1

If I have magic_quotes switched on and I use mysql_real_escape_string, will the string be double escaped? Will it cause problems?

I assume so based on the get_magic_quotes() function but just seeking confirmation.

(P.S. It's easier to ask this question than test it in my office with all the security we have in place - It takes me 10-15 to configure everything to get a usable environment)

alex
sjw

4 Answers

4

Read the documentation of mysql_real_escape_string (I hope this is not difficult as well):

Note: If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.

Felix Kling
  • If I read the documentation then you wouldn't have anyone to belittle in these forums to make you feel better about yourself... – sjw Apr 22 '10 at 06:25
  • @Col. Shrapnel - Well, perhaps by proxy. I just upvoted your comment. – Tim Post Apr 22 '10 at 06:33
  • You guys are pathetic! You all stick together and belittle anyone who isn't as educated as you are!!! Perhaps try helping people instead of scoffing at their questions and you won't have to "downvote" their comments! – sjw Apr 22 '10 at 06:45
  • To be quite honest, you are only fanning the flames @hairdresser-101. The suggestion to read the docs on the topic is a legitimate piece of advice to give to someone. The jab about the difficulty of doing such was probably unnecessary though @Felix ;) – gnarf Apr 22 '10 at 07:32
  • @gnarf: You are probably right. But some people spend the same amount of time (10-15 min) to give really good answers (this one is not one of them ;)) And honestly, 10 minutes to test something is not that much. I had probably needed the same amount of time. The question itself is ok (despite that it can be answered by reading the documentation), I just think the last sentence is unnecessary and considering how (s)he dealt with his last questions I could not restrain to do such a remark. Please forgive me :) – Felix Kling Apr 22 '10 at 08:38
3

If you escape a value obtained from get/post/cookie input, it will already have addslashes() applied to it, so passing it through mysql_real_escape_string() will in fact, double quote.

To strip em:

```php
if (get_magic_quotes_gpc())
{
    // Round-trip each superglobal through JSON so that a single stripslashes()
    // call covers the whole structure, nested arrays included.
    $_GET = json_decode(stripslashes(json_encode($_GET, JSON_HEX_APOS)), true);
    $_POST = json_decode(stripslashes(json_encode($_POST, JSON_HEX_APOS)), true);
    $_COOKIE = json_decode(stripslashes(json_encode($_COOKIE, JSON_HEX_APOS)), true);
    $_REQUEST = json_decode(stripslashes(json_encode($_REQUEST, JSON_HEX_APOS)), true);
    ini_set('magic_quotes_gpc', 0);
}
```

This question has some other options for stripping quotes / dealing with the horrible magic_quotes_gpc PHP 'feature'.

Community
gnarf
  • why not to use usual array_map_recursive? – Your Common Sense Apr 22 '10 at 06:18
  • I know nothing about slashes... I only found out what magic_quotes were about 15 minutes ago... I'm trying to understand everything a bit more... – sjw Apr 22 '10 at 06:26
  • @col. Shrapnel - I believe the ini_set will ensure no other libs detect/unslash that it is set. And the array_walk_recursive won't unmunge key names either (which magic quotes will mess with) – gnarf Apr 22 '10 at 06:56
  • @hairdresser-101 - try looking up sql injections to see why php (wrongly) thought to escape all input by default. – gnarf Apr 22 '10 at 06:59
  • Since we're using the `JSON_HEX_APOS` constant this solution is only compatible with PHP 5.3 and above, see this question (http://stackoverflow.com/questions/2077711/php-shorter-magic-quotes-solution) for more info. – Alix Axel May 19 '10 at 05:44
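
The double escaping described in the two answers above, as an added example that is not part of the original thread. `sql_escape()` and `undo_magic_quotes()` are hypothetical names: the first is a stand-in that escapes the same characters as `mysql_real_escape_string()`, and `addslashes()` simulates what magic_quotes_gpc does to input, so the script runs without a database or the old setting.

```php
<?php
// Added example (not from the thread). sql_escape() is a stand-in that escapes
// the same characters as mysql_real_escape_string(), so no MySQL connection is needed.
function sql_escape($s)
{
    return strtr($s, array(
        "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "'"  => "\\'",  '"'  => '\\"', "\x1a" => "\\Z",
    ));
}

// Undo magic_quotes_gpc on a request array, including nested arrays (values only).
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        foreach ($value as $key => $item) {
            $value[$key] = undo_magic_quotes($item);
        }
        return $value;
    }
    return stripslashes($value);
}

// Constructed sample: what the user typed, and what $_POST would contain with
// magic_quotes_gpc on (addslashes() applied to every value).
$typed = array('name' => "O'Reilly", 'tags' => array('C:\\temp'));
$post  = array(
    'name' => addslashes("O'Reilly"),
    'tags' => array(addslashes('C:\\temp')),
);

// Wrong order: escaping the already-slashed value escapes the added backslash too.
$double = sql_escape($post['name']);

// Documented order: stripslashes() first, then escape exactly once.
$clean  = undo_magic_quotes($post);
$single = sql_escape($clean['name']);

// When the server parses a quoted literal it removes one level of escaping;
// for quotes and backslashes, stripslashes() models that step.
printf("double-escaped literal: '%s' -> stored as %s\n", $double, stripslashes($double));
printf("single-escaped literal: '%s' -> stored as %s\n", $single, stripslashes($single));

// The cleaned request data matches what the user actually typed.
var_dump($clean === $typed);
```

The double-escaped value is not an injection risk, but the stored row keeps a stray backslash that then shows up wherever the data is displayed.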
1

Of course, the easiest way is to turn magic_quotes off.
With the usual PHP/Apache config, this line

php_flag magic_quotes_gpc 0

in the .htaccess file will do the thing.

But for compatibility purposes, a function can be used in some config file too.

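```php
// array_map_recursive() is not a PHP built-in, so define it before use.
function array_map_recursive($fn, $value) {
  if (!is_array($value)) return call_user_func($fn, $value);
  foreach ($value as $k => $v) $value[$k] = array_map_recursive($fn, $v);
  return $value;
}

if ( get_magic_quotes_gpc( ) ) {
  $_GET = array_map_recursive('stripslashes', $_GET) ;
  $_POST = array_map_recursive('stripslashes', $_POST) ;
  $_COOKIE = array_map_recursive('stripslashes', $_COOKIE) ;
  $_REQUEST = array_map_recursive('stripslashes', $_REQUEST) ;
  // stripslashes() returns the cleaned string, so assign it back
  if (isset($_SERVER['PHP_AUTH_USER'])) $_SERVER['PHP_AUTH_USER'] = stripslashes($_SERVER['PHP_AUTH_USER']);
  if (isset($_SERVER['PHP_AUTH_PW'])) $_SERVER['PHP_AUTH_PW'] = stripslashes($_SERVER['PHP_AUTH_PW']);
}
```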

one of the easiest

Your Common Sense
0

If I have magic_quotes switched on and I use mysql_real_escape_string, will the string be double escaped?

Yes, it will but you could do something like this though:

```php
if (get_magic_quotes_gpc())
{
  $escaped = stripslashes($your_vars);
}
```

Note: You can disable the magic quotes from PHP.ini or use the below function to override it:

```php
// no more magic quotes
function get_magic_quotes_gpc()
{
  return false;
}
```

Sarfraz
  • @Col. Shrapnel: That will override the default function, so `get_magic_quotes_gpc()` won't do what it does. – Sarfraz Apr 22 '10 at 07:11