Posted by Erwin Moller on 11/03/05 15:39
Marcus wrote:
Hi Marcus,
> Hello,
>
> My php.ini file currently has magic quotes set to On, but I have read
> that it is better to code with it off.
Why is that?
I think you should decide for yourself what you like the best.
You can always just overrule the ini-settings by:
ini_set("magic_quotes_gpc", "1");
Are you maybe confusing magic_quotes_gpc with magic_quotes_runtime?
>
> Currently with magic quotes on, I only use stripslashes() to properly
> format strings that are displayed on the screen. I know that now with
> magic quotes off, I will have to manually handle escaping special
> characters with mysql_real_escape_string() or addslashes().
Yes.
>
> My question is this... from what I can gather on php.net and some other
> sources, mysql_real_escape_string() is better than addslashes(), so am I
> correct in saying that I don't ever need to use addslashes()?
I am unsure why the former is better, but if you only use the POST/GET data
on MySQL, yes: you do not need to add or strip slashes, you could just use
mysql_real_escape_string().
>
> I know I need to use one of these functions when formatting queries to
> MySQL to prevent SQL injection attacks, but how about when I am just
> dealing with variables in $_POST, $_GET, and $_SESSION?
If you are getting data from POST/GET/COOKIE, you need to look at
magic_quotes_gpc.
If you want data coming from queries to be escaped, use
magic_quotes_runtime.
I don't think the last one is very handy in most situations.
I always turn it off.
> With magic
> quotes on, when I perform a SELECT and a row has a single quote in the
> result, for example, magic quotes will automatically add a \ to the
> value. Is there any security risk or other drawback in not escaping out
> special characters that I am just working with in the code, and then
> formatting everything right before sending to the database?
>
> Thanks a lot in advance.
Well, have a look at BOTH magic_quotes functions, and your confusion will
disappear. :-)
Regards and good luck!
Erwin Moller
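The pattern the reply is pointing at (undo magic_quotes_gpc once on the way in, escape once at the database boundary, leave magic_quotes_runtime off) as an added PHP example; it is not code from either poster. It uses the PHP 4/5-era functions the thread discusses (get_magic_quotes_gpc(), the mysql_* extension), which were removed in PHP 7 where prepared statements take their place. The connection credentials, the `customers` table, and the `name` field are hypothetical.

```php
<?php
// Added example, not from the original thread: normalise request data once,
// escape once at the database boundary. Assumes the PHP 4/5-era magic quotes
// and mysql_* functions discussed in the thread (both removed in PHP 7).

// Undo magic_quotes_gpc recursively so the rest of the code always sees the
// raw submitted values regardless of the php.ini setting.
function strip_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

if (get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Escape exactly once, right before the value goes into SQL, using the
// connection's character set. That charset awareness is what
// mysql_real_escape_string() has and addslashes() lacks.
function sql_quote($link, $value) {
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

$link = mysql_connect('localhost', 'dbuser', 'dbpass'); // hypothetical credentials
mysql_select_db('shop', $link);                          // hypothetical database
mysql_set_charset('utf8', $link);                        // available since PHP 5.2.3

$name = isset($_POST['name']) ? $_POST['name'] : '';
$sql  = "SELECT id, name FROM customers WHERE name = " . sql_quote($link, $name);
$result = mysql_query($sql, $link);

// Rows come back raw because magic_quotes_runtime is off, so no stripslashes()
// is needed for display; the output boundary gets its own (HTML) escaping.
while ($row = mysql_fetch_assoc($result)) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

The point of stripping at the top of the script is that every later line can treat `$_POST` the same way whether magic_quotes_gpc is On or Off, so a value is never escaped twice (which is what produces stray backslashes in stored data) and never escaped zero times.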