
Is it still relevant to use get_magic_quotes_gpc to prevent database attacks? I wanted to strip the extra slashes if magic quotes was enabled.

if (get_magic_quotes_gpc()) {
    // If magic quotes is enabled, strip the extra slashes
    // (closures replace create_function(), which is deprecated since PHP 7.2)
    array_walk_recursive($_GET, function (&$v, $k) { $v = stripslashes($v); });
    array_walk_recursive($_POST, function (&$v, $k) { $v = stripslashes($v); });
}

I looked at the PHP manual and saw that it was deprecated. I am unsure of what alternatives I could use or if there may be a tweak I am unaware of, as I am still new to programming and learning different coding techniques. Any tips would be greatly appreciated.

Octavius
    You should really be using parameterized queries: http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php – Jordan Kaye Oct 05 '12 at 17:54
  • SO should just automate posts regarding use of PDO when it comes to php mysql_ questions. – ficuscr Oct 05 '12 at 17:56

1 Answer


Use this

function mysql_prep($value)
{
    $magic_quotes_active = get_magic_quotes_gpc();
    $new_enough_php = function_exists("mysql_real_escape_string");
    if ($new_enough_php) { 
        // undo any magic quote effects so mysql_real_escape_string can do the work
        if ($magic_quotes_active) {
            $value = stripslashes($value);
        }
        $value = mysql_real_escape_string($value);
    } else { 
        // if magic quotes aren't already on then add slashes manually
        if (!$magic_quotes_active) {
            $value = addslashes($value);
        }
        // if magic quotes are active, then the slashes already exist
    }
    return ($value);
}

I would suggest you use a PDO prepared statement:

// the value is bound as a parameter, so it never becomes part of the SQL text
$q = $pdo->prepare("query where id=:id");
$q->execute(array(":id" => 1));
StaticVariable
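The following is an added example, not code from the question or from the answer above. It shows why the magic-quotes / stripslashes / mysql_real_escape_string dance is unnecessary once the value is bound as a parameter: the same request value is run through a concatenated query and through a prepared statement, and the two behave differently. It assumes an in-memory SQLite database with a constructed `users` table (the table, its rows and the attacker string are all made up here) so that it runs offline without MySQL.

```php
<?php
// Added example: PDO prepared statement vs. string concatenation.
// The database, table, rows and inputs below are constructed for this demo.
declare(strict_types=1);

function makeDb(): PDO
{
    // In-memory SQLite so the example needs no server; with MySQL you would
    // additionally set PDO::ATTR_EMULATE_PREPARES to false so that the server,
    // not the client library, handles the parameters.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    foreach (['alice', 'bob', "O'Brien"] as $name) {   // constructed sample rows
        $ins->execute([':name' => $name]);
    }
    return $pdo;
}

// Vulnerable form: the request value is pasted into the SQL text.
function findByNameConcat(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the value travels as a bound parameter and is never parsed as SQL,
// so no stripslashes()/addslashes()/escaping step is needed beforehand.
function findByNamePrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = makeDb();

// Constructed attacker input, as it would arrive in $_GET['name'] with magic quotes off.
$attack = "x' OR '1'='1";

printf("concat, attack:    %d row(s)\n", count(findByNameConcat($pdo, $attack)));
printf("prepared, attack:  %d row(s)\n", count(findByNamePrepared($pdo, $attack)));

// A legitimate apostrophe (the case magic quotes was invented for) also needs no escaping.
printf("prepared, O'Brien: %d row(s)\n", count(findByNamePrepared($pdo, "O'Brien")));

// The concatenated query cannot even handle that legitimate value: the unmatched quote
// is a syntax error, which surfaces as a PDOException under ERRMODE_EXCEPTION.
try {
    findByNameConcat($pdo, "O'Brien");
} catch (PDOException $e) {
    echo "concat, O'Brien:   query failed (", $e->getMessage(), ")\n";
}
```

With this data the concatenated query returns every user for the attack string (the `OR '1'='1'` becomes part of the WHERE clause), while the prepared statement returns no rows because it looks for a user literally named `x' OR '1'='1`. The `O'Brien` case shows the other half of the argument: bound parameters make the apostrophe problem that magic quotes tried to paper over disappear, whereas concatenation breaks on it. Note that `get_magic_quotes_gpc()` itself was removed in PHP 8, so code that still calls it will not run there at all.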