.

I replaced addslashes with mysql_real_escape_string as you suggested.

I tried mysql_real_escape_string before, but happened the same as with addslashes - when I checked the table using PHPMyAdmin, I saw normal 'and " signe instead of \' and \". I didn't know that it's normal.

djjjozsi

Your welcome 🙂

bradgrafelman

guanche wrote:
when I checked the table using PHPMyAdmin, I saw normal 'and " signe instead of \' and \". I didn't know that it's normal

Why wouldn't that be normal? If I entered my name as Bill O'Reilly in a form, would you rather it greet me as Bill O\'Reilly?

Also, as for magic_quotes_gpc, here's a quick rundown of some things you should know:

Never use it, and never rely on it. It's a setting that can be changed from one server to the next (or even on the same server after an upgrade).
It's not useful. Automatically (or "magically") having all incoming data be escaped is far from useful - it's destructive. You destroy data integrity in that you can't easily access the actual data without using some sort of transforming function (e.g. stripslashes()).
It doesn't do what you think it does. It is NOT to be used for preparing incoming data for use in SQL queries - that's what the SQL-specific escape functions (e.g. [man]mysql_real_escape_string/man) are for. Note that [man]addslashes/man and the aforementioned SQL escape function are not identical - they don't perform the same operations!
It's been deprecated for some time now. In fact, as of PHP5 it was disabled by default (perhaps even before - can't remember), and as of PHP6 it's not even an option at all.

Also, don't forget to mark this thread resolved (if it is) using the link under Thread Tools.