First of all, I understand that magic_quotes causes all kinds of problems and has no place in modern PHP. I'm in a very specific situation where I've upgraded XAMPP from PHP 5 to PHP 7.4 for an intranet site comprised of more than 5000 files. Suddenly, all kinds of SQL INSERT queries are breaking when the user-generated string has single or double quotes in it. It's in no way feasible for me to go through and wrap every variable across these 5000 files with the addslashes function, so I need to come up with some way to globally apply the same logic that magic_quotes did. Any suggestions?
- Use PDO or `escape_string` function at least. – pavel Jun 01 '21 at 15:35
- Neither magic_quotes nor addslashes fixes SQL injection. You need to use prepared statements with bound parameters. – Alex Howansky Jun 01 '21 at 15:36
- @AlexHowansky is there any way to apply this globally, not line-by-line? – kdsprogrammer Jun 01 '21 at 15:48
- Impossible to say without seeing the code, but probably not. – Alex Howansky Jun 01 '21 at 15:56
1 Answer
You really need to update this application (see: How can I prevent SQL injection in PHP?). However, I am pretty sure that's not going to happen. So, in a header file or one that is included before any database operation (auto_prepend_file maybe), just map the superglobals to addslashes. You can add $_COOKIE if needed:
$_POST = array_map('addslashes', $_POST);
$_GET  = array_map('addslashes', $_GET);
Obviously this won't handle multidimensional arrays so you'll have to use a recursive function:
function addslashes_recursive($v) {
    // Recurse into nested arrays; escape scalar leaves with addslashes().
    $v = is_array($v) ? array_map('addslashes_recursive', $v) : addslashes($v);
    return $v;
}
$_POST = addslashes_recursive($_POST);
$_GET  = addslashes_recursive($_GET);
AbraCadaver
- This works, thank you. This is definitely a stop gap, we're rebuilding the whole thing in Laravel within the next year. This is also completely internal to their company, so I'm not worried about malicious SQL injection. – kdsprogrammer Jun 01 '21 at 15:54
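As an added illustration (not code from the answer or the commenters): a complete `auto_prepend_file` shim in the spirit of the answer, made idempotent, followed by the prepared-statement form the comments recommend for each file as it is migrated. The shim path, the `LEGACY_SHIM_APPLIED` constant and the `users` table and columns are assumed names.

```php
<?php
// legacy_shim.php, loaded from php.ini with
//   auto_prepend_file = "C:/xampp/htdocs/legacy_shim.php"   (assumed path)
// Recreates the magic_quotes_gpc effect the answer describes so that legacy
// queries built by string concatenation stop breaking on quotes.

function addslashes_recursive($v) {
    // Recurse into nested arrays; escape scalar leaves with addslashes().
    return is_array($v)
        ? array_map('addslashes_recursive', $v)
        : addslashes((string) $v);
}

// Guard against escaping twice if a page also include()s this file.
if (!defined('LEGACY_SHIM_APPLIED')) {
    define('LEGACY_SHIM_APPLIED', true);
    $_GET     = addslashes_recursive($_GET);
    $_POST    = addslashes_recursive($_POST);
    $_COOKIE  = addslashes_recursive($_COOKIE);
    $_REQUEST = addslashes_recursive($_REQUEST); // separate copy, so no double escaping
}

// Limits of the shim, as the comments point out: addslashes() only helps
// values that the query wraps in quotes, and it knows nothing about the
// connection charset. The target shape for each file as it is migrated,
// with the data bound separately from the SQL text (assumed table/columns):
function find_user(mysqli $db, string $name): ?array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);     // $name may contain quotes; it is never parsed as SQL
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}
```

Note that `find_user()` receives the raw value; once a file uses bound parameters, the shim's extra backslashes would be stored literally, so strip the shim's effect with `stripslashes()` for those call sites or remove the shim once the migration is complete.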
