Search

Friends

Atomspheric CO2 (PPM)

Archives

Blather

Uptime verified by Wormly.com

5 August 2008

Magic quotes and addslashes

I think I may have found a slightly nicer (and safer) solution than I've previously found to the problem of the PHP's magic_quotes_gpc. When you're converting old applications you don't want to just replace all the addslashes() with a conditional escaping method. Or just unquote all your form input on the assumption that the programmer was sensible. Your input won't necessarily come from forms or cookies, so that might reduce your security. You still want to escape everything that goes into the function, but maybe you want run stripslashes() on it first if you think it's probably GPC data and magic quoting is turned on.

<?php
function gpc_escape($str) {
    if(1 == get_magic_quotes_gpc()) {
        return mysql_escape_string(stripslashes($str));
    }
    else {
        return mysql_escape_string($str);
    }
}
?>

Then you can do something like:

$ find . -name *.php | xargs perl -pi -e 's/addslashes/gpc_escape/g'
  • 3:27pm
  •  
  • PHP

Comments

No comments yet.

Leave a comment

Markdown

0.112 seconds