
I have found the stripslashes function, but I would rather find where I am adding more slashes than I should. My functions use mysql_real_escape_string once for each variable, and I am querying the database using "insert into foo(bar,bar) values($baz,$baz)"; maybe this is the problem.

phpinfo gives

magic_quotes_gpc       On   On
magic_quotes_runtime   Off  Off
magic_quotes_sybase    Off  Off

static function insert($replyto,$memberid,$postid,$comment)
{
    $message=array();
    $lenmax=1000;
    $lenmin=5;

    $toolong="comment is too long.";
    $tooshort="comment is too short.";
    $notarget="replied comment is deleted";
    $nomember="you are not a member";
    $notpost="commented post is deleted";

    // switch(true) runs only the first matching case, so at most one message is collected
    switch(true)
    {
    case strlen($comment)<$lenmin: $message[]=$tooshort; break;
    case strlen($comment)>$lenmax: $message[]=$toolong; break;
    case $replyto!=NULL && !commentexists($replyto): $message[]=$notarget; break;
    case !memberexists($memberid): $message[]=$nomember; break;
    case !postexists($postid): $message[]=$notpost; break;   // was $nopost, an undefined variable
    }
    // the early return has to sit outside the switch: as a case it was never reached after a break
    if(count($message)>0) return $message;

    $replyto=mysql_real_escape_string($replyto);
    $memberid=mysql_real_escape_string($memberid);
    $postid=mysql_real_escape_string($postid);
    $comment=mysql_real_escape_string($comment);
    // note: $replyto, $memberid and $postid are interpolated without quotes (see the second answer)
    if($replyto==NULL)
    mysql_query("insert into fe_comment(memberid,postid,comment) values($memberid,$postid,'$comment')");
    else
    mysql_query("insert into fe_comment(replyto,memberid,postid,comment) values($replyto,$memberid,$postid,'$comment')");
}

My hosting firm has magic_quotes_gpc on and I don't have access to the php.ini file; I am using the Plesk panel to configure things.

php documentation says

An example use of stripslashes() is when the PHP directive magic_quotes_gpc is on (it's on by default), and you aren't inserting this data into a place (such as a database) that requires escaping. For example, if you're simply outputting data straight from an HTML form.

My insert queries are inserted with slashes in the database, and my PHP version is 5.2.3.

documentation also says

If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.

So I am checking whether I escaped values twice, but I am not able to find anywhere that I escaped the values twice. Now I am using

$comment=mysql_real_escape_string(stripslashes($comment));

but I think it shouldn't become a standard in my code because it doesn't look like "the right way", even though it saves the day.

magic_quotes_gpc automatically escapes everything and is also not reliable because it is deprecated.

So I have created a .htaccess file and copied it into all directories where I have an index.php file. The .htaccess files have this text only:

php_flag magic_quotes_gpc Off

I ran phpinfo and it still gives

magic_quotes_gpc On On
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off

Now I need a way to disable magic_quotes_gpc, and I have no access to the php.ini file. I am looking for ways to edit .htaccess files now.

Uğur Gümüşhan

2 Answers


Various ways of disabling magic quotes are provided in the PHP documentation. Failing that, it provides a way of removing the slashes recursively from all of your request variables.

David Gallagher
  • The documentation says: The magic_quotes_gpc directive may only be disabled at the system level, and not at runtime. In other words, use of ini_set() is not an option. I already said I don't have access to the php.ini file. – Uğur Gümüşhan Nov 14 '11 at 01:51
  • It's true that you cannot disable magic quotes at run time, but you can disable them by creating a .htaccess file and sometimes a local php.ini file. As I mentioned, the documentation also provides a good example for removing the escape sequences at run time if they cannot be disabled. – David Gallagher Nov 14 '11 at 01:54
  • I have created a .htaccess file and copied it into all directories where I have an index.php file. The .htaccess files have this text only: php_flag magic_quotes_gpc Off. I ran phpinfo and it still gives magic_quotes_gpc On On, magic_quotes_runtime Off Off, magic_quotes_sybase Off Off – Uğur Gümüşhan Nov 14 '11 at 02:08
  • In your phpinfo, what does it say for "Server API"? – David Gallagher Nov 14 '11 at 02:12
  • The Plesk panel allows me to change it. If you have an idea, I can change it to an appropriate one for convenience. – Uğur Gümüşhan Nov 14 '11 at 02:21
  • OK. The .htaccess method doesn't work in CGI mode. I would first try to create a local php.ini file. This might not be set up, or you might not be able to find the correct location to put the local file, so if that fails you could try setting your Server API to Apache Module/mod_php/dso; however, you may run into other problems in this mode. If that fails, ask your host to disable it, as they usually will. Otherwise you will have to use something like the second example on the documentation link I provided. In that case I might want to consider moving to a more up-to-date host. – David Gallagher Nov 14 '11 at 02:38

I think it shouldn't become a standard in my codes because it doesn't look like "the right way"

You are right.
Magic quotes stuff has nothing to do with SQL stuff and shouldn't be connected to it,
because magic quotes is a site-wide problem and SQL escaping is an SQL-only problem.

So they need different treatment and should never be used in conjunction.

You have to get rid of magic quotes unconditionally, because it is spoiling not only SQL stuff but every data manipulation on your site.

So it would be wise to put some stripslashes code in whatever bootstrap file is run on every call of the script. You can find the code in numerous implementations; just google for the 'stripslashes_deep' function.

It would be wise to have this code always run (of course under the condition of checking get_magic_quotes_gpc()), regardless of the actual state of magic quotes, just for the sake of compatibility.

But there is another possibility to turn them off: try to create a php.ini file in the root of your application.

However, there is a grave mistake in your code. In fact, it doesn't protect anything.
You are escaping $memberid and $postid but don't quote them! Thus, there is no protection at all, because escaping works only when used with quoting.

Please, remember:

Escaping is not a synonym for security!

Escaping alone helps nothing. There is a whole set of rules to be followed.

I wrote a decent explanation recently, so I won't repeat myself: Replacing mysql_* functions with PDO and prepared statements

Your Common Sense
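The two pieces of advice above, the first answer's pointer to the documentation's recursive slash removal and the second answer's stripslashes_deep bootstrap plus its point about the unquoted integers, worked through as one added example. This is not code from the question or from either answer. It keeps the two concerns apart exactly as the second answer says they should be: the bootstrap undoes magic_quotes_gpc once for all request data, and the SQL layer uses PDO prepared statements so no value, quoted or not, is ever interpolated into the query text. The table and column names (fe_comment, replyto, memberid, postid, comment) follow the question; the validation helpers commentexists(), memberexists() and postexists() are assumed to exist as in the question, and the function name insert_comment, the $pdo connection and the empty-array return on success are assumptions made here.

```php
<?php
// Added example, not code from the question or the answers.
// (1) Bootstrap: undo magic_quotes_gpc for every request, site-wide.
// (2) SQL layer: the question's insert() rewritten with PDO prepared statements.

// --- (1) bootstrap: include this once from whatever file runs on every call.
function stripslashes_deep($value)
{
    // Nested arrays (e.g. foo[bar][] form fields) are walked recursively.
    return is_array($value)
        ? array_map('stripslashes_deep', $value)
        : stripslashes($value);
}

// Guarded by get_magic_quotes_gpc(), as the second answer recommends, so the
// same bootstrap is harmless once the host turns magic quotes off (or on a
// PHP version where the function no longer exists).
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = stripslashes_deep($_GET);
    $_POST    = stripslashes_deep($_POST);
    $_COOKIE  = stripslashes_deep($_COOKIE);
    $_REQUEST = stripslashes_deep($_REQUEST);
}

// --- (2) SQL layer. Validation helpers are assumed to exist, as in the question.
// Returns an array of messages (empty on success), an assumption of this example.
function insert_comment(PDO $pdo, $replyto, $memberid, $postid, $comment)
{
    $lenmax = 1000;
    $lenmin = 5;

    $messages = array();
    if (strlen($comment) < $lenmin) {
        $messages[] = 'comment is too short.';
    } elseif (strlen($comment) > $lenmax) {
        $messages[] = 'comment is too long.';
    } elseif ($replyto !== null && !commentexists($replyto)) {
        $messages[] = 'replied comment is deleted';
    } elseif (!memberexists($memberid)) {
        $messages[] = 'you are not a member';
    } elseif (!postexists($postid)) {
        $messages[] = 'commented post is deleted';
    }
    if (count($messages) > 0) {
        return $messages;
    }

    // The SQL text contains no user data at all; values travel as parameters.
    if ($replyto === null) {
        $stmt = $pdo->prepare(
            'INSERT INTO fe_comment (memberid, postid, comment)'
            . ' VALUES (:memberid, :postid, :comment)'
        );
    } else {
        $stmt = $pdo->prepare(
            'INSERT INTO fe_comment (replyto, memberid, postid, comment)'
            . ' VALUES (:replyto, :memberid, :postid, :comment)'
        );
        $stmt->bindValue(':replyto', (int) $replyto, PDO::PARAM_INT);
    }
    // Integer columns are bound as integers: a non-numeric string in $memberid
    // or $postid can no longer change the structure of the statement, which is
    // what the unquoted interpolation in the original code allowed.
    $stmt->bindValue(':memberid', (int) $memberid, PDO::PARAM_INT);
    $stmt->bindValue(':postid',   (int) $postid,   PDO::PARAM_INT);
    $stmt->bindValue(':comment',  $comment,        PDO::PARAM_STR);
    $stmt->execute();

    return array();
}

// Usage (connection details are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASS',
//                array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
// $errors = insert_comment($pdo, null, $_POST['memberid'], $_POST['postid'], $_POST['comment']);
```

Because the bootstrap has already removed the magic-quotes backslashes, $_POST['comment'] reaches insert_comment() exactly as the user typed it, and the driver escapes it once, at the only place escaping belongs. The stripslashes(mysql_real_escape_string()) combination from the question is then unnecessary, and the double-slashed rows in the database stop appearing.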