[RESOLVED] magic_quotes_gpc quick question

everythingis

I just checked my php.ini file and ot shows that: magic_quotes_gpc = ON.

When I turn it off, should I add any additional script beyond using mysql_real_escape_string() when I enter information into my database?

Also, will there be anything additionally needed when retrieving the information from the database? Should I reuse mysql_real_escape_string(), or is it not needed?

halojoy

when magic_quotes_gpc is OFF
it should be enough .....
doing mysql_real_escape_string() before put data into MySQL
and
you need not do anything with data when take it out from MySQL
-- this is how I know it

bradgrafelman

everythingis wrote:
When I turn it off, should I add any additional script beyond using mysql_real_escape_string() when I enter information into my database?

As far as SQL injection attacks are concerned? No, I shouldn't think so. Note, however, that [man]mysql_real_escape_string/man should only be used to sanitize string data (hence the "_string" suffix on the function name itself) - not numeric (et al.) data.

everythingis wrote:
Also, will there be anything additionally needed when retrieving the information from the database? Should I reuse mysql_real_escape_string(), or is it not needed?

You should try to understand the purpose of that function; if you do, then you'll be able to answer your own question.

[man]mysql_real_escape_string/man prepends a handful of characters (listed in the manual) with a backslash so that they don't take on any special meaning in a SQL query (e.g. a single quote, which is used to delimit strings in SQL queries). It's just like PHP syntax; if you have a double quote delimited string, and you want a literal double quote to appear in it, what do you do? -- Prepend it with a backslash so that the double quote doesn't take on any special meaning (e.g. end the string and cause parse errors).

Now, note that I'm only speaking about sanitizing data for SQL queries. Others might suggest that you use [man]strip_tags/man or [man]htmlentities/man depending upon where the data is going and what you do or don't want to allow. This is where finding an article about XSS (Cross-Site Scripting) attacks and HTML/Javascript/etc. injection comes into play.

For example, if you were displaying messages in a guestbook, would you want to simply spit out data as it was entered by users? What if I entered something like "Hi there! <script type="text/javascript">document.write('H4ck3d by bradgrafelman! PWNT!');</script>" ?

everythingis

I've been reading up on the mysql_real_escape_string on php.net and some other places & someone had recommended to me that I also use it when displaying the database info, so I got a little confused & I'll take that out of my scripts.

I was also using strip_tags() before, and I was told to take them out of my script, so now I'm really getting confused. Looks like I'll need to add that back in.

And...I was completely unaware of htmlentities() & it seems like something I'm going to need to add also.

So, just to be absolutely clear, for example, when a user enters data on any form, I should scrub all my variables as such before entering into my database:

if (issett($_POST['formname'] {

$value1 = $_POST['value1'];
$value2 = $_POST['value2'];
$value3 = $_POST['value3'];


$value1 = strip_tags($value1);
$value1 = htmlentities ($value1);
$value1 = mysql_real_escape_string($value1);

$value2 = strip_tags($value2);
$value2= htmlentities ($value2);
$value2= mysql_real_escape_string($value2);

$value3 = strip_tags($value3 );
$value3 = htmlentities ($value3 );
$value3 = mysql_real_escape_string($value3 );
}

If I'm wrong, don't beat me up too bad. Just trying to make sure that my site is at least minimally protected & that everything formats correctly once I display it on the website.

I don't want members to be able to use HTML in the forums/guestbook/forms, etc., but I do want to be able to display the return carriages if they enter information as paragraphs.

bradgrafelman

everythingis wrote:
I've been reading up on the mysql_real_escape_string on php.net and some other places & someone had recommended to me that I also use it when displaying the database info

Sounds like this "someone" doesn't really understand data sanitization either.

everythingis wrote:
I was also using strip_tags() before, and I was told to take them out of my script, so now I'm really getting confused.

everythingis wrote:
And...I was completely unaware of htmlentities() & it seems like something I'm going to need to add also.

Again, the use of either (or both, I suppose?) depends on the nature of the data and where/how you're using it. There's no single sentence (that I can think of, anyway) that sums up all of the cases where you'd want to use one or the other (or neither, or both...).

everythingis wrote:
So, just to be absolutely clear, for example, when a user enters data on any form, I should scrub all my variables as such before entering into my database

In my opinion, no, because you destroy data integrity. I prefer to insert user-supplied data as-is so that I always have the original data. If I'm displaying it on an HTML page, however, and I don't want them to be able to inject any HTML code, I'll use something like [man]htmlentities/man after retrieving the data from the database.

everythingis wrote:
I don't want members to be able to use HTML in the forums/guestbook/forms, etc.

In that case, I'd recommend either of the two functions discussed above. I personally use htmlentites() instead because I don't mind if they try to use HTML (or other sequences of characters that might look like HTML, e.g. "<g>" for expressing a grin). Others feel differently. Again, it's at the discretion of the developer to decide which route they want to go.

everythingis wrote:
I do want to be able to display the return carriages if they enter information as paragraphs.

Assuming you're not talking about inserting the data into a textarea element or something of that nature, then you'd simply need to use something like [man]nl2br/man when retrieving data from the database so that line breaks are replaced with <br> HTML entities.

everythingis

Thanks for the help.

From what you're saying it makes more sense in my application to just use the htmlentities (), and then use nl2br() for formatting breaks & paragraphs after I've retrieved the content from the database.

I've been trying to learn from the php.net manual, but unfortunately, (either because I'm not a programmer or I don't have the best vocabulary for this), the terms in which they define everything seems foreign to me & not very clear.

laserlight

everythingis wrote:
From what you're saying it makes more sense in my application to just use the htmlentities (), and then use nl2br() for formatting breaks & paragraphs after I've retrieved the content from the database.

It depends on what exactly you want to do, but yes, that is reasonable. You also might want to read the PHP manual on PHP and HTML.