5

My server admin recently upgraded to PHP 5.3 and I'm getting a weird "bug" (or feature, as the PHP folks have it). I had mysql_real_escape_string around most of my string form data for obvious safety reasons, but now it seems this escaping is already done by PHP.

<?php

echo $_GET["escaped"];

?>

<form method="get">
    <input type="text" name="escaped" />
</form>

This outputs, if I enter for instance escape 'this test', escape \'this test\'. Same goes if I use POST instead of GET.

Is it directly tied to the 5.3 upgrade or could my admin have triggered some automatic switch in the php.ini file?

Also, should I just leave it as is (in the event that it is indeed a good foolproof mechanism that correctly catches all GET and POST variables), or should I disable it (if that's even possible!) and go back to mysql_real_escape_string? My gut tells me approach 2 would be best, but approach 1 would be somewhat automagical. :)

EDIT: Actually, I need to disable it. Sometimes I gather the form data and resend it to the client form in case something was wrong (i.e. missing field), so I don't want him/her to have slashes appearing out of nowhere.

hakre
Lazlo
  • It should also be noted, that if your `php.ini` file contains a syntax error, the default is to enable `magic_quotes_gpc`. So if you think you've disabled `magic_quotes_gpc` in your configuration file, it's possible the file could contain an error preventing your configuration from being applied. Personal experience. :P – Joshua Burns Apr 29 '13 at 15:05

4 Answers

12

This "feature" is known as magic_quotes_gpc and does not protect you from all SQL injection attacks (addslashes is called on every element of the input superglobals such as $_POST and $_GET. This ignores the actual input/database encoding). It is therefore deprecated and should not be used.

The official php manual includes a neat way to undo it in php code, but you should just turn it off.

phihag
  • The "neat" way of undoing it is slow, it's O(n), not too bad but can still cause problems with huge input. – Nicklas A. Jul 10 '11 at 18:16
  • @Nicklas A. It may be slow, but on first sight, this seems to be the fastest possible way to undo magic quotes. Could you elaborate on how this code could be improved? And if `n` is the size of the whole POST body, *any* algorithm undoing a text encoding on it will take O(n), won't it? – phihag Jul 10 '11 at 18:19
  • No, of course there is no other solution. I merely meant that modifying the php.ini is a far better solution :) – Nicklas A. Jul 10 '11 at 18:25
  • And yes, the algorithm would be Ω(n) – Nicklas A. Jul 10 '11 at 18:27
  • @Lazlo Bonin Don't forget to reload apache afterwards. After that, check the output of phpinfo - you may have modified the CLI `php.ini` instead of the apache one. Also, check with a trivial php script (` – phihag Jul 10 '11 at 18:36
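A worked version of the two points in this answer, as an added example that is not code from the original post or from the PHP manual: undoing magic_quotes_gpc in code for the case where the ini setting cannot be changed (so that re-displaying a form field, as the asker wants, does not show stray slashes), and a demonstration of why a blanket addslashes() over the superglobals is not encoding-aware. The function names and the GBK sample bytes are constructed for illustration; the mbstring extension is assumed to be available.

```php
<?php
// Added example, not from the original page. Undo magic_quotes_gpc at the
// top of the request when php.ini cannot be changed, then escape at the
// output boundary (HTML here) instead of trusting input-side slashes.

// Strip the slashes magic_quotes_gpc added, recursively, from values AND
// keys: the feature escapes array keys too, so a field named "a'b" would
// arrive as the key "a\'b".
function undo_magic_quotes($value) {
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $key => $item) {
            $clean[undo_magic_quotes($key)] = undo_magic_quotes($item);
        }
        return $clean;
    }
    return stripslashes($value);
}

// Only run the undo when the feature is actually on; stripping slashes the
// user really typed would corrupt their input. get_magic_quotes_gpc() exists
// in PHP 5.x (the era of this question) and was removed in PHP 8.0, hence
// the function_exists() guard so this file still parses and runs there.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// Re-displaying a submitted field in the form (the asker's use case):
// escape for the HTML attribute context at output time. Database escaping
// belongs at the database boundary (mysql_real_escape_string on a live
// connection, or bound parameters), not at input time.
function form_value($name) {
    $raw = isset($_POST[$name]) ? $_POST[$name] : '';
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Why blanket addslashes() ignores encoding: in GBK, 0xBF 0x5C is a single
// two-byte character. addslashes() turns the constructed bytes 0xBF 0x27
// into 0xBF 0x5C 0x27; a GBK-aware parser reads that as <char><bare quote>,
// so the quote is no longer escaped. A connection-aware escaper knows the
// connection charset and does not produce that byte sequence.
function addslashes_breaks_in_gbk() {
    $input   = "\xbf\x27";           // constructed: lead byte, then a quote
    $escaped = addslashes($input);   // 0xBF 0x5C 0x27
    // mb_strlen counts characters under the named encoding; two characters
    // means the backslash was absorbed into the multibyte character.
    return mb_strlen($escaped, 'GBK') === 2;
}
```

Usage: include the undo block before any code reads the superglobals (an auto_prepend_file is the usual place), and use form_value('escaped') in the form template. addslashes_breaks_in_gbk() checks whether mbstring reads the escaped bytes as two characters; it is the concrete case behind "this ignores the actual input/database encoding" in the answer above, and turning the feature off rather than undoing it remains the better fix.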
6

This is due to magic quotes; you should turn it off.

And here is how you turn it off: http://www.php.net/manual/en/security.magicquotes.disabling.php

You do it either via php.ini or by removing slashes from all variables in $_GET and $_POST; obviously the former is the recommended way to go.


As Will Martin suggests you can also change it via a .htaccess like this:

php_flag magic_quotes_gpc off

More info here: http://php.net/manual/en/configuration.changes.php

Nicklas A.
  • Will accept when S/O lets me. Never figured such a crazy "feature" could exist. Asked my admin to disable it, because sadly, ini_set won't work. Grr. – Lazlo Jul 10 '11 at 18:16
  • ini_set only works on stuff that happens after the script has been parsed and sadly the escaping happens before. Magic quotes are evil and only cause problems, never solve them. Especially as people might rely on them for stuff. – Nicklas A. Jul 10 '11 at 18:24
  • You can disable it using .htaccess - that happens before the page is parsed. `php_flag magic_quotes_gpc Off` in your .htaccess. – Will Martin Jul 10 '11 at 18:55
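The checks a practitioner wants after changing the setting, as an added example that is not code from this answer: which php.ini the serving SAPI actually loaded (phihag's point above that the CLI and Apache can read different files), whether the directive is off as configured and as applied, and a behavioural probe that submits a quote and looks for the escaping. The config lines in the comments show the weak setting beside the corrected one; the function names are assumptions made here, and the .htaccess line only takes effect under Apache's mod_php.

```php
<?php
// Added example, not from the original page. magic_quotes_gpc is applied
// while the request is being parsed, before any script code runs, so
// ini_set() is too late. The places that work:
//
//   php.ini (weak, common on old installs):   magic_quotes_gpc = On
//   php.ini (corrected):                      magic_quotes_gpc = Off
//   .htaccess or vhost, Apache mod_php only:  php_flag magic_quotes_gpc Off
//
// After editing, reload the web server and request this script THROUGH the
// web server, not only with `php` on the command line: each SAPI can load a
// different php.ini, so the CLI saying "off" proves nothing about Apache.

function magic_quotes_status() {
    return array(
        // which binary answered: "cli", "apache2handler", "fpm-fcgi", ...
        'sapi'        => PHP_SAPI,
        // the main php.ini this SAPI loaded, or false if none was found
        'php_ini'     => php_ini_loaded_file(),
        // extra files from the scan directory (e.g. conf.d/*.ini), or false
        'scanned_ini' => php_ini_scanned_files(),
        // the directive as this process sees it ("1", "0", "" or false)
        'ini_value'   => ini_get('magic_quotes_gpc'),
        // what the engine applied to this request; the function was removed
        // in PHP 8, where the feature no longer exists
        'active'      => function_exists('get_magic_quotes_gpc')
                             ? (bool) get_magic_quotes_gpc() : false,
    );
}

// Behavioural probe: request the script as ?probe=' (a single quote).
// With magic quotes still on, the value arrives as the two bytes \' .
function probe_still_escaped(array $get) {
    return isset($get['probe']) && $get['probe'] === "\\'";
}

$status = magic_quotes_status();
$status['probe_escaped'] = probe_still_escaped($_GET);

header('Content-Type: text/plain'); // ignored by the CLI SAPI
print_r($status);
```

If 'active' is true while the php.ini you edited says Off, the 'php_ini' path is the one to compare against the file you changed. Remove the script once the check is done; it reveals server paths.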
1

Check the http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc option in php.ini.

Greenisha
1

It sounds like your server has magic quotes turned on - you can take a look at http://www.php.net/manual/en/security.magicquotes.disabling.php for a thorough discussion of ways to disable them.

Sam Dufel