0

I was using PHP 5.2 earlier. Now I want to upgrade to PHP 5.4. Magic quotes are removed now. I want to make my application work properly. Which function should I use for escaping data, mysql_real_escape_string() or addslashes()?

Which of the above functions will give the same results as the magic_quotes_gpc setting?

Tanu Gupta
  • It depends on the database layer your application is using. There is *one* proper escaping function for each database library. – Pekka Jun 19 '13 at 07:32
  • Does your application rely on `magic_quotes_gpc`? That is a very bad idea. – xdazz Jun 19 '13 at 07:34
  • Yes xdazz. It is. It is a very old application and I have to make it work. – Tanu Gupta Jun 19 '13 at 07:37
  • @Pekka, I am not using any database layer as it is very old application and I am using mysql functions. – Tanu Gupta Jun 19 '13 at 07:38
  • @TanuGupta: So your database layer is [`mysql_*`](http://www.php.net/manual/en/book.mysql.php) then – Eric Jun 19 '13 at 07:49
  • @Eric: Yes, we are using mysql_* functions for mysql interaction. – Tanu Gupta Jun 19 '13 at 09:03
  • `mysql_real_escape_string()` is better than `addslashes()`, which filters more illegal characters. If you are handling legacy code, you can use [php-magic-quotes](https://github.com/yidas/php-magic-quotes) to implement `magic_quotes_gpc`. – Nick Tsai Jun 28 '17 at 03:52

5 Answers

2

It's always best to migrate to PDO and prepared statements as outlined by @alex above.

If that isn't feasible, absolutely escape incoming string data with mysql_real_escape_string(), and validate integer data, e.g. using filter_input() as shown in this answer.

addslashes() is not a suitable escaping method for MySQL queries.

Pekka
  • I just want a function which can give me the same results as I get when magic_quotes_gpc setting is on. I can not modify my db layer. I just want a quick solution which just serves the purpose and helps me making my application work properly. I think addslashes() is solving the purpose because it escapes single quote ('), double quote ("), backslash (\) and NUL (the NULL byte) just like magic quotes do. – Tanu Gupta Jun 19 '13 at 12:00
  • `addslashes()` is not enough to secure incoming data; it is not a 100% perfect protection. `mysql_real_escape_string()` is the way to go. It's just a different choice of functions, isn't it? – Pekka Jun 19 '13 at 12:06
  • Actually I just need an alternative which is closer to magic_quotes_gpc. mysql_real_escape_string() escapes \x00, \n, \r, \, ', " and \x1a. I would need to make my application tested thoroughly if I use mysql_real_escape_string(), and it's a big application and I want to reduce my testing effort. Suggestions? – Tanu Gupta Jun 19 '13 at 12:24
  • @Tanu those characters will be escaped only for the duration of the query; the slashes will not be in the final data. I don't see how this would need extensive testing. – Pekka Jun 19 '13 at 12:27
  • As I said, it's a very old application; I have some scripts where I get the data from the db and remove the escape characters using some custom/pre-defined functions. – Tanu Gupta Jun 19 '13 at 12:32
1

It's better to use prepared statements as suggested here for security reasons. mysql_real_escape_string() might not be sufficient to prevent SQL injection, e.g. because multibyte character sets can be abused despite the escape function (see mysql_real_escape_string() versus Prepared Statements).

Prepared statements in PHP can be used like this:

    // $dbh is an open PDO connection, e.g. new PDO('mysql:host=...;dbname=...', $user, $pass)
    $stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
    $stmt->bindParam(1, $name);
    $stmt->bindParam(2, $value);
    // The bound values travel separately from the SQL text, so no escaping is needed
    $stmt->execute();

More information on prepared statements in PHP. So in conclusion, if you have the possibility to change your application to prepared statements, that would be the best way to handle it.

UPDATE (totally not recommended)

If you really want to keep the state, use addslashes() for every $_GET and $_POST variable. It does manually the same thing that magic_quotes switched on did with all $_GET and $_POST variables. But I really guess it's less work to use mysqli with mysqli_real_escape_string or, better, prepared statements :)

http://php.net/manual/de/function.addslashes.php

alex
  • It is an old application, alex, and I am not using PDO in this application. I just have to make it work until I upgrade to some db layer. – Tanu Gupta Jun 19 '13 at 07:40
  • Then is it possible for you to use mysqli http://www.php.net/manual/en/mysqli.real-escape-string.php ? It keeps the charset issue in mind. – alex Jun 19 '13 at 07:43
  • Thanks alex. Can't modify the code at this level as it's a big application. Just need a quick solution which can give me the same output that the magic_quotes_gpc setting gives. – Tanu Gupta Jun 19 '13 at 09:37
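A worked version of the migration the two answers above recommend (Pekka's "escape strings, validate integers" advice and alex's prepared-statement snippet), added here as an example; it is not code from either answer. It assumes PHP 5.4+ with PDO, uses an in-memory SQLite database so it runs without a MySQL server (for MySQL only the DSN changes), and the `$request` array is a constructed stand-in for `$_GET`/`$_POST`.

```php
<?php
// Added example, not code from the original answers. Shows the move from
// mysql_* string building to PDO prepared statements, with integer input
// validated instead of escaped. Uses an in-memory SQLite database so it
// runs offline; for MySQL only the DSN changes, e.g.
// new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass).

// Constructed stand-in for $_GET/$_POST (not real request data).
$request = array(
    'id'    => '7',
    'name'  => "O'Brien",                              // single quote
    'value' => 'back\\slash and "double" quotes',      // backslash, double quotes
);

function openDatabase()
{
    $dbh = new PDO('sqlite::memory:');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec('CREATE TABLE registry (id INTEGER PRIMARY KEY, name TEXT, value TEXT)');
    return $dbh;
}

// Validate integers rather than escaping them: filter_var() returns false
// for anything that is not a plain integer ("", "7abc", "7.5", ...).
function requireInt($raw)
{
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('expected an integer');
    }
    return $id;
}

// Strings are bound, never concatenated into the SQL, so neither
// addslashes() nor mysql_real_escape_string() is called anywhere.
function insertRegistry(PDO $dbh, $id, $name, $value)
{
    $stmt = $dbh->prepare('INSERT INTO registry (id, name, value) VALUES (:id, :name, :value)');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':value', $value, PDO::PARAM_STR);
    $stmt->execute();
}

function fetchRegistry(PDO $dbh, $id)
{
    $stmt = $dbh->prepare('SELECT name, value FROM registry WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

$dbh = openDatabase();
$id = requireInt($request['id']);
insertRegistry($dbh, $id, $request['name'], $request['value']);

// The stored text is byte-for-byte what was submitted: no backslashes were
// added, so nothing needs stripslashes() on the way out, which is the
// testing concern raised in the comments above.
$row = fetchRegistry($dbh, $id);
if ($row['name'] !== $request['name'] || $row['value'] !== $request['value']) {
    throw new RuntimeException('stored data differs from submitted data');
}
echo "stored and submitted values are identical, no slashes added\n";

// A malformed id is rejected before any SQL is built.
try {
    requireInt('7abc');
} catch (InvalidArgumentException $e) {
    echo 'rejected non-integer id: ', $e->getMessage(), "\n";
}
```

With MySQL, put `charset=utf8mb4` (or whatever the tables use) in the DSN so client and server agree on the character set; that mismatch is what the multibyte problem linked in the answer above relies on, and the escape-free prepared statement approach sidesteps it entirely.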
1

Because I can not introduce a db layer in my application and I want a quick solution, I used the addslashes() function, because addslashes() escapes single quote ('), double quote ("), backslash (\) and NUL (the NULL byte), exactly what magic quotes escape.

Code:

    // Emulate magic_quotes_gpc: escape every value in the request superglobals
    // in place. This must run at file scope, because variable variables cannot
    // address superglobals from inside a function. On PHP < 5.4 magic quotes may
    // still be switched on, so skip the shim there to avoid double escaping.
    if (version_compare(PHP_VERSION, '5.4.0', '>=') || !get_magic_quotes_gpc()) {
        foreach (array('_COOKIE', '_GET', '_POST', '_REQUEST') as $_SG) {
            foreach ($$_SG as $_SGK => $_SGV) {
                // Write back into the superglobal itself ($_GET[$key] etc.),
                // not into a new global variable named after the key.
                ${$_SG}[$_SGK] = smartQuotes($_SGV);
            }
        }
    }

    function smartQuotes($value)
    {
        if (is_array($value)) {
            // Recurse so nested form fields (name="a[b]") are escaped too.
            return array_map('smartQuotes', $value);
        }
        if ($value === '') {
            // Author's choice: empty strings become the literal string 'NULL'.
            // Magic quotes did not do this; drop this branch for exact parity.
            return 'NULL';
        }
        if (!is_numeric($value)) {
            // addslashes() escapes ' " \ and NUL, the same set magic_quotes_gpc did.
            $value = addslashes($value);
        }
        return $value;
    }
Tanu Gupta
  • This will leave your application vulnerable under certain circumstances: [Examples of SQL Injections through addslashes()?](http://stackoverflow.com/q/860954) – Pekka Jun 19 '13 at 12:26
  • True. Until I upgrade to PDO, its a quick fix for me. – Tanu Gupta Jun 19 '13 at 12:27
  • `$$_SGK = smartQuotes($_SGV);` not only adds slashes, but also assigns the value to a global variable instead of $_GET,$_POST etc, ... like 'register_globals' used to do 10 years ago. Use `${$_SG}[$_SGK] = smartQuotes($_SGV);` instead to change the gpc globals. – commonpike Jun 27 '16 at 13:05
  • ... don't forget $_REQUEST (if you would change values in place) – commonpike Jun 27 '16 at 13:07
0

addslashes() gives the same results as the magic_quotes_gpc setting, referring to Magic Quotes:

> When on, all ' (single-quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes() does.

Use magic_quotes_gpc on PHP 5.4 and above

If you still want to run magic_quotes_gpc on PHP 5.4 or a higher version for your legacy code, you can use yidas/magic-quotes:

https://github.com/yidas/php-magic-quotes

Nick Tsai
0

We need to addslashes() in $_REQUEST, $_POST, $_GET and $_COOKIE. You can achieve it with the code below. Include the code below in your common file.

    // Emulate magic_quotes_gpc on PHP 5.4+: addslashes() every value in the
    // request superglobals, recursing into nested arrays and modifying in place.
    // Runs at file scope: variable variables cannot reach superglobals from
    // inside a function.
    $la_magicQuotes = array('_REQUEST', '_POST', '_GET', '_COOKIE');
    foreach ($la_magicQuotes as $la_superGlobal) {
        if (isset($$la_superGlobal) && is_array($$la_superGlobal)) {
            // array_walk takes the array by reference, so the superglobal itself is updated.
            array_walk($$la_superGlobal, 'pr_addslashed_array');
        }
    }

    // array_walk callback: receives each value by reference and its key.
    function pr_addslashed_array(&$la_val, $lc_key)
    {
        if (is_array($la_val)) {
            array_walk($la_val, 'pr_addslashed_array');
        } else {
            $la_val = pr_addslashed($la_val);
        }
    }

    function pr_addslashed($lc_string)
    {
        // Escapes ' " \ and NUL, the same set magic_quotes_gpc escaped.
        return addslashes($lc_string);
    }
pilathraj