Questions tagged [magic-quotes]

A security process that automatically escapes incoming data to the PHP script. In summary, all ' (single-quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically.

This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.

60 questions
23 votes, 12 answers

Magic quotes in PHP

According to the PHP manual, in order to make code more portable, they recommend using something like the following for escaping data: if (!get_magic_quotes_gpc()) { $lastname = addslashes($_POST['lastname']); } else { $lastname =…
VirtuosiMedia
10 votes, 3 answers

What are magic quotes runtime in PHP?

I'm totally aware of the aberration of Magic Quotes in PHP, how it is evil and I avoid them like pest, but what are magic_quotes_runtime? From php.ini: Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc. Is is…
AlexV
9 votes, 5 answers

How can I disable PHP magic quotes at runtime?

I'm writing a set of PHP scripts that'll be run in some different setups, some of them shared hosting with magic quotes on (the horror). Without the ability to control PHP or Apache configuration, can I do anything in my scripts to disable PHP…
Adam Acheron
7 votes, 3 answers

Escaping quotes in SQL

According to php.net I should use mysql_real_escape_string() and turn off magic quotes, because it's deprecated. So I turned it off and I used mysql_real_escape_string(), but is it enough to use it just like in the following code? $value = "It's…
Adam Halasz
7 votes, 2 answers

PHP: how to (correctly) remove escaped quotes in arrays when Magic Quotes are ON

As you know when Magic Quotes are ON, single quotes are escaped in values and also in keys. Most solutions to remove Magic Quotes at runtime only unescape values, not keys. I'm seeking a solution that will unescape keys and values... I found out on…
AlexV
5 votes, 4 answers

PHP 5.3 automatically escapes $_GET/$_POST from form strings?

My server admin recently upgraded to PHP 5.3 and I'm getting a weird "bug" (or feature, as the PHP folks have it). I had mysql_real_escape_string around most of my string form data for obvious safety reasons, but now it seems this escaping is…
Lazlo
5 votes, 2 answers

PHP Magic Quotes Question

I've never programmed in an environment with magic quotes turned on before. Now I'm working on a project where it is. This is how I've been setting up user accepted data situations: $first_name = $_POST['first_name']; if(!get_magic_quotes_gpc()) { …
5 votes, 1 answer

Although magic_quotes are turned off still escaped strings?

I disabled magic_quotes in my php.ini. But I still get escaped strings in my form. Note: I'm running this in a theme in WordPress.
Sebastian Hoitz
5 votes, 3 answers

Mysql Real Escape String PHP Function Adding "\" to My Field Entry

I am submitting a form to my MySQL database using PHP. I am sending the form data through the mysql_real_escape_string($content) function. When the entry shows up in my database (checking in phpMyAdmin) all of my double quotes and single quotes are…
Howard Zoopaloopa
4 votes, 5 answers

Understanding input escaping in PHP

One thing that's always confused me is input escaping and whether or not you're protected from attacks like SQL injection. Say I have a form which sends data using HTTP POST to a PHP file. I type the following in an input field and submit the…
Philip Morton
4 votes, 1 answer

Why Magic Quotes has been removed from PHP 5.4?

What are the technical reasons that Magic Quotes has been removed from PHP 5.4? From PHP docs: Performance. Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data.…
Yogesh Suthar
3 votes, 2 answers

Do I have to disable magic quotes when using PDO

Simple question and I want a simple answer. I'm using PDO prepared statements to make sure my data are safely processed to the database. But I'm confused. Do I have to disable magic quotes or use stripslashes on variables if magic_quotes are enabled.…
aygeta
3 votes, 2 answers

Questions switching to PDO from mysql_query

I am switching to PDO from traditional mysql_query() parameterized queries to make use of its security advantages and I have a few questions. First off, does anything need to be done as far as magic_quotes? This web app will be installed on systems…
RANGER
3 votes, 3 answers

PHP magic_quotes_gpc vulnerability

I've been assigned to one of my company's legacy webapps, and after a day or two of poking around the source, I've found an SQL injection vector similar to the following: mysql_query("SELECT * FROM foo WHERE bar='" . $_GET['baz'] . "'"); I've tried…
James K.
3 votes, 2 answers

Magic quotes on older and new versions of PHP

This code is supposed to ensure that clean code gets to the database. It is supposed to work in earlier versions of PHP (earlier than 4.3.0) and later versions of PHP (older than 4.3.0). It works well because the data gets to the database without a…
Gatura