My server admin recently upgraded to PHP 5.3 and I’m getting a weird “bug” (or feature, as the PHP folks have it). I had mysql_real_escape_string around most of my string form data for obvious safety reasons, but now it seems this escaping is already done by PHP.
<?php echo $_GET["escaped"]; ?>
<form method="get">
    <input type="text" name="escaped" />
</form>
This outputs, if I enter for instance escape 'this test', escape \'this test\'. Same goes if I use POST instead of
Is it directly tied to the 5.3 upgrade or could my admin have triggered some automatic switch in the php.ini file?
Also, should I just leave it as is (in the event that it is indeed a good fail-proof mechanism that correctly catches all GET and POST variables), or should I disable it (if that’s even possible!) and go back to mysql_real_escape_string? My gut tells me approach 2 would be best, but approach 1 would be somewhat automagical. 🙂
EDIT: Actually, I need to disable it. Sometimes I gather the form data and resend it to the client form in case something was wrong (i.e. missing field), so I don’t want him/her to have slashes appearing out of nowhere.
Answers:
This “feature” is known as magic_quotes_gpc and does not protect you from all SQL injection attacks (addslashes is called on every element of the input superglobals such as $_GET; this ignores the actual input/database encoding). It is therefore deprecated and should not be used.
The official php manual includes a neat way to undo it in php code, but you should just turn it off.
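As an added example (not code from the question or from any of the answers): undoing magic quotes once at the start of the request, in the spirit of the manual's approach, and then escaping at each output sink instead. The database credentials, table name and the hypothetical helper name strip_magic_quotes are assumptions for the example.

```php
<?php
// Added example: neutralise magic_quotes_gpc at request start, then escape
// per sink. Turning the option off in php.ini is still the right fix; this is
// the fallback for hosts where you cannot change the configuration.

// Recursively remove the slashes that magic_quotes_gpc added to a value
// (nested arrays such as name="field[]" are handled too).
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// get_magic_quotes_gpc() returns false when the option is off and does not
// exist at all in PHP 8, so this block is a no-op on a sane server.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

$input = isset($_GET['escaped']) ? $_GET['escaped'] : '';

// Sink 1: HTML. Re-displaying the value in the form (the asker's use case)
// now shows exactly what the user typed, with no stray backslashes, and the
// value cannot break out of the attribute.
printf('<input type="text" name="escaped" value="%s" />',
       htmlspecialchars($input, ENT_QUOTES, 'UTF-8'));

// Sink 2: SQL. Connection details are placeholders for the example.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

// Direct replacement for mysql_real_escape_string: escaping that knows the
// connection charset, which is what magic quotes ignored.
$escaped = $db->real_escape_string($input);

// Better still: bind the value so it is never interpolated into SQL text.
$stmt = $db->prepare('SELECT id FROM items WHERE name = ?');
$stmt->bind_param('s', $input);
$stmt->execute();
```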
This is due to magic quotes, you should turn it off.
And here is how you turn it off: http://www.php.net/manual/en/security.magicquotes.disabling.php
You do it either via php.ini or by removing slashes from all variables in $_POST; obviously the former is the recommended way to go.
As Will Martin suggests you can also change it via a .htaccess like this:
php_flag magic_quotes_gpc off
More info here: http://php.net/manual/en/configuration.changes.php
Check the http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc option in php.ini.
It sounds like your server has magic quotes turned on – you can take a look at http://www.php.net/manual/en/security.magicquotes.disabling.php for a thorough discussion of ways to disable them.