User Submitted Data
most of the user contributed code related to stripping magic quotes posted could open vulnerabilities in your scripts as mentioned with a better sollution at:
http://talks.php.net/show/php-best-practices/26
it supprises me that this link has not been previously referenced.
Chapter 31. Magic Quotes
Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.
What are Magic Quotes
When on, all ' (single-quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes() does.
There are three magic quote directives:
Affects HTTP Request data (GET, POST, and COOKIE). Cannot be set at runtime, and defaults to on in PHP.
See also get_magic_quotes_gpc().
If enabled, most functions that return data from an external source, including databases and text files, will have quotes escaped with a backslash. Can be set at runtime, and defaults to off in PHP.
See also set_magic_quotes_runtime() and get_magic_quotes_runtime().
If enabled, a single-quote is escaped with a single-quote instead of a backslash. If on, it completely overrides magic_quotes_gpc. Having both directives enabled means only single quotes are escaped as ''. Double quotes, backslashes and NULL's will remain untouched and unescaped.
See also ini_get() for retrieving its value.
add a note
User Contributed NotesMagic Quotes
php at danielknell dot co dot uk
29-Oct-2007 09:03
29-Oct-2007 09:03
Shaun
22-Oct-2007 05:49
22-Oct-2007 05:49
In my tests with $_FILE, I found that file uploading didn't work when it was included in the function (Confirmed on Windows, not Apache.)
The problem caused is: It removes the trailing / from what I have the tmp directory defined as.
So: When PHP tries to move a tmp file using move_uploaded_file, it's trying to move tmpxxxx.tmp
Whereas it should be trying to move: tmp/xxxx.tmp
In conclusion:
I found it easiest just to leave the $_FILES array alone.
$_FILES works differently than $_POST anyway. It outputs an error if the file is invalid, so I'm not sure how someone could inject bad code into the field.
If anyone else can check this problem on a Linux/Unix server, that would be great.
judas dot iscariote at gmail dot com
08-Mar-2006 02:33
08-Mar-2006 02:33
Just for the record. this feature has been removed as of PHP6.
now PHP works always like if magic_quotes_gpc Off.
get_magic_quotes_gpc, get_magic_quotes_runtime are kept but always return false, set_magic_quotes_runtime raises an E_CORE_ERROR.
this is great news, magic_quotes were a big annoyance.
27-Feb-2006 06:11
Using the .htaccess file may not always be possible for instance if you are running php on a windows IIS server.
Also the code by jfrim at idirect dot com doesn't actually fix the problem as it is stripping slashes, what you need to do is addslashes to things coming in.
the code by jfrim at idirect dot com is the right idea though although rather than saying stripslashes, you simply need to say addslashes and it should work.
edward at example dot com
07-Feb-2006 07:55
07-Feb-2006 07:55
All the code listed on this page is not necessary if you use the php_flag directive in a .htaccess file. This allows you to disable magic quotes completely, without the need to adjust your php.ini file or (re)process the user's input.
Just take a look at http://www.php.net/manual/en/security.magicquotes.php#55935
Gist of his note: in the .htaccess file, add a line
php_flag magic_quotes_gpc off
That's it. Thank you very much, richard dot spindler :) !
06-Dec-2005 09:09
You should try to avoid magic_quotes in all its flavors, use add_slashes() and strip_slashes() instead with user input and you will save time and avoid common problems that come along.
You should know also that if your server has php suexec enabled you won't be able use php_flag in .htaccess file to change php values like magic_quotes or register_globals. In this case you might wanna try creating a php.ini file on the same directory as your script and add something like this:
magic_quotes_runtime=off
magic_quotes_gpc=off
magic_quotes_sybase=off
register_globals=on ; only as an example
----
Mel
http://www.webhostingjournal.net/
richard dot spindler at gmail dot com
18-Aug-2005 04:59
18-Aug-2005 04:59
to turn of magic quotes put the following line into the .htaccess file:
php_flag magic_quotes_gpc off
16-Jul-2005 10:44
Bright minds will have noticed, that one uses stripslashes() once on the input and saves that content for further processing. Then use addslashes() once before sending the content to the database or flat file.
Hint: if the application is using a MySql database, don't use addslashes() but mysql_real_escape_string().
nitrous at fuckoff dot com
26-Jan-2005 02:01
26-Jan-2005 02:01
This "feature" is the cause of so many escaping problems. It's very important to understand the implications of what magic quotes really do.
Nearly every call, except those being written directly to the database, using user submitted data will require a call to strip_slashes. It gets very ugly very fast.
What should be done is proper escaping of shell parameters and database parameters. PHP provides several escaping functions intended for this purpose. Slashes alone don't cut it anyway.