1

My Magic_Quotes has always been on and only today I've seen it's becoming deprecated. If I have it off, could I just escape all user input (whether it's being used in my database or not)? I definitely can't go back and rewrite all my database queries to use mysql_real_escape_string().

Could I just loop through all my $_GET, $_POST and $_SESSION and apply mysql_real_escape_string()?

rook
Juddling

4 Answers

3

mysql_real_escape_string and magic_quotes_gpc are two different things. Magic quotes does not render your input safe enough for SQL queries.

Whether you like it or not, you should convert all your database queries to use a proper escaping mechanism, or you otherwise leave your application open to security issues like SQL injection.

You can't really apply mysql_real_escape_string directly on $_GET, $_POST, etc. because it might mess up your input data if you need it for anything other than SQL (like form validation and such).

netcoder
  • In my case, it would probably be easier to fix the things it messes up rather than go back and recode thousands of queries. – Juddling Nov 23 '10 at 19:08
  • How will you know what's broken? The only safe solution has EVER been to make sure every query is properly escaped. – Hamish Nov 23 '10 at 19:17
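The conversion netcoder recommends, shown on a small script as an added example (this is not code from the question or from any answer). It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the table, its rows and the input value are constructed for the demonstration. The `fetch_one()` wrapper is an assumed helper that turns the rewrite of an existing interpolated query into a mechanical edit.

```php
<?php
// Added example: migrating an interpolated query to parameter binding.
// PDO + SQLite in memory stands in for the MySQL connection so the script
// runs offline; table, rows and the input value below are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (name) VALUES ('Alice'), ('O''Brien')");

// A value a form would send. With magic_quotes_gpc on it arrived as
// "O\'Brien" and MySQL accepted the backslash; with it off it arrives raw.
$name = "O'Brien";

// 1) Legacy pattern: the value is pasted into the SQL text. The single
//    quote unbalances the string literal and the query is rejected.
//    (This is also the shape that makes a query injectable: whatever is
//    in the value becomes part of the statement.)
try {
    $pdo->query("SELECT id FROM users WHERE name = '$name'")->fetchColumn();
    echo "legacy query unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "legacy query failed: " . $e->getMessage() . "\n";
}

// 2) Driver-correct escaping: PDO::quote() produces a literal the current
//    driver understands ('O''Brien' for SQLite, 'O\'Brien' for MySQL).
//    This is the role mysql_real_escape_string() plays for the old mysql
//    extension; unlike magic quotes it is applied at the SQL boundary.
$literal = $pdo->quote($name);
$id = $pdo->query("SELECT id FROM users WHERE name = $literal")->fetchColumn();
echo "quoted lookup found id $id\n";

// 3) Parameter binding: the SQL text never contains the value at all.
//    fetch_one() is an assumed helper, not part of PDO.
function fetch_one(PDO $pdo, $sql, array $params) {
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}
$row = fetch_one($pdo, "SELECT id, name FROM users WHERE name = ?", array($name));
echo "bound lookup found id {$row['id']} for {$row['name']}\n";

// Converting an existing query is mechanical: replace each '$var' in the
// SQL string with ? and append $var to the parameter array, in order.
// Before: "SELECT * FROM orders WHERE user = '$user' AND status = '$status'"
// After:  fetch_one($pdo, "SELECT * FROM orders WHERE user = ? AND status = ?",
//                   array($user, $status));
```

The legacy query fails here because SQLite, like MySQL with magic quotes off, receives the quote character unescaped; the two later forms succeed with the same input. The last comment is the edit pattern for each remaining query, which is the work the question hoped to avoid but is the only form in which the escaping is applied exactly where the value meets SQL.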
2

Turn it off. The pain of recoding by hand, case by case, pales compared to the agony of being hacked.

DampeS8N
1

See here click

This is the method I use. If you are using the case/switch method, simply include it in the index.php file. With the second method, you need to add it to each page.

  1. index.php?page=home
  2. index.php?page=two ...

SECOND METHOD: ADD CODE PER PAGE

  1. index.php
  2. contact.php
  3. product.php ....

Recommended : simple page query case / switch

// Magic Quotes Fix: undo the slashes PHP added to GET/POST/COOKIE input
// when magic_quotes_gpc is on, so the rest of the code sees raw values.
if (ini_get('magic_quotes_gpc')) {
    function clean($data) {
        if (is_array($data)) {
            // Build a new array: keys are stripped too, and writing back
            // into the array being iterated would leave the old key behind.
            $cleaned = array();
            foreach ($data as $key => $value) {
                $cleaned[clean($key)] = clean($value);
            }
            return $cleaned;
        }

        return stripslashes($data);
    }

    $_GET = clean($_GET);
    $_POST = clean($_POST);
    $_REQUEST = clean($_REQUEST);
    $_COOKIE = clean($_COOKIE);
}
Semu
0

Yes, you can, but don't forget that you can also send arrays via GPC (?var[1]=data). It should be noted that magic_quotes_gpc was removed for a damn good reason and I bet many beers that your application is highly vulnerable to sql injection.

// Only escape when PHP has not already added slashes via magic quotes.
// mysql_real_escape_string() needs an open mysql_connect() link, so this
// must run after connecting to the database.
if (!get_magic_quotes_gpc()) {
    function my_escape(&$value, $key) { $value = mysql_real_escape_string($value); }
    // References so the superglobals themselves are modified in place;
    // array_walk_recursive also descends into array inputs like ?var[1]=data.
    $gpc = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    array_walk_recursive($gpc, 'my_escape');
}
rook
  • Escaping all the globals for MySQL use may not be appropriate. – bcosca Nov 23 '10 at 19:05
  • @stillstanding yep, and it won't stop all sql injection. – rook Nov 23 '10 at 19:06
  • Why wouldn't it stop an attack? – Juddling Nov 23 '10 at 19:09
  • @Juddling Many, many reasons. The 2 most common: you aren't using quote marks around the variable in your query, or you use a decode function like urldecode(), base64_decode(), html_entity_decode() or even substring(). In short, this is the worst way to attempt to defend against sql injection. If you do go with that code I posted, you should sign up for a free vulnerability scanning service like http://sitewat.ch; it will be able to find the gaps. – rook Nov 23 '10 at 19:13
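The two gaps rook names in his last comment, worked through as an added example (not rook's code or the question's): addslashes() stands in for the quote escaping that magic_quotes_gpc applied, the input values are constructed, and the `find_user()` function is an assumed helper showing the order that actually closes the gaps (decode, validate the type, bind). PDO with an in-memory SQLite table is used instead of MySQL so the script runs offline.

```php
<?php
// Added example (not from the page): why escaping every superglobal up
// front leaves gaps, and the checks that close them. addslashes() stands in
// for the quote escaping magic_quotes_gpc applied; inputs are constructed.

// Gap 1: escaping only protects a value that sits inside quotes. A value
// headed for "WHERE id = $id" (no quotes) contains nothing to escape, so it
// passes through untouched and the query is still built from raw text.
$id = "7 x";
var_dump(addslashes($id) === $id);                  // bool(true): unchanged
// The check that belongs here is a type check, not an escape.
var_dump(filter_var($id, FILTER_VALIDATE_INT));     // bool(false)
var_dump(filter_var("7", FILTER_VALIDATE_INT));     // int(7)

// Gap 2: escaping before a decode step is undone by the decode. The
// escaper sees no quote in "%27", but urldecode() turns it into one.
$encoded = "%27";
var_dump(urldecode(addslashes($encoded)));          // string(1) "'"
// Reversing the order keeps the quote escaped; binding avoids it entirely.
var_dump(addslashes(urldecode($encoded)));          // string(2) "\'"

// Putting it together (assumed helper): decode first, validate the type,
// then bind the value so the SQL text never contains it.
function find_user(PDO $pdo, $rawId) {
    $id = filter_var(urldecode($rawId), FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;  // reject rather than escape: it was never a number
    }
    $stmt = $pdo->prepare("SELECT name FROM users WHERE id = ?");
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// In-memory SQLite stands in for MySQL; table and row are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (id, name) VALUES (7, 'Alice')");

var_dump(find_user($pdo, "7"));     // string(5) "Alice"
var_dump(find_user($pdo, "%37"));   // string(5) "Alice": decoded before the check
var_dump(find_user($pdo, "7 x"));   // NULL: rejected by the type check
```

The first two sections show that a global escaping pass has no effect on either case rook describes; the third shows that the fix is per-query (decide the type the query expects and bind the value), which is why the scanner rook mentions can find gaps that the global pass leaves behind.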