|
| Home | Accessibility | Courses | Diary | The Mouth | Forum | Resources | Site Map | About Us | Contact |
PHP Magic Quotes
Do you want to read a string from a form and save it into a database? "Easy" you might say ... and indeed it is ... but if you just take the exact characters that were entered into the form and embed them in your SQL, you're laying yourself open to an injection attack. That's where a user enters a string that includes quotes, which are used as delimiters by SQL commands.
Early / more advanced / sophisticated users of PHP know of this risk and use the addslashes function before they place user inputs into SQL strings. But with huge growing popularity and use by beginners and more casual programmers, there was too much risk of PHP getting itself a bad name for insecure systems. So "Magic Quotes" were introduced. With Magic Quotes, the input arrays $_GET, $_POST, $_COOKIE and $_REQUEST are all encoded with extra \ characters in front of any user entered quote character ...thus making the input directly and safely transferreable into an SQL table - but at the expense of it appearing on the screen if the programmer prints it back out. See the example picture provided ....
For the sake of compatability with existing code (and to appease the people who were quite happy to carefully add slashes all around), Magic Quotes were added to the list of configurable options in PHP and to this day it's probably one of the first things that I look at when I'm using a new host. Personally, I don't care which way it is set but I regret the incompatability it can cause as an application is moved between servers.
Want to make your application portable? You can - since you can check the setting of the magic_quotes_gpc variable from your script, and if it is set, use stripslashes to regularise your input. We've a demo showing how you can do this on a single input field ** Link ** and there's a further discussion and more examples at the PHP manual site ** Link **
(written 2005-08-22 19:57:29)
Caching an XML feed
How not to run a forum
A Victorian Lady
PHP Magic Quotes
Don't repeat code - use loops or functions
Towards Tebay
Most popular courses
Difference between import and from in Python
Telephone Preference Service - we're registered
This is a page archived from The Horse's Mouth at http://www.wellho.net/horse/ - the diary and writings of Graham Ellis. Every attempt was made to provide current information at the time the page was written, but things do move forward in our business - new software releases, price changes, new techniques. Please check back via our main site for current courses, prices, versions, etc - any mention of a price in "The Horse's Mouth" cannot be taken as an offer to supply at that price.
Link to Ezine home page (for reading).
Link to Blogging home page (to add comments).
Early / more advanced / sophisticated users of PHP know of this risk and use the addslashes function before they place user inputs into SQL strings. But with huge growing popularity and use by beginners and more casual programmers, there was too much risk of PHP getting itself a bad name for insecure systems. So "Magic Quotes" were introduced. With Magic Quotes, the input arrays $_GET, $_POST, $_COOKIE and $_REQUEST are all encoded with extra \ characters in front of any user entered quote character ...thus making the input directly and safely transferreable into an SQL table - but at the expense of it appearing on the screen if the programmer prints it back out. See the example picture provided ....For the sake of compatability with existing code (and to appease the people who were quite happy to carefully add slashes all around), Magic Quotes were added to the list of configurable options in PHP and to this day it's probably one of the first things that I look at when I'm using a new host. Personally, I don't care which way it is set but I regret the incompatability it can cause as an application is moved between servers.
Want to make your application portable? You can - since you can check the setting of the magic_quotes_gpc variable from your script, and if it is set, use stripslashes to regularise your input. We've a demo showing how you can do this on a single input field ** Link ** and there's a further discussion and more examples at the PHP manual site ** Link **
(written 2005-08-22 19:57:29)
Associated topics are indexed under
H107 - String Handling in PHP| Back to Don't repeat code - use loops or functions |
Previous and next or Horse's mouth home |
Forward to A Victorian Lady |
Some other Articles
Robust checking of data entered by usersCaching an XML feed
How not to run a forum
A Victorian Lady
PHP Magic Quotes
Don't repeat code - use loops or functions
Towards Tebay
Most popular courses
Difference between import and from in Python
Telephone Preference Service - we're registered
1636 posts, page by page
Link to page ... 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33 at 50 posts per pageThis is a page archived from The Horse's Mouth at http://www.wellho.net/horse/ - the diary and writings of Graham Ellis. Every attempt was made to provide current information at the time the page was written, but things do move forward in our business - new software releases, price changes, new techniques. Please check back via our main site for current courses, prices, versions, etc - any mention of a price in "The Horse's Mouth" cannot be taken as an offer to supply at that price.
Link to Ezine home page (for reading).
Link to Blogging home page (to add comments).
PH: 01144 1225 708225 • FAX: 01144 1225 707126 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho