phpmysqlmysql-real-escape-stringstripslashesmagic-quotes-gpc

magic-quotes is ON && usage of stripslashes AND mysql-real-escape-string TOGETHER


Possible Duplicate:
How to prevent SQL injection in PHP?

i am on a free php server, I don't have access to php.ini file and magic_quotes is ON. so while I add records into mysql via my form page, my php code is

$_POST["text"]=trim(stripslashes(mysql_real_escape_string($_POST["text"])));

my question:

  1. i want to eliminate magic_quote effect since it'll depreciate&removed AND put potentially malicious user input into mysql in best way. So does my code above correct or do I need change, improvement?

    thanks,

Solution

  • Just stripslashes() is enough to get rid of the magic quotes.

    $text = stripslashes($_POST["text"]); 
    

    See a more complete example of removing magic quotes at runtime: http://php.net/manual/en/security.magicquotes.disabling.php

    You really should get a different PHP server. Magic quotes have been deprecated since PHP 5.3.0 (June 2009). Your PHP hosting site hasn't updated PHP in almost four years, and you're at risk of many other bugs and even security vulnerabilities. It's time for you to move to another host.


    Re your comments:

    Yes, stripslashes just converts the request parameter to plain text.

    As for the question of whether you should use mysql_real_escape_string()...

    First, you should do that only if you are interpolating the value into an SQL query. You aren't necessarily going to do that with every POST value, so it's dumb to apply the escaping to everything.

    By analogy, it'd be like putting your dinner into refrigerator storage containers before you know how much you will eat and how much you will have as leftovers. :-)

    Second, you shouldn't be using the mysql_* functions anymore at all. They are deprecated as of PHP 5.5.0, and they will be removed in a future version of PHP. You should start now using mysqli_* or PDO functions.

    Third, you shouldn't use escaping at all for dynamic values in SQL queries. Instead, use prepared queries with parameters. Parameterized queries are more secure, easier to code, and faster to run than using mysql_real_escape_string().


    Re your next comment:

    No, I don't think you have got it yet.

    If you want to insert $_POST["text"] into an SQL query, and magic quotes is ON, here's what you do:

    // remove the magic quotes simply with stripslashes():
    $text = stripslashes($_POST["text"]);
    
    // prepare an SQL statement, using a ? placeholder instead of interpolated value
    $stmt = $mysqli->prepare("INSERT INTO mytable (mytext) VALUES (?)");
    
    // always check for an error on prepare, you might have made a syntax error, 
    // or the table might not exist, etc.
    if ($stmt === false) {
      die($mysqli->error);
    } 
    
    // bind one PHP variables for each parameter placeholder in the query
    $stmt->bind_param("s", $text);
    
    // then execute!  MySQL will use the values of the PHP variables you bound
    // in place of the placeholders
    $status = $stmt->execute();
    
    // always check for an error on execute too, because the value of the parameter 
    // might cause the query to fail, e.g. conflicting with another value in a 
    // unique column, etc.
    if ($status === false) {
      die($stmt->error);
    }
    

    There is no case where you need to use mysqli_real_escape_string() if you use query parameters.


    If you need more help, here's a tutorial on mysqli with examples showing bound parameters: