On Thu, 9 Aug 2007 00:29:15 -0500 (CDT), Richard Lynch wrote:
Problem #7:
Magic Quotes was designed for the ASCII character set, and is
downright dangerous to use for anything else (Unicode/UTF-8/etc).
...
[Though maybe not, as maybe addslashes can't do any harm to Unicode if
there's no '
I added the code to my script and I still ended up escaped quotes.
if(ini_get('magic_quotes_gpc')) $_POST['data'] =
stripslashes($_POST['data']); Didn't work at all. I think I read something
about it not working on runtime data. Like gpc if this is correct do you
have another solution? I put
On Thu, August 9, 2007 8:23 am, Bastien Koert wrote:
you could use ini_set at the top of the script to turn the magic
quotes off...
No, you could not.
Lonngg before ini_set is called, PHP has *already* applied
the Magic Quotes feature and munged your data.
:-)
--
Some people
-
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 08, 2007 11:49 PM
To: k3cheese
Cc: php-general@lists.php.net
Subject: RE: [PHP] magic quotes
.htaccess is only meaningful for Apache.
JavaScript is equally useless to Ajax for working around Magic Quotes.
On Wed, August 8
PROTECTED] To: [EMAIL PROTECTED] CC:
php-general@lists.php.net Date: Wed, 8 Aug 2007 23:58:50 -0500 Subject: RE:
[PHP] magic quotes I added the code to my script and I still ended up
escaped quotes. if(ini_get('magic_quotes_gpc')) $_POST['data'] =
stripslashes($_POST['data']); Didn't work at all. I
On 8/9/07, Bastien Koert [EMAIL PROTECTED] wrote:
you could use ini_set at the top of the script to turn the magic quotes
off...if you add this in a prepend file or a common included file that sits
at the top of the script, it should take care of the damn magic quotes...
Why might this not
On 09 August 2007 14:44, David Giragosian wrote:
On 8/9/07, Bastien Koert [EMAIL PROTECTED] wrote:
you could use ini_set at the top of the script to turn the magic
quotes off...if you add this in a prepend file or a common included
file that sits at the top of the script, it should
-
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 07, 2007 11:30 PM
To: KVIGOR
Cc: php-general@lists.php.net
Subject: Re: [PHP] magic quotes
On Tue, July 31, 2007 9:28 am, KVIGOR wrote:
If magic quotes is on and I dont have access to the php.ini.
Is there any way I can strip
k3cheese wrote:
Thanks,
Met javascript not ajax. I had AJAX on the brain do to a project I'm working
on. So I'm assuming there is a library of functions to use with the
.htaccess file? Cause it looks like you can use UNIX and PHP to edit this
file?
htaccess files can do lots of things.
Cool,
That's very informative. You guys ROCK!
-Original Message-
From: Chris [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 08, 2007 5:16 PM
To: k3cheese
Cc: [EMAIL PROTECTED]; php-general@lists.php.net
Subject: Re: [PHP] magic quotes
k3cheese wrote:
Thanks,
Met javascript
@lists.php.net
Subject: Re: [PHP] magic quotes
On Tue, July 31, 2007 9:28 am, KVIGOR wrote:
If magic quotes is on and I dont have access to the php.ini.
Is there any way I can strip quotes from the form field with out
using
AJAX?
Best: Use .htaccess to turn magic_quotes off.
Okay: Use something
: Wednesday, August 08, 2007 11:49 PM
To: k3cheese
Cc: php-general@lists.php.net
Subject: RE: [PHP] magic quotes
.htaccess is only meaningful for Apache.
JavaScript is equally useless to Ajax for working around Magic Quotes.
On Wed, August 8, 2007 7:55 am, k3cheese wrote:
Thanks,
Met javascript
PROTECTED]'
Cc: 'php-general@lists.php.net'
Subject: RE: [PHP] magic quotes
I added the code to my script and I still ended up escaped quotes.
if(ini_get('magic_quotes_gpc')) $_POST['data'] =
stripslashes($_POST['data']); Didn't work at all. I think I read something
about it not working on runtime
Lynch [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 08, 2007 11:49 PM
To: k3cheese
Cc: php-general@lists.php.net
Subject: RE: [PHP] magic quotes
.htaccess is only meaningful for Apache.
JavaScript is equally useless to Ajax for working around Magic Quotes.
On Wed, August 8, 2007 7:55 am
On Thu, August 9, 2007 12:01 am, k3cheese wrote:
I have an example, how using js can instantly remove chars you type.
If I
don't want quotes in the form fields the code in loop removes them.
What's
your take on this?
My take:
Problem #1:
It doesn't work very well for fields that actually
.
-Original Message-
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 09, 2007 12:29 AM
To: k3cheese
Cc: php-general@lists.php.net
Subject: RE: [PHP] magic quotes
On Thu, August 9, 2007 12:01 am, k3cheese wrote:
I have an example, how using js can instantly remove chars you
On Tue, July 31, 2007 9:28 am, KVIGOR wrote:
If magic quotes is on and I dont have access to the php.ini.
Is there any way I can strip quotes from the form field with out using
AJAX?
Best: Use .htaccess to turn magic_quotes off.
Okay: Use something like if (ini_get('magic_quotes_gpc')) $data
What do people on this list usually do with this kind of problem. To
me, the .htaccess seems the easiest solution, since I don't have to
change any scripts.
Use a .htaccess file, or if performance is any sort of concern, put it
in the server configuration files and turn off .htaccess files.
without having to worry about different .htaccess files for each.
Ta
Steve
-Original Message-
From: Richard Heyes [mailto:[EMAIL PROTECTED]
Sent: 17 July 2007 12:25
To: Phil Princely
Cc: php-general@lists.php.net
Subject: Re: [PHP] magic quotes
What do people on this list usually do
Phil Princely wrote:
What do people on this list usually do with this kind of problem. To
me, the .htaccess seems the easiest solution, since I don't have to
change any scripts.
I would certainly turn it off in php.ini or apache config files if
possible (the .htaccess line should be php_flag
Phil Princely wrote:
thanks for all the help.
My code was wrong in the first post, I just copied it straight from
the web. This one works:
if (get_magic_quotes_gpc()) {
stripslashes_array($_GET);
stripslashes_array($_POST);
stripslashes_array($_REQUEST);
On Tue, July 17, 2007 5:30 am, Phil Princely wrote:
I've been having a problem with a setting on a test server and
production server. My test server has magic_quotes_gpc off, but the
production server has it turned on. I've no access to the php.ini for
the production server and don't want to
different .htaccess files for
each.
Ta
Steve
-Original Message-
From: Richard Heyes [mailto:[EMAIL PROTECTED]
Sent: 17 July 2007 12:25
To: Phil Princely
Cc: php-general@lists.php.net
Subject: Re: [PHP] magic quotes
What do people on this list usually do with this kind of problem
Liz Kim wrote:
I've got all three Magic Quote directives turned off...
When I use sql query to grab any string from a database, it
still spits out the \ in front of the special characters..
Turning off magic quotes doesn't repair the data already in your
database. It sounds like data has
On 2/23/07, Liz Kim [EMAIL PROTECTED] wrote:
I've got all three Magic Quote directives turned off...
When I use sql query to grab any string from a database, it still spits
out
the \ in front of the special characters..
Any ideas?
thanks
What's it look like in the database?
David
On Fri, February 23, 2007 12:04 pm, Liz Kim wrote:
I've got all three Magic Quote directives turned off...
When I use sql query to grab any string from a database, it still
spits out
the \ in front of the special characters..
Here's one possible scenario:
You *USED* to have Magic Quotes GPC
Angelo Zanetti wrote:
Hi guys.
... So on my live server should I enable
magic_quotes_gpc or should I use addslashes() and stripslashes()?
Thanks in advance.
In addition to all the other replies saying that magic quotes are evil
which I completely agree with, it should also be noted that
This one time, at band camp, Angelo Zanetti [EMAIL PROTECTED] wrote:
should I enable magic_quotes_gpc or should I use
addslashes() and stripslashes()?
magic quotes is disabled by default these days, and does not make for portable
code.
It is removed in PHP6
Kevin
--
Democracy is two wolves
IMHO,
it really depends on a couple of things...
1). how you use it
and 2). How much control you want...
If you have a single point of entry for database actions, like a class
that mimics the database structure and handles updates, inserts,
deletes, then it makes sense to turn them off to give
Angelo Zanetti wrote:
So should i avoid magic_quotes_gpc all together?
In my opinion, yes.
my local development server has them enabled and when testing
the input of a textfield that does a select query I input 'hello'
(including single quotes) and it works really well with the
single quotes
At 2:37 PM -0800 4/5/06, Angelo Zanetti wrote:
Hi guys.
I've just read an article that gives a good explanation about
escaping single quote characters with slashes, the author then says
that magic_quotes_gpc can do this for you if enabled on your server,
he then he also mentions how if your
Angelo Zanetti wrote:
Hi guys.
I've just read an article that gives a good explanation about escaping
single quote characters with slashes, the author then says that
magic_quotes_gpc can do this for you if enabled on your server, he then
he also mentions how if your magic_quotes_gpc are not
tedd wrote:
I do it by placing a text file at root named .htaccess with the
following
php_value magic_quotes_gpc 0
php_value magic_quotes_sybase 0
php_value magic_quotes_runtime 0
Only works if your web server allows you to do this. In Apache the
controlling option for this is:
Directory
Hello Lance--
On 8/5/05 2:18 PM, Lance Earl [EMAIL PROTECTED] wrote:
I recently upgraded my server. It is running Ubuntu Linux with PHP and
MySQL. My site allows people to post content to their own web oages
through a web interface. Many of my customers compose their content on a
word
Lance Earl wrote:
I recently upgraded my server. It is running Ubuntu Linux with PHP and
MySQL. My site allows people to post content to their own web oages
through a web interface. Many of my customers compose their content on a
word processer and then cust and paste it to the web interface for
Hi Marco,
Thanks for the help, you gave me a place to start. Before doing what would
amount to a lot of coding to correct this problem throughout my site I
wanted to see if it could be corrected on the server side.
I found the following section in the php.ini file:
; As of 4.0b4, PHP always
Ben Edwards (lists) wrote:
Am I correct in thinking Magic Quotes automatically adds quotes to all
posted variables, therefore if you are displaying post variables on a
form you have to remove the quotes. They are only needed if you are
actually inserting/updating into the database. Whether
Jochem Maas wrote:
Ben Edwards (lists) wrote:
Am I correct in thinking Magic Quotes automatically adds quotes to all
posted variables, therefore if you are displaying post variables on a
form you have to remove the quotes. They are only needed if you are
actually inserting/updating into the
On Thu, 2005-02-10 at 13:28 +0100, Jochem Maas wrote:
Ben Edwards (lists) wrote:
Am I correct in thinking Magic Quotes automatically adds quotes to all
posted variables, therefore if you are displaying post variables on a
form you have to remove the quotes. They are only needed if you are
On Thu, 2005-02-10 at 13:45 +0100, Jochem Maas wrote:
Ben Edwards (lists) wrote:
PS phpsc.net seems to be down, or is the domain wrong?
er yes, oops. as Jeffery pointed out it should have been
phpsec.org. had a brainfreeze sorry.
OK, trying to do a function to remove magic quotes from
Ben Edwards (lists) wrote:
On Thu, 2005-02-10 at 13:45 +0100, Jochem Maas wrote:
Ben Edwards (lists) wrote:
PS phpsc.net seems to be down, or is the domain wrong?
er yes, oops. as Jeffery pointed out it should have been
phpsec.org. had a brainfreeze sorry.
OK, trying to do a function to remove
Ben Edwards (lists) wrote:
Am I correct in thinking Magic Quotes automatically adds quotes to all
posted variables, therefore if you are displaying post variables on a
form you have to remove the quotes. They are only needed if you are
actually inserting/updating into the database. Whether
On Thursday 10 February 2005 23:36, Ben Edwards (lists) wrote:
The cleaning works but magic_quotes_runtime is false even if magic
codes are on, any ideas?
There are at least two magic_quotes_* settings, make sure you are
referring to the correct one(s).
--
Jason Wong - Gremlins Associates -
On Wed, 26 Jan 2005 13:07:34 -0800 (PST), Richard Lynch [EMAIL PROTECTED]
wrote:
Ben Edwards wrote:
On Tue, 25 Jan 2005 17:02:21 -0800, Chris [EMAIL PROTECTED]
wrote:
You should probably use get_magic_quotes_runtime() , as _gpc only
applies to GET/POST/COOKIE,
htmlspecialchars is
On Tue, 25 Jan 2005 17:02:21 -0800, Chris [EMAIL PROTECTED] wrote:
You should probably use get_magic_quotes_runtime() , as _gpc only
applies to GET/POST/COOKIE,
htmlspecialchars is needed so the HTML can be parsed properly:
So this is this only done to stuff that is to be displayed on a web
To view the terms under which this email is distributed, please go to
http://disclaimer.leedsmet.ac.uk/email.htm
-Original Message-
From: Ben Edwards [mailto:[EMAIL PROTECTED]
Sent: 26 January 2005 10:15
On Tue, 25 Jan 2005 17:02:21 -0800, Chris
[EMAIL PROTECTED] wrote:
You
Ben Edwards wrote:
On Tue, 25 Jan 2005 17:02:21 -0800, Chris [EMAIL PROTECTED]
wrote:
You should probably use get_magic_quotes_runtime() , as _gpc only
applies to GET/POST/COOKIE,
htmlspecialchars is needed so the HTML can be parsed properly:
So this is this only done to stuff that is to
It means that you can't set that setting inside a script with ini_set.
Since the earliest opportunity to set it in a script would be after it
would have already done it's job, it won't work.
You must set it before the script runs.
Chris
Ben Edwards wrote:
In the php manual it states
' Keep in
Ben Edwards wrote:
In the php manual it states
' Keep in mind that the setting magic_quotes_gpc will not work at
runtime.'
What douse this actualy mean?
Translation:
If you try to use ini_set to change magic_quotes_gps in your .php script,
here's what happens:
Step 1: Apache/PHP set up
I'm not quite sure I understand you...
The theory behind that function looks sound, but are you meaning to
return the value or pass it by reference and modify it?
Chris
Ben Edwards wrote:
OK. This is really confusing me.
I am using the following function to handle this:
function prep( $text ) {
OK. This is really confusing me.
I am using the following function to handle this:
function prep( $text ) {
echo get_magic_quotes_gpc(). ;
if (get_magic_quotes_gpc()) {
echo mq on for $text;
return $text;
} else {
echo mq off;
return addslashes($text);
}
}
And
Ben Edwards wrote:
OK. This is really confusing me.
I am using the following function to handle this:
function prep( $text ) {
echo get_magic_quotes_gpc(). ;
if (get_magic_quotes_gpc()) {
echo mq on for $text;
return $text;
} else {
echo mq off;
return
PS. How does htmlspecialchars fit into this. The unprep function is
to prepare date coming from the database to be used in input
type=text, douse the below function make sence?
Ben
function unprep( $text ) {
// Take data coming from the database an get it ready to be presented
You should probably use get_magic_quotes_runtime() , as _gpc only
applies to GET/POST/COOKIE,
htmlspecialchars is needed so the HTML can be parsed properly:
if the value in the text box was something like:
Hello World!
when you go to put in the value attribute it would end up:
input type=text
Shaun wrote:
function db_query($query) {
if(!magic_quotes_gpc()){
$qid = mysql_query(addslashes($query));
} else {
$qid = mysql_query($query);
}
return $qid;
}
But this adds too many slashes! Has anyone come to a better solution
regarding this?
I believe you should be
Try
$string = mysql_real_escape_string($string);
On 7 Dec 2004, at 14:12, Shaun wrote:
Hi,
I have been investigating the problem of apostrphes in a mysql insert /
update. I use a db_query function for all my queries:
function db_query($query) {
$qid = mysql_query($query);
return $qid;
}
It
Shaun wrote:
function db_query($query) {
if(!magic_quotes_gpc()){
$qid = mysql_query(addslashes($query));
} else {
$qid = mysql_query($query);
}
return $qid;
}
But this adds too many slashes! Has anyone come to a better solution
regarding this?
Can you give us some
Jeff McKeon wrote:
So now the big question which will undoubtly spark a lot of opinions (I
hope).
We use apache/php/mysql based sites for internal management of our
systems and would now like to give our customers direct access to manage
their accounts via the web. Naturally this raises
On Mon, 2004-12-06 at 12:57, Jeff McKeon wrote:
Does having magic-quotes=on prevent an attacker from using a urlized sql
inject query?
Somewhat, but I think magic_quotes=off is the preferred style since
magic quotes are a big headache for portability. At any rate,
understanding what you are
-Original Message-
From: Robert Cummings [mailto:[EMAIL PROTECTED]
Sent: Monday, December 06, 2004 1:45 PM
To: Jeff McKeon
Cc: PHP-General
Subject: Re: [PHP] Magic-quotes
On Mon, 2004-12-06 at 12:57, Jeff McKeon wrote:
Does having magic-quotes=on prevent an attacker from
Jeff McKeon wrote:
Does having magic-quotes=on prevent an attacker from using a urlized sql
inject query?
Not likely.
Magic Quotes is a convenience feature, not a security feature.
Magic Quotes is oft-understood, even by journeymen PHP programmers.
Magic Quotes takes all incoming POST/GET
On Mon, 2004-12-06 at 13:47, Jeff McKeon wrote:
Assuming I have no portability needs and have magic_quotes=on, can you
elaborate on somewhat?
Somewhat... till someone comes along and changes your php.ini, or you
transfer your code to another server and forget to enable magic quotes.
At which
* Richard Lynch [EMAIL PROTECTED]:
Jeff McKeon wrote:
Does having magic-quotes=on prevent an attacker from using a urlized sql
inject query?
Not likely.
Magic Quotes is a convenience feature, not a security feature.
Magic Quotes is oft-understood, even by journeymen PHP programmers.
The thing that always kills me is when programmers call stripslashes on
data that comes *OUT* of MySQL. No, no, no, no. Whatever it is you
did,
or think you are doing, or think you are fixing, that's WRONG.
Maybe you called addslashes twice, once with Magic Quotes, and once by
hand and
So now the big question which will undoubtly spark a lot of opinions (I
hope).
We use apache/php/mysql based sites for internal management of our
systems and would now like to give our customers direct access to manage
their accounts via the web. Naturally this raises security concerns.
From
On Mon, 2004-12-06 at 16:22, Jeff McKeon wrote:
So now the big question which will undoubtly spark a lot of opinions (I
hope).
We use apache/php/mysql based sites for internal management of our
systems and would now like to give our customers direct access to manage
their accounts via the
[EMAIL PROTECTED] wrote:
I've continued plowing my way thru the 2nd edition
of PHP and MySQL Web Development by Welling and
Thomson. I've made it to chapter 24, where I've just
read that for this chapter's project I will need to
have switched on magic quotes or use addslashes()
and
Hello,
This is a reply to an e-mail that you wrote on Tue, 22 Jul 2003 at
20:36, lines prefixed by '' were originally written by you.
Hello,
I am running a test server and a live system. both do have the
same
php
version running.
The test system however does not report a db error if I try to
--- Merlin [EMAIL PROTECTED] wrote:
As I learned from php.ini magic quotes are turned off on both systems.
As a first step, make sure the output of phpinfo() agrees with your analysis.
Chris
=
Become a better Web developer with the HTTP Developer's Handbook
http://httphandbook.org/
--
I just found, that one server pulls the data out of the db and leaves the
slashes inside the text, while the other one does not.
both of the phpinfo look same to me. However I might have overlooked
something.
I do use addslashes to escape the characters.
Anny suggestions?
Chris Shiflett [EMAIL
Hello,
This is a reply to an e-mail that you wrote on Tue, 22 Jul 2003 at
20:53, lines prefixed by '' were originally written by you.
I just found, that one server pulls the data out of the db and
leaves
the
slashes inside the text, while the other one does not.
both of the phpinfo look same
-Original Message-
From: Chris Hewitt [mailto:[EMAIL PROTECTED]
Sent: 03 April 2003 09:26
To: Justin French
[snip]
What I have done is to do the addslashes/stripslashes assuming
magic_quotes_runtime is off then force it off within my code
beforehand
with:
if
Ford, Mike [LSS] wrote:
-Original Message-
From: Chris Hewitt [mailto:[EMAIL PROTECTED]
Sent: 03 April 2003 09:26
To: Justin French
[snip]
What I have done is to do the addslashes/stripslashes assuming
magic_quotes_runtime is off then force it off within my code
beforehand
with:
So,
1. turn ON runtime and gpc
No, leave them off if your code runs fine without them. You'll save
resources if you do the addslashes() yourself to only the fields that
need it instead of everything. I see no reason at all to ever have
runtime ON. It will escape data coming _from_ the
That's exactly what magic_quotes_runtime does. It adds slashes to data
at runtime - including data returned from functions such as
mysql_fetch_(assoc/row/array/object).
Justin French wrote:
Hi all,
Can I just have a quick head check on magic quotes runtime (gpc)?
I have them both set to
Justin French wrote:
Hi all,
Can I just have a quick head check on magic quotes runtime (gpc)?
I have them both set to Off currently, and my pages work fine. However,
when I set them to on, I end up with slashes throughout the mysql data.
Is this the expected behaviour? Seems
Hi Philip,
Thanks for taking the time...
$me = confused;
...but rather than attempting to get a grip on the past, I need a solution
for the future :)
So,
1. turn ON runtime and gpc
2. only addslashes() when inserting into the database IF
get_magic_quotes_runtime() is 0 (false)
3. only
On Thu, 3 Apr 2003, Justin French wrote:
Hi all,
Can I just have a quick head check on magic quotes runtime (gpc)?
I have them both set to Off currently, and my pages work fine. However,
when I set them to on, I end up with slashes throughout the mysql data.
This means you essentially
Hi,
Thursday, December 5, 2002, 3:39:20 AM, you wrote:
JTJ What are magic quotes? Will this help me?
JTJ http://news.php.net/article.php?group=php.generalarticle=126934
JTJ How is this different from stripslashes.
JTJ I have RTF doc :)
JTJ
magic_quotes_gpc is simple, it essentially runs
addslashes on all GET, POST and COOKIE data.
That's it.
http://www.php.net/ref.info#ini.magic-quotes-gpc
http://www.php.net/addslashes
http://www.php.net/variables.external
Not sure about your problem, maybe someone else can
help.
Regards,
On Thursday 14 November 2002 03:06, Paul Kaiser wrote:
Greetings,
Is there a performance penalty for having
magic_quotes_runtime
turned on all the time?
According to the notes in php.ini, magic_quotes_gpc is now disabled by default
because of performance reasons. So I suppose the same
Unless I'm even more confused than usual about something I've long believed
to be true...
MagicQuotes does not ever strip slashes.
MagicQuotes does an addslashes before the data gets into the database.
Are you viewing the same record all the time, or is it possible that one of
your records has
Richard,
It's the same record every time that shows the different behavior. The code
is extremely straightforward, just retrieve the record and display it. And,
I've got other scripts on the same host that also display this behavior
intermittantly.
MagicQuotes is turned on. And, it typically
83 matches
Mail list logo
