5

I've never programmed in an environment with magic quotes turned on before. Now I'm working on a project where it is. This is how I've been setting up user accepted data situations:

$first_name = $_POST['first_name']
if(!get_magic_quotes_gpc()) {
    $first_name = mysql_real_escape_string($first_name);
}

With that filtering, am I still open for SQL injection attacks when magic quotes is enabled?

I'm really only concerned about any kind of SQL injection that will break my queries... Other whitelisting, htmlspecialchar() -ing etc. is in place for other areas.

Looking at some similar SO questions it seems that it's being advised to instead check for magic quotes, run 'stripslashes' on the data if it IS turned on, and then always run the escape function. I'm a little apprehensive to do it this way though because all of the existing code in the site assumes it's on.

Thanks!

coopertrooper
  • 155
  • 1
  • 4
  • 1
    `magic_quotes`-setting => `addslashes()` != `mysql_escape`. That are two different things. Read php.net/security.magicquotes.what – KingCrunch May 22 '11 at 22:02
  • 4
    I'm disappointed by the downvote on this question; the votes are intended to be for the quality of the _question_, not the merits of a coding mechanism _in_ the question. An _answer_ that recommends turning on Magic Quotes probably deserves a downvote, but this question was well-asked, and the poor guy needs help safely using code that should probably be replaced wholesale (if we lived in a perfect world...) – sarnold May 22 '11 at 22:11

2 Answers2

1

Working with a legacy system can be a real PITA - especially with something like PHP which let some pretty egregious insecure code be written in the bad old days.

I think you've actually already answered part of your question:

Looking at some similar SO questions it seems that it's being advised to instead check for magic quotes, run 'stripslashes' on the data if it IS turned on, and then always run the escape function. I'm a little apprehensive to do it this way though because all of the existing code in the site assumes it's on.

I would also try and initiate a code review - find all places where use data is being written or used in database queries, and then replace with the more secure escaping. Eventually, you'll replace all of those squirrelly queries, and be able to turn magic quotes off for good.

HorusKol
  • 8,375
  • 10
  • 51
  • 92
0

If you use mysql_real_escape_string (correctly) there is no risk of SQL injection. That doesn't mean the input will be ok. If your magic quotes settings or any other stuff is set incorrectly, your variable may contain an incorrect value. It is still safe however.

GolezTrol
  • 114,394
  • 18
  • 182
  • 210