Re: [PHP] magic quotes
On Thu, 9 Aug 2007 00:29:15 -0500 (CDT), Richard Lynch wrote:

> Problem #7: Magic Quotes was designed for the ASCII character set, and is downright dangerous to use for anything else (Unicode/UTF-8/etc).
> ...
> [Though maybe not, as maybe addslashes can't do any harm to Unicode if there's no ' nor \ to escape... You'd have to ask a Unicode geek. But they'd tell you to just turn off the Magic Quotes and be done with it anyway.]

UTF-8 was designed to avoid collision with ASCII. Code points above U+7f only contain octets in the range 0x80 to 0xff, so magic quotes should work just fine for UTF-8 (if magic quotes can be said to work fine at all).

The situation is different when it comes to UTF-16 and -32, where magic quotes could insert octets inside code units. Example: U+0100 (A with macron) is 01 00 in UTF-16BE, which addslashes() turns into 01 5c 00.

I mention addslashes() in the example because I don't know how to provoke a browser to make a form submission in UTF-16. Has anyone ever seen a form submission using anything other than UTF-8 or one of the extended ASCII encodings?

/Nisse

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
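The bytes behind Nisse's example, as an added illustration rather than code from the thread: it assumes PHP 7 or later with the mbstring extension for mb_convert_encoding(), and shows that addslashes() leaves a UTF-8 string intact while rewriting the NUL bytes that UTF-16 and UTF-32 place inside every code unit, plain ASCII letters included.

```php
<?php
// Added example, not code from the thread: what addslashes() (the function
// magic_quotes_gpc ran over every GET/POST/COOKIE value) does to the same
// text in several encodings. It only touches the bytes ' " \ and NUL, so the
// question is whether an encoding can put one of those bytes inside a
// multi-byte character. Assumes PHP >= 7.0 with the mbstring extension.
declare(strict_types=1);

/** Render a byte string as space-separated hex octets, e.g. "c4 80". */
function hexBytes(string $bytes): string
{
    return implode(' ', str_split(bin2hex($bytes), 2));
}

/**
 * Run addslashes() over an already-encoded byte string and report whether
 * it was altered. Returns [altered, hex before, hex after].
 */
function addslashesEffect(string $encoded): array
{
    $escaped = addslashes($encoded);
    return [$escaped !== $encoded, hexBytes($encoded), hexBytes($escaped)];
}

// Sample text constructed for this example: U+0100 (A with macron), the
// character from Nisse's message, followed by a plain ASCII letter.
$text = "\u{0100}A";

foreach (['UTF-8', 'UTF-16BE', 'UTF-16LE', 'UTF-32BE'] as $encoding) {
    $encoded = mb_convert_encoding($text, $encoding, 'UTF-8');
    [$altered, $before, $after] = addslashesEffect($encoded);
    printf("%-8s  %-26s -> %-44s %s\n", $encoding, $before, $after,
        $altered ? 'code units broken' : 'intact');
}
// addslashes() rewrites each NUL byte as the two characters \ and 0, so the
// UTF-16 and UTF-32 forms grow and their fixed-width code units no longer
// line up; a UTF-8 multi-byte sequence contains no byte below 0x80 and is
// left alone. Either way the only robust fix is to have magic quotes off.
```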
Re: [PHP] magic quotes
> I added the code to my script and I still ended up with escaped quotes.
>
> if (ini_get('magic_quotes_gpc')) $_POST['data'] = stripslashes($_POST['data']);
>
> Didn't work at all. I think I read something about it not working on runtime data, like gpc. If this is correct, do you have another solution? I put this line in the .htaccess file and it didn't work either: php_flag magic_quotes_gpc off... Is there any way possible? I don't need it now, but it'd be nice to know for future dev.

http://www.phpguru.org/article.php?ne_id=58

-- 
Richard Heyes
+44 (0)844 801 1072
http://www.websupportsolutions.co.uk
Knowledge Base and HelpDesk software that can cut the cost of online support
RE: [PHP] magic quotes
On Thu, August 9, 2007 8:23 am, Bastien Koert wrote:
> you could use ini_set at the top of the script to turn the magic quotes off...

No, you could not.

Lonngg before ini_set is called, PHP has *already* applied the Magic Quotes feature and munged your data. :-)

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
RE: [PHP] magic quotes
It did work. I was expecting a physical change in the form display, as the form field values are set to stripslashes values.

-----Original Message-----
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 09, 2007 12:20 AM
To: k3cheese
Cc: php-general@lists.php.net
Subject: RE: [PHP] magic quotes

> runtime data means data that is coming out of your database at runtime, as opposed to gpc data, which means data from GET/POST/COOKIE.
>
> It most certainly does NOT mean that you can't modify the data you have received in any way you choose.
>
> Can you clarify "Didn't work at all." for us?
>
> Or, perhaps, see if what you think is happening is happening:
>
> <?php
> echo "<pre>BEFORE:\n";
> var_dump($_POST);
> echo "</pre>";
> if (ini_get('magic_quotes_gpc')) {
>     echo "ALTERING<br />\n";
>     $_POST['data'] = stripslashes($_POST['data']);
>     echo "<pre>AFTER:\n";
>     var_dump($_POST);
>     echo "</pre>";
> }
> ?>
>
> Because using stripslashes to un-do the evil effects of magic_quotes_gpc is pretty much a no-brainer...
>
> .htaccess might not work for a number of reasons, such as:
> You're not using Apache.
> .htaccess is turned off in your httpd.conf
> You didn't put .htaccess in the same directory as your PHP script
RE: [PHP] magic quotes
You could use ini_set at the top of the script to turn the magic quotes off... If you add this in a prepend file or a common included file that sits at the top of the script, it should take care of the damn magic quotes...

Failing that, ask your host to turn it off.

Bastien

> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> CC: php-general@lists.php.net
> Date: Wed, 8 Aug 2007 23:58:50 -0500
> Subject: RE: [PHP] magic quotes
>
> I added the code to my script and I still ended up with escaped quotes.
>
> if (ini_get('magic_quotes_gpc')) $_POST['data'] = stripslashes($_POST['data']);
>
> Didn't work at all. I think I read something about it not working on runtime data, like gpc. If this is correct, do you have another solution? I put this line in the .htaccess file and it didn't work either: php_flag magic_quotes_gpc off... Is there any way possible? I don't need it now, but it'd be nice to know for future dev.
>
> Kevon K. Hayes
> 815-980-3435
> RFD, IL
Re: [PHP] magic quotes
On 8/9/07, Bastien Koert [EMAIL PROTECTED] wrote:
> you could use ini_set at the top of the script to turn the magic quotes off...if you add this in a prepend file or a common included file that sits at the top of the script, it should take care of the damn magic quotes...

Why might this not work? I tried using ini_set(magic_quotes_gpc, 0 | 0 | FALSE | FALSE ) and none of these worked, either locally on my dev system or on a hosting system I just started using. PHP versions were either 5.2.0 or 5.2.1.

> failing that ask your host to turn it off

The guy graciously did turn it off when I asked him to.

> Bastien

David
RE: [PHP] magic quotes
On 09 August 2007 14:44, David Giragosian wrote:
> On 8/9/07, Bastien Koert [EMAIL PROTECTED] wrote:
>> you could use ini_set at the top of the script to turn the magic quotes off...if you add this in a prepend file or a common included file that sits at the top of the script, it should take care of the damn magic quotes...
>
> Why might this not work?

Because, by the time your script starts executing, any magic_quotes_gpc processing has already been applied. As such, it only makes sense to set this option in php.ini, httpd.conf or .htaccess (or equivalents).

Cheers!

Mike

-----
Mike Ford, Electronic Information Services Adviser, JG125, The Headingley Library, James Graham Building, Leeds Metropolitan University, Headingley Campus, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 812 4730  Fax: +44 113 812 3211

To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm
RE: [PHP] magic quotes
Thanks. Meant JavaScript, not Ajax. I had AJAX on the brain due to a project I'm working on. So I'm assuming there is a library of functions to use with the .htaccess file? Cause it looks like you can use UNIX and PHP to edit this file?

Kevon K. Hayes
815-980-3435
RFD, IL

-----Original Message-----
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 07, 2007 11:30 PM
To: KVIGOR
Cc: php-general@lists.php.net
Subject: Re: [PHP] magic quotes

> On Tue, July 31, 2007 9:28 am, KVIGOR wrote:
>> If magic quotes is on and I don't have access to the php.ini, is there any way I can strip quotes from the form field without using AJAX?
>
> Best: Use .htaccess to turn magic_quotes off.
>
> Okay: Use something like
>
> if (ini_get('magic_quotes_gpc')) $data = stripslashes($data);
>
> Worst: Ajax cannot possibly begin to address this issue and is completely useless to solve this particular problem.
Re: [PHP] magic quotes
k3cheese wrote:
> Thanks. Meant JavaScript, not Ajax. I had AJAX on the brain due to a project I'm working on. So I'm assuming there is a library of functions to use with the .htaccess file? Cause it looks like you can use UNIX and PHP to edit this file?

htaccess files can do lots of things.

http://httpd.apache.org/docs/2.2/howto/htaccess.html

See also http://www.php.net/manual/en/ini.php#ini.list for what you can change and where you're allowed to change it (some values can only be changed in the php.ini or apache config, for example).

-- 
Postgresql & php tutorials
http://www.designmagick.com/
RE: [PHP] magic quotes
Cool, that's very informative. You guys ROCK!

-----Original Message-----
From: Chris [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 08, 2007 5:16 PM
To: k3cheese
Cc: [EMAIL PROTECTED]; php-general@lists.php.net
Subject: Re: [PHP] magic quotes

> k3cheese wrote:
>> Thanks. Meant JavaScript, not Ajax. I had AJAX on the brain due to a project I'm working on. So I'm assuming there is a library of functions to use with the .htaccess file? Cause it looks like you can use UNIX and PHP to edit this file?
>
> htaccess files can do lots of things.
>
> http://httpd.apache.org/docs/2.2/howto/htaccess.html
>
> See also http://www.php.net/manual/en/ini.php#ini.list for what you can change and where you're allowed to change it (some values can only be changed in the php.ini or apache config, for example).
RE: [PHP] magic quotes
.htaccess is only meaningful for Apache.

JavaScript is equally useless to Ajax for working around Magic Quotes.

On Wed, August 8, 2007 7:55 am, k3cheese wrote:
> Thanks. Meant JavaScript, not Ajax. I had AJAX on the brain due to a project I'm working on. So I'm assuming there is a library of functions to use with the .htaccess file? Cause it looks like you can use UNIX and PHP to edit this file?
>
> Kevon K. Hayes
> 815-980-3435
> RFD, IL

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
RE: [PHP] magic quotes
I added the code to my script and I still ended up with escaped quotes.

if (ini_get('magic_quotes_gpc')) $_POST['data'] = stripslashes($_POST['data']);

Didn't work at all. I think I read something about it not working on runtime data, like gpc. If this is correct, do you have another solution?

I put this line in the .htaccess file and it didn't work either: php_flag magic_quotes_gpc off... Is there any way possible? I don't need it now, but it'd be nice to know for future dev.

Kevon K. Hayes
815-980-3435
RFD, IL

-----Original Message-----
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 08, 2007 11:49 PM
To: k3cheese
Cc: php-general@lists.php.net
Subject: RE: [PHP] magic quotes

> .htaccess is only meaningful for Apache.
>
> JavaScript is equally useless to Ajax for working around Magic Quotes.
RE: [PHP] magic quotes
I have an example of how using JS can instantly remove chars as you type. If I don't want quotes in the form fields, the code in the loop removes them. What's your take on this?

-----Original Message-----
From: k3cheese [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 08, 2007 11:59 PM
To: '[EMAIL PROTECTED]'
Cc: 'php-general@lists.php.net'
Subject: RE: [PHP] magic quotes

> I added the code to my script and I still ended up with escaped quotes.
>
> if (ini_get('magic_quotes_gpc')) $_POST['data'] = stripslashes($_POST['data']);
>
> Didn't work at all. I think I read something about it not working on runtime data, like gpc. If this is correct, do you have another solution? I put this line in the .htaccess file and it didn't work either: php_flag magic_quotes_gpc off... Is there any way possible? I don't need it now, but it'd be nice to know for future dev.
>
> Kevon K. Hayes
> 815-980-3435
> RFD, IL
RE: [PHP] magic quotes
runtime data means data that is coming out of your database at runtime, as opposed to gpc data, which means data from GET/POST/COOKIE.

It most certainly does NOT mean that you can't modify the data you have received in any way you choose.

Can you clarify "Didn't work at all." for us?

Or, perhaps, see if what you think is happening is happening:

<?php
echo "<pre>BEFORE:\n";
var_dump($_POST);
echo "</pre>";
if (ini_get('magic_quotes_gpc')) {
    echo "ALTERING<br />\n";
    $_POST['data'] = stripslashes($_POST['data']);
    echo "<pre>AFTER:\n";
    var_dump($_POST);
    echo "</pre>";
}
?>

Because using stripslashes to un-do the evil effects of magic_quotes_gpc is pretty much a no-brainer...

.htaccess might not work for a number of reasons, such as:
You're not using Apache.
.htaccess is turned off in your httpd.conf
You didn't put .htaccess in the same directory as your PHP script

On Wed, August 8, 2007 11:58 pm, k3cheese wrote:
> I added the code to my script and I still ended up with escaped quotes.
>
> if (ini_get('magic_quotes_gpc')) $_POST['data'] = stripslashes($_POST['data']);
>
> Didn't work at all. I think I read something about it not working on runtime data, like gpc. If this is correct, do you have another solution? I put this line in the .htaccess file and it didn't work either: php_flag magic_quotes_gpc off... Is there any way possible? I don't need it now, but it'd be nice to know for future dev.
>
> Kevon K. Hayes
> 815-980-3435
> RFD, IL

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
RE: [PHP] magic quotes
On Thu, August 9, 2007 12:01 am, k3cheese wrote:
> I have an example of how using JS can instantly remove chars as you type. If I don't want quotes in the form fields, the code in the loop removes them. What's your take on this?

My take:

Problem #1: It doesn't work very well for fields that actually should allow an apostrophe.

Problem #2: Apostrophe is NOT the only character that magic_quotes affects.

Problem #3: You can't rely on JavaScript sanitizing, because the Bad Guys aren't using a web browser; they are splatting whatever raw data they want directly at your script. Start reading here: http://phpsec.org

Problem #4: You cannot guarantee JavaScript is enabled in my browser. In fact, you can guarantee that at least one user will have disabled JavaScript.

Problem #5: It doesn't do diddly-squat for GET data nor for COOKIE data, only POST.

Problem #6: There is no number 6.

Problem #7: Magic Quotes was designed for the ASCII character set, and is downright dangerous to use for anything else (Unicode/UTF-8/etc).

Avoiding the input of the apostrophes (and other characters) but still having Magic Quotes on means you're just spinning your wheels with PHP calling addslashes on POST data that you HOPE (but can't prove) doesn't have apostrophe and other characters in it, but this could completely screw up in Unicode/UTF-8 incoming data, and most likely leave you vulnerable.

Unless, of course, you use mysql_real_escape_string like you are supposed to.

Even then, the Unicode coming in will possibly/probably be whacked wrong by Magic Quotes sooner or later, so now if you want to support non-ASCII charsets, you probably can't, because Magic Quotes is munging the data before you get a chance to call mysql_real_escape_string on it to do the right thing.

[Though maybe not, as maybe addslashes can't do any harm to Unicode if there's no ' nor \ to escape... You'd have to ask a Unicode geek. But they'd tell you to just turn off the Magic Quotes and be done with it anyway.]

But that's just my take... :-v

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
RE: [PHP] magic quotes
Indeed. The Force is strong with this one... this Richard Lynch. Thanks for your insight. You are right, magic quotes is indeed meddling with my vars before I can. OK, I better understand. I'll do more homework. I've already investigated the other link you advised and it's bookmarked.

-----Original Message-----
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 09, 2007 12:29 AM
To: k3cheese
Cc: php-general@lists.php.net
Subject: RE: [PHP] magic quotes

> On Thu, August 9, 2007 12:01 am, k3cheese wrote:
>> I have an example of how using JS can instantly remove chars as you type. If I don't want quotes in the form fields, the code in the loop removes them. What's your take on this?
>
> My take:
>
> Problem #1: It doesn't work very well for fields that actually should allow an apostrophe.
>
> Problem #2: Apostrophe is NOT the only character that magic_quotes affects.
>
> Problem #3: You can't rely on JavaScript sanitizing, because the Bad Guys aren't using a web browser; they are splatting whatever raw data they want directly at your script. Start reading here: http://phpsec.org
>
> Problem #4: You cannot guarantee JavaScript is enabled in my browser. In fact, you can guarantee that at least one user will have disabled JavaScript.
>
> Problem #5: It doesn't do diddly-squat for GET data nor for COOKIE data, only POST.
>
> Problem #6: There is no number 6.
>
> Problem #7: Magic Quotes was designed for the ASCII character set, and is downright dangerous to use for anything else (Unicode/UTF-8/etc).
>
> Avoiding the input of the apostrophes (and other characters) but still having Magic Quotes on means you're just spinning your wheels with PHP calling addslashes on POST data that you HOPE (but can't prove) doesn't have apostrophe and other characters in it, but this could completely screw up in Unicode/UTF-8 incoming data, and most likely leave you vulnerable.
>
> Unless, of course, you use mysql_real_escape_string like you are supposed to.
>
> Even then, the Unicode coming in will possibly/probably be whacked wrong by Magic Quotes sooner or later, so now if you want to support non-ASCII charsets, you probably can't, because Magic Quotes is munging the data before you get a chance to call mysql_real_escape_string on it to do the right thing.
>
> [Though maybe not, as maybe addslashes can't do any harm to Unicode if there's no ' nor \ to escape... You'd have to ask a Unicode geek. But they'd tell you to just turn off the Magic Quotes and be done with it anyway.]
>
> But that's just my take... :-v
Re: [PHP] magic quotes
On Tue, July 31, 2007 9:28 am, KVIGOR wrote:
> If magic quotes is on and I don't have access to the php.ini, is there any way I can strip quotes from the form field without using AJAX?

Best: Use .htaccess to turn magic_quotes off.

Okay: Use something like

    if (ini_get('magic_quotes_gpc')) $data = stripslashes($data);

Worst: Ajax cannot possibly begin to address this issue and is completely useless to solve this particular problem.

-- 
Some people have a gift link here. Know what I want? I want you to buy a CD from some indie artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So?
[PHP] magic quotes
If magic quotes is on and I don't have access to the php.ini, is there any way I can strip quotes from the form field without using AJAX?
[PHP] magic quotes
Hi all,

I've been having a problem with a setting on a test server and production server. My test server has magic_quotes_gpc off, but the production server has it turned on. I've no access to the php.ini for the production server and don't want to change the setting on my test server.

Searching on the internet, I found some ways to deal with this kind of thing: use a .htaccess file to turn magic_quotes off by saving a text file with the line:

    magic_quotes_gpc off

Or making a function to strip slashes like this:

    if (magic_quote_gpc()) {
        stripslashes_array($_GET);
        stripslashes_array($_POST);
        stripslashes_array($_REQUEST);
        stripslashes_array($_COOKIE);
    }

What do people on this list usually do with this kind of problem? To me, the .htaccess seems the easiest solution, since I don't have to change any scripts.

cheers
Phil P.
Re: [PHP] magic quotes
> What do people on this list usually do with this kind of problem? To me, the .htaccess seems the easiest solution, since I don't have to change any scripts.

Use a .htaccess file, or if performance is any sort of concern, put it in the server configuration files and turn off .htaccess files. Failing that you could do it in the script with your stripslashes_array() function, but you should only do it when you need to. e.g. There's no point using it on $_COOKIE if you're not using $_COOKIE.

-- 
Richard Heyes
+44 (0)844 801 1072
http://www.websupportsolutions.co.uk
Knowledge Base and HelpDesk software that can cut the cost of online support
RE: [PHP] magic quotes
Talking about .htaccess, anyone know an easy way of configuring OS (generally Linux/Windows) alternative settings in the same .htaccess? Mainly for paths (eg: include_path), so I can just upload a whole directory at a time from my (Windows) development machine to a (Linux) production server without having to worry about different .htaccess files for each.

Ta
Steve

-----Original Message-----
From: Richard Heyes [mailto:[EMAIL PROTECTED]]
Sent: 17 July 2007 12:25
To: Phil Princely
Cc: php-general@lists.php.net
Subject: Re: [PHP] magic quotes

> What do people on this list usually do with this kind of problem? To me, the .htaccess seems the easiest solution, since I don't have to change any scripts.

Use a .htaccess file, or if performance is any sort of concern, put it in the server configuration files and turn off .htaccess files. Failing that you could do it in the script with your stripslashes_array() function, but you should only do it when you need to. e.g. There's no point using it on $_COOKIE if you're not using $_COOKIE.
Re: [PHP] magic quotes
Phil Princely wrote:
> What do people on this list usually do with this kind of problem? To me, the .htaccess seems the easiest solution, since I don't have to change any scripts.

I would certainly turn it off in php.ini or apache config files if possible (the .htaccess line should be

    php_flag magic_quotes_gpc off

by the way). However, if you end up doing it at runtime, then it's best to use Environment/magic_quotes_gpc_off.php in PHP_Compat. magic_quotes_gpc has been very inconsistent between PHP versions so a generic stripslashes_array() function is unwise.

Arpad
Re: [PHP] magic quotes
Phil Princely wrote:
> thanks for all the help. My code was wrong in the first post, I just copied it straight from the web. This one works:
>
>     if (get_magic_quotes_gpc()) {
>         stripslashes_array($_GET);
>         stripslashes_array($_POST);
>         stripslashes_array($_REQUEST);
>         stripslashes_array($_COOKIE);
>     }
>     set_magic_quotes_runtime(0);

set_magic_quotes_runtime() has no effect on magic_quotes_gpc.

>     function stripslashes_array($arr) {
>         foreach (array_keys($arr) as $k) {
>             $arr[$k] = stripslashes($arr[$k]);
>         }
>     }

This function breaks arrays, ignores keys, and takes into account none of PHP's inconsistencies with magic_quotes_gpc. As I said before, if you need to do it at runtime, use the PHP_Compat code. Here's the two relevant files, if you can't use the PEAR installer:

http://cvs.php.net/viewvc.cgi/pear/PHP_Compat/Compat/Environment/_magic_quotes_inputs.php?revision=1.3&view=markup
http://cvs.php.net/viewvc.cgi/pear/PHP_Compat/Compat/Environment/magic_quotes_gpc_off.php?revision=1.7&view=markup

> I tried searching for setini, but came up with nothing, except this:
>
>     setIni('magic_quotes_gpc', 'Off', $inifile); // didn't work: unknown function

ini_set() is probably what you're thinking of, but magic_quotes_gpc is applied before your script is executed so it will have no effect. That's why the only option at runtime is to reverse it.

Arpad
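For the runtime reversal Phil and Arpad discuss, here is an added example (not code from the thread and not PHP_Compat's own) of a stripslashes routine that does what Arpad says the posted one fails to do: it recurses into nested arrays, keeps array structure and strips the keys as well as the values. It assumes get_magic_quotes_gpc() is only present on PHP before 8 and returns false from 5.4 on, so the guard is a no-op on modern PHP.

```php
<?php
// Added example, not code from the thread or from PHP_Compat. Reverses
// magic_quotes_gpc at runtime: recurses into nested arrays, keeps the array
// structure, and strips slashes from string keys too (magic_quotes_gpc escaped
// keys as well as values). Assumption: get_magic_quotes_gpc() exists only on
// PHP < 8 and returns false from 5.4 on, so the guard below is a no-op there.

/**
 * Return a copy of $input with one level of slashes removed from every
 * string key and string value, recursing into nested arrays.
 */
function strip_magic_quotes_deep($input)
{
    if (!is_array($input)) {
        return is_string($input) ? stripslashes($input) : $input;
    }
    $clean = array();
    foreach ($input as $key => $value) {
        // Integer keys are never escaped; string keys were.
        $cleanKey = is_string($key) ? stripslashes($key) : $key;
        $clean[$cleanKey] = strip_magic_quotes_deep($value);
    }
    return $clean;
}

/**
 * Undo magic_quotes_gpc on the superglobals once, at the top of the request.
 * $_REQUEST is rebuilt from the cleaned arrays instead of being stripped on
 * its own, so a value present in both $_GET and $_POST is not stripped twice.
 * Assumes the default GET < POST < COOKIE precedence for $_REQUEST.
 * Returns true when something was undone, false when there was nothing to do.
 */
function undo_magic_quotes_gpc()
{
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return false;
    }
    $_GET     = strip_magic_quotes_deep($_GET);
    $_POST    = strip_magic_quotes_deep($_POST);
    $_COOKIE  = strip_magic_quotes_deep($_COOKIE);
    $_REQUEST = array_merge($_GET, $_POST, $_COOKIE);
    return true;
}

// Constructed sample: what $_POST would hold with magic_quotes_gpc on when a
// user typed O'Brien, a Windows path, and a nested field with double quotes.
$sample = array(
    'name'   => "O\\'Brien",
    'path'   => "C:\\\\temp",
    "it\\'s" => array('nested' => "say \\\"hi\\\""),
);
$clean = strip_magic_quotes_deep($sample);

assert($clean['name'] === "O'Brien");
assert($clean['path'] === "C:\\temp");
assert($clean["it's"]['nested'] === 'say "hi"');
```

Call undo_magic_quotes_gpc() once in the common include that every page loads, before any code reads the superglobals.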
Re: [PHP] magic quotes
On Tue, July 17, 2007 5:30 am, Phil Princely wrote:
> I've been having a problem with a setting on a test server and production server. My test server has magic_quotes_gpc off, but the production server has it turned on. I've no access to the php.ini for the production server and don't want to change the setting on my test server.
>
> Searching on the internet, I found some ways to deal with this kind of thing: use a .htaccess file to turn magic_quotes off by saving a text file with the line:
>
>     magic_quotes_gpc off

If you have .htaccess, do this, only use the right line which is more like:

    php_value magic_quotes_gpc off

> Or making a function to strip slashes like this:
>
>     if (magic_quote_gpc()) {
>         stripslashes_array($_GET);
>         stripslashes_array($_POST);
>         stripslashes_array($_REQUEST);
>         stripslashes_array($_COOKIE);
>     }
>
> What do people on this list usually do with this kind of problem? To me, the .htaccess seems the easiest solution, since I don't have to change any scripts.

This is more useful if you have no .htaccess

-- 
Some people have a gift link here. Know what I want? I want you to buy a CD from some indie artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So?
RE: [PHP] magic quotes
E. One thing you CAN do is to put something not unlike this:

    <?php
    set_include_path("/production/server/path" . PATH_SEPARATOR . "C:\\dev\\path\\here");
    ?>

Your dev server will be slightly slower when it attempts to find the include files in a path that does not exist. Your production server will find the files where they belong and bail out before it tries to find a C drive that has no meaning.

Crude, but effective.

Or you could just install Linux on your dev box and dual boot, which is WAY easier. :-)

On Tue, July 17, 2007 7:08 am, Steve Perkins wrote:
> Talking about .htaccess, anyone know an easy way of configuring OS (generally Linux/Windows) alternative settings in the same .htaccess? Mainly for paths (eg: include_path), so I can just upload a whole directory at a time from my (Windows) development machine to a (Linux) production server without having to worry about different .htaccess files for each.
>
> Ta
> Steve

-- 
Some people have a gift link here. Know what I want? I want you to buy a CD from some indie artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So?
[PHP] Magic Quotes
I've got all three Magic Quote directives turned off... When I use an SQL query to grab any string from a database, it still spits out the \ in front of the special characters. Any ideas?

thanks
Re: [PHP] Magic Quotes
Liz Kim wrote:
> I've got all three Magic Quote directives turned off... When I use an SQL query to grab any string from a database, it still spits out the \ in front of the special characters.

Turning off magic quotes doesn't repair the data already in your database. It sounds like data has previously been inserted into the database after having been escaped twice. You can examine a few records and check whether this is the case.

If this is what has happened, I suggest writing a simple utility to repair all of the data in the database (running stripslashes() should do the trick), then you won't have to worry about it again.

Hope that helps.

Chris

-- 
Chris Shiflett
http://shiflett.org/
Re: [PHP] Magic Quotes
On 2/23/07, Liz Kim [EMAIL PROTECTED] wrote:
> I've got all three Magic Quote directives turned off... When I use an SQL query to grab any string from a database, it still spits out the \ in front of the special characters. Any ideas?
>
> thanks

What's it look like in the database?

David
Re: [PHP] Magic Quotes
On Fri, February 23, 2007 12:04 pm, Liz Kim wrote:
> I've got all three Magic Quote directives turned off... When I use an SQL query to grab any string from a database, it still spits out the \ in front of the special characters.

Here's one possible scenario:

You *USED* to have Magic Quotes GPC on *AND* you were using an escape function such as addslashes or mysql_real_escape_string.

So, in essence, you double escaped your data, and your database has BAD DATA in it.

To explain double escaped...

The whole point of this escaping business is to give the MySQL parser valid data to read in.

Correct Escaping:

    ORIGINAL DATA    ESCAPED DATA    MYSQL STORES
    O'Brien          O\'Brien        O'Brien

Double Escaped:

    ORIGINAL DATA    DOUBLE ESCAPED DATA    MYSQL STORES
    O'Brien          O\\\'Brien             O\'Brien

Pretty much, if you ever used the function stripslashes you probably had double escaped data and never realized it.

You've got a big mess on your hands, as the data stored by MySQL is not what it should be, and you'll have to find that data, stripslashes it once, and put it back in correctly, with just ONE escape mechanism (mysql_real_escape_string, ideally).

About the only bright side is that calling stripslashes an extra time rarely, if ever, will cause a problem.

-- 
Some people have a gift link here. Know what I want? I want you to buy a CD from some starving artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So?
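The double-escaping Richard lays out above, and the one-off repair Chris suggests, as an added example that is not code from the thread. It models the MySQL string parser with stripslashes(), and stands in for MySQL with an in-memory SQLite database through PDO (assumption: the pdo_sqlite extension is loaded); the table, its rows and the column names are constructed for the demonstration.

```php
<?php
// Added example, not from the thread. Reproduces the double escaping described
// above and repairs it with one stripslashes() per damaged row. Assumption:
// pdo_sqlite is available; SQLite in memory stands in for MySQL, and the
// people/id/name table layout is constructed for the demo.

// What reaches the SQL parser for a value escaped once, and for one escaped
// twice (magic_quotes_gpc plus an explicit addslashes/mysql_real_escape_string).
function escape_once($value)  { return addslashes($value); }
function escape_twice($value) { return addslashes(addslashes($value)); }

// The MySQL parser removes one level of backslash escaping when it reads a
// string literal; stripslashes() models that step here.
function as_stored_by_parser($literal) { return stripslashes($literal); }

// Heuristic for a stored value that still carries a layer of escaping: a
// backslash followed by a quote or another backslash is what a double-escaped
// O'Brien looks like on disk (O\'Brien). Healthy rows are left alone, so the
// repair can be re-run without stripping legitimate backslashes twice.
function looks_double_escaped($stored)
{
    return (bool) preg_match('/\\\\[\'"\\\\]/', $stored);
}

// Repair pass: read every row, strip one level of slashes from the damaged
// ones, and write them back through a prepared statement so nothing is escaped
// by hand again. Returns the number of rows rewritten.
function repair_double_escaped(PDO $db, $table, $idCol, $col)
{
    $fixed  = 0;
    $rows   = $db->query("SELECT $idCol, $col FROM $table")->fetchAll(PDO::FETCH_ASSOC);
    $update = $db->prepare("UPDATE $table SET $col = :v WHERE $idCol = :id");
    foreach ($rows as $row) {
        if (!looks_double_escaped($row[$col])) {
            continue;
        }
        $update->execute(array(':v' => stripslashes($row[$col]), ':id' => $row[$idCol]));
        $fixed++;
    }
    return $fixed;
}

// The two tables from the post, as code: once-escaped data is stored intact,
// twice-escaped data is stored with a stray backslash.
$original = "O'Brien";
assert(as_stored_by_parser(escape_once($original))  === "O'Brien");
assert(as_stored_by_parser(escape_twice($original)) === "O\\'Brien");

// Constructed table: one damaged row, one healthy row.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT)');
$ins = $db->prepare('INSERT INTO people (name) VALUES (?)');
$ins->execute(array(as_stored_by_parser(escape_twice("O'Brien"))));
$ins->execute(array('Smith'));

assert(repair_double_escaped($db, 'people', 'id', 'name') === 1);
$names = $db->query('SELECT name FROM people ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
assert($names === array("O'Brien", 'Smith'));
```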
Re: [PHP] Magic quotes good or Bad?
Angelo Zanetti wrote:
> Hi guys.
> ...
> So on my live server should I enable magic_quotes_gpc or should I use addslashes() and stripslashes()?
>
> Thanks in advance.

In addition to all the other replies saying that magic quotes are evil, which I completely agree with, it should also be noted that magic quotes has been removed from PHP 6.

David
Re: [PHP] Magic quotes good or Bad?
This one time, at band camp, Angelo Zanetti [EMAIL PROTECTED] wrote:
> should I enable magic_quotes_gpc or should I use addslashes() and stripslashes()?

magic quotes is disabled by default these days, and does not make for portable code. It is removed in PHP6

Kevin

-- 
Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote.
[PHP] Magic quotes good or Bad?
Hi guys.

I've just read an article that gives a good explanation about escaping single quote characters with slashes. The author then says that magic_quotes_gpc can do this for you if enabled on your server; he then also mentions that if your magic_quotes_gpc are not turned on/enabled you could use addslashes() with the same result, and that when retrieving info from the database we need to use stripslashes(). All seems hunky dory, but then he concludes that magic_quotes_gpc are evil as we have less control over the information we receive. Which does make sense.

So should I avoid magic_quotes_gpc altogether? My local development server has them enabled, and when testing the input of a textfield that does a select query I input 'hello' (including single quotes) and it works really well with the single quotes escaped. But my live server has them disabled and therefore the single quotes break the SQL statement.

So on my live server should I enable magic_quotes_gpc or should I use addslashes() and stripslashes()?

Thanks in advance.

-- 
Angelo
Re: [PHP] Magic quotes good or Bad?
IMHO, it really depends on a couple of things... 1) how you use it and 2) how much control you want...

If you have a single point of entry for database actions, like a class that mimics the database structure and handles updates, inserts, deletes, then it makes sense to turn them off to give you the control, as with the single point of entry you can easily add/strip slashes. But if your design allows for many points of entry it becomes problematic to make sure you are adding/stripping slashes in all the appropriate areas.

So, I would say that magic_quotes is a tool, it has some limitations, but can also be helpful. So it really depends on the wielder of the tool if it should be used or not.

-Brad

Angelo Zanetti wrote:
> So on my live server should I enable magic_quotes_gpc or should I use addslashes() and stripslashes()?
>
> Thanks in advance.
Re: [PHP] Magic quotes good or Bad?
Angelo Zanetti wrote:
> So should I avoid magic_quotes_gpc altogether?

In my opinion, yes.

> my local development server has them enabled and when testing the input of a textfield that does a select query I input 'hello' (including single quotes) and it works really well with the single quotes escaped. But my live server has them disabled and therefore the single quotes break the SQL statement.

Your live application has an SQL injection vulnerability. This scenario is one of several reasons why magic_quotes_gpc does more to degrade security than promote it. By depending upon it, you have written code that is vulnerable to SQL injection.

Chris
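The situation Chris diagnoses, as an added example that is not code from the thread: the query pattern that "works" only while magic_quotes_gpc happens to be on, next to the parameterised form that is safe with the setting on or off. It uses an in-memory SQLite database through PDO (assumption: pdo_sqlite is loaded); the notes table and its rows are constructed here.

```php
<?php
// Added example, not from the thread. Shows why a query that works with
// magic_quotes_gpc on and breaks with it off has an injection bug in the query,
// not a problem with the setting. Assumption: pdo_sqlite is available; the
// notes table is constructed for the demo.

function setup_db()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');
    $st = $db->prepare('INSERT INTO notes (body) VALUES (?)');
    foreach (array("hello", "'hello'", "secret") as $body) {
        $st->execute(array($body));
    }
    return $db;
}

// The pattern from the thread: raw form input concatenated into SQL. With
// magic_quotes_gpc on, the input arrives as \'hello\' and MySQL (which honours
// backslash escapes) happens to parse it; with it off, the user's quotes end the
// string literal and the statement no longer means what the author intended.
function vulnerable_count(PDO $db, $input)
{
    $sql = "SELECT COUNT(*) FROM notes WHERE body = '" . $input . "'";
    return (int) $db->query($sql)->fetchColumn();
}

// The fix: bind the value, so quotes in the input are data, never SQL syntax.
// This holds whether magic quotes are on or off, and on any PDO driver.
function safe_count(PDO $db, $input)
{
    $st = $db->prepare('SELECT COUNT(*) FROM notes WHERE body = ?');
    $st->execute(array($input));
    return (int) $st->fetchColumn();
}

$db    = setup_db();
$typed = "'hello'";     // what the user typed, as received with magic quotes off

// Parameterised: matches exactly the one row whose body is 'hello' with quotes.
assert(safe_count($db, $typed) === 1);

// Concatenated: the same input breaks the statement, which is the live-server
// failure Angelo saw. Only the error is visible here; the underlying problem is
// that user input is being parsed as SQL at all.
$broke = false;
try {
    vulnerable_count($db, $typed);
} catch (PDOException $e) {
    $broke = true;
}
assert($broke);
```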
Re: [PHP] Magic quotes good or Bad?
At 2:37 PM -0800 4/5/06, Angelo Zanetti wrote:
> So on my live server should I enable magic_quotes_gpc or should I use addslashes() and stripslashes()?
>
> Thanks in advance.
>
> --
> Angelo

Angelo:

Everything I've read and have been told says Magic quotes is Bad --- turn it off.

I do it by placing a text file at root named .htaccess with the following

    php_value magic_quotes_gpc 0
    php_value magic_quotes_sybase 0
    php_value magic_quotes_runtime 0

I'm not sure as to other methods, but there are other ways -- however, I'm not sure if this works for all.

HTH's.

tedd

-- 
http://sperling.com
Re: [PHP] Magic quotes good or Bad?
Angelo Zanetti wrote:
> Hi guys.
>
> I've just read an article that gives a good explanation about escaping single quote characters with slashes. The author then says that magic_quotes_gpc can do this for you if enabled on your server; he then also mentions that if your magic_quotes_gpc are not turned on/enabled you could use addslashes() with the same result, and that when retrieving info from the database we need to use stripslashes().

The 'author' is an idiot

> All seems hunky dory, but then he concludes that magic_quotes_gpc are evil as we have less control over the information we receive. Which does make sense.
>
> So should I avoid magic_quotes_gpc altogether?

Yes

> My local development server has them enabled, and when testing the input of a textfield that does a select query I input 'hello' (including single quotes) and it works really well with the single quotes escaped. But my live server has them disabled and therefore the single quotes break the SQL statement.
>
> So on my live server should I enable magic_quotes_gpc or should I use addslashes() and stripslashes()?

No. Disable magic_quotes on both boxes. If your db is MySQL, use mysql_real_escape_string(). Otherwise look into writing a routine that will escape the proper characters for your db.

-- 
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
[EMAIL PROTECTED]
Re: [PHP] Magic quotes good or Bad?
tedd wrote:
> I do it by placing a text file at root named .htaccess with the following
>
>     php_value magic_quotes_gpc 0
>     php_value magic_quotes_sybase 0
>     php_value magic_quotes_runtime 0

Only works if your web server allows you to do this. In Apache the controlling option for this is:

    <Directory /path/to/www>
        AllowOverride All
    </Directory>

You should note in a virtual hosting environment, this is typically disabled.

See http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride

Regards,
Peter Hoskin
[PHP] Magic Quotes or Curley Quotes or Something
I recently upgraded my server. It is running Ubuntu Linux with PHP and MySQL. My site allows people to post content to their own web pages through a web interface. Many of my customers compose their content on a word processor and then cut and paste it to the web interface for insertion to the database and later retrieval and display on a web page.

The problem I am having is that content which includes quotes is not being seen correctly. Rather than inserting a slashed quote (/), it inserts a bunch of strange formatted gunk. A sample of the problem can be seen at www.dallypost.com/ranch/page5688.php

Thanks

-- 
Lance Earl, President
DallyPost, Inc. - Equine Marketing/Training/Shows
Rockland, Idaho
208-548-2721 or 208-604-2721
[EMAIL PROTECTED]
http://www.dallypost.com
http://www.dallypost.com/ranch
Horse Marketing - Clinics - Shows
Re: [PHP] Magic Quotes or Curley Quotes or Something
Hello Lance--

On 8/5/05 2:18 PM, Lance Earl [EMAIL PROTECTED] wrote:
> I recently upgraded my server. It is running Ubuntu Linux with PHP and MySQL. My site allows people to post content to their own web pages through a web interface. Many of my customers compose their content on a word processor and then cut and paste it to the web interface for insertion to the database and later retrieval and display on a web page. The problem I am having is that content which includes quotes is not being seen correctly. Rather than inserting a slashed quote (/), it inserts a bunch of strange formatted gunk. A sample of the problem can be seen at www.dallypost.com/ranch/page5688.php

You have an encoding problem--the content is being uploaded to your site using a different encoding mechanism (most likely utf-8) than the one you use to display it. I'm not much of an expert in this area, but a couple of suggestions:

1. You're already outputting UTF-8 code from the looks of it, so a simple

    header("Content-type: text/html; charset=utf-8");

Or even adding this to your HTML code in the HEAD:

    <meta http-equiv="content-type" content="text/html; charset=utf-8">

Should do it. Remember to also use

    htmlentities($data, ENT_QUOTES, "utf-8");

to properly encode the entities in your content.

2. Convert the text over from UTF-8 to ISO-8859-1. I think you can use utf8_decode, or you may have to go with the mbstring extension (not too sure here, I'd just go ahead and convert everything over to UTF-8).

I'm sure some other people who have more experience with this stuff can give you even more pointers, but this should get you started.

Cheers,

Marco

-- 
BeebleX - The PHP Search Engine
http://beeblex.com
Re: [PHP] Magic Quotes or Curley Quotes or Something
Lance Earl wrote:
> I recently upgraded my server. It is running Ubuntu Linux with PHP and MySQL. My site allows people to post content to their own web pages through a web interface. Many of my customers compose their content on a word processor and then cut and paste it to the web interface for insertion to the database and later retrieval and display on a web page. The problem I am having is that content which includes quotes is not being seen correctly. Rather than inserting a slashed quote (/), it

I don't think it's the root of your problem but I think you mean an escaped quote - i.e. one that's been 'backslashed' - \

> inserts a bunch of strange formatted gunk. A sample of the problem can be seen at www.dallypost.com/ranch/page5688.php

Marco seems to be right about the encoding - but I can't admit to even knowing half as much as him about that topic (makes me dizzy every time!) so I won't attempt to thicken the plot so to speak.

g'luck

> Thanks
Re: [PHP] Magic Quotes or Curley Quotes or Something
Hi Marco,

Thanks for the help, you gave me a place to start. Before doing what would amount to a lot of coding to correct this problem throughout my site I wanted to see if it could be corrected on the server side. I found the following section in the php.ini file:

    ; As of 4.0b4, PHP always outputs a character encoding by default in
    ; the Content-type: header. To disable sending of the charset, simply
    ; set it to be empty.
    ;
    ; PHP's built-in default is text/html
    default_mimetype = "text/html"
    default_charset = "utf-8"
    ;default_charset = "iso-8859-1"

In the default file the iso-8859-1 line was commented out so I uncommented it to see if that would help. It changed the unreadable goop to another type of unreadable goop but the problem remained. I then recommented the iso-8859-1 line and added the utf-8 line. This changed the output back to what I had before.

My thinking is that since my code worked under the older version of php, it should also work under the newer version if I can configure it correctly.

Thanks,
Lance

> Hello Lance--
>
> You have an encoding problem--the content is being uploaded to your site using a different encoding mechanism (most likely utf-8) than the one you use to display it. I'm not much of an expert in this area, but a couple of suggestions:
>
> 1. You're already outputting UTF-8 code from the looks of it, so a simple header("Content-type: text/html; charset=utf-8"); or even adding this to your HTML code in the HEAD: <meta http-equiv="content-type" content="text/html; charset=utf-8"> should do it. Remember to also use htmlentities($data, ENT_QUOTES, "utf-8"); to properly encode the entities in your content.
>
> 2. Convert the text over from UTF-8 to ISO-8859-1. I think you can use utf8_decode, or you may have to go with the mbstring extension (not too sure here, I'd just go ahead and convert everything over to UTF-8).
>
> Cheers,
>
> Marco

-- 
Lance Earl, President
DallyPost, Inc. - Equine Marketing/Training/Shows
Rockland, Idaho
208-548-2721 or 208-604-2721
[EMAIL PROTECTED]
http://www.dallypost.com
http://www.dallypost.com/ranch
Horse Marketing - Clinics - Shows
[PHP] Magic Quotes
Am I correct in thinking Magic Quotes automatically adds quotes to all posted variables, therefore if you are displaying post variables on a form you have to remove the quotes? They are only needed if you are actually inserting/updating into the database. Whether magic quotes are on or not you do not actually have to do anything to data fetched from the database. If magic quotes are not on you have to add slashes before you add to the database.

There is also another function you need to pass stuff through if you are going to use it in an <input type="text"> or textarea, what is that function?

Ben

-- 
Ben Edwards - Poole, UK, England
If you have a problem sending me email use this link
http://www.gurtlush.org.uk/profiles.php?uid=4
(email address this email is sent from may be defunct)
Re: [PHP] Magic Quotes
Ben Edwards (lists) wrote:
> Am I correct in thinking Magic Quotes automatically adds quotes to all posted variables, therefore if you are displaying post variables on a form you have to remove the quotes? They are only needed if you are actually inserting/updating into the database. Whether magic quotes are on or not you do not actually have to do anything to data fetched from the database. If magic quotes are not on you have to add slashes before you add to the database.

you get the gist of it

bear in mind _many_ people including actual php developers avoid magic_quotes like the plague cos it's a PITA.

basically your input to the DB should be properly escaped (there are special functions for this also, depending on your DB, I use a lot of firebird and it's capable of parameterized queries - making it impossible to do SQL injection if you use the parameterized markup). AND anything you output to the browser should be sanitized properly as well...

go to phpsc.net and read everything there - it's a good/solid introduction to writing secure php code (e.g. how to combat XSS etc). phpsc.net is headed by Chris Shiflett - a veritable goldmine of php related knowledge

do yourself a favor... read his stuff :-)

any questions that arise from reading that are welcome here :-)

> There is also another function you need to pass stuff through if you are going to use it in an <input type="text"> or textarea, what is that function?

htmlentities()

> Ben
Re: [PHP] Magic Quotes
Jochem Maas wrote:
> go to phpsc.net and read everything there - it's a good/solid introduction to writing secure php code (e.g. how to combat XSS etc). phpsc.net is headed by Chris Shiflett - a veritable goldmine of php related knowledge

http://phpsec.org/ it should be ;-)

cheers,
Jeffery
Re: [PHP] Magic Quotes
On Thu, 2005-02-10 at 13:28 +0100, Jochem Maas wrote:
> Ben Edwards (lists) wrote:
>> Am I correct in thinking Magic Quotes automatically adds quotes to all posted variables, therefore if you are displaying post variables on a form you have to remove the quotes. They are only needed if you are actually inserting/updating into the database. Whether magic quotes are on or not you do not actually have to do anything to data fetched from the database. If magic quotes are not on you have to add slashes before you add to the database.
>
> you get the gist of it. bear in mind _many_ people, including actual PHP developers, avoid magic_quotes like the plague cos it's a PITA.

Yes, it seems like they were invented by the Powers of Darkness ;).

I think I am going to put stuff in my common code that is run at the beginning of every page to remove magic quotes from $_REQUEST, and run all data being put into the database through addslashes first. I can see it is only of any use to trivial pages where you are taking user input and putting it straight into the database without validation or re-displaying it. Therefore it is useless.

Regards,
Ben

> basically your input to the DB should be properly escaped (there are special functions for this also, depending on your DB; I use a lot of Firebird and it's capable of parameterized queries - making it impossible to do SQL injection if you use the parameterized markup). AND anything you output to the browser should be sanitized properly as well...
>
> go to phpsc.net and read everything there - it's a good/solid introduction to writing secure PHP code (e.g. how to combat XSS etc). phpsc.net is headed by Chris Shiflett - a veritable goldmine of PHP related knowledge. do yourself a favor... read his stuff :-)
>
> any questions that arise from reading that are welcome here :-)
>
>> There is also another function you need to pass stuff through if you are going to use it in an input type=text or textarea, what is that function?
>
> htmlentities()
>
>> Ben

--
Ben Edwards - Poole, UK, England
If you have a problem sending me email use this link
http://www.gurtlush.org.uk/profiles.php?uid=4
(email address this email is sent from may be defunct)
Re: [PHP] Magic Quotes
On Thu, 2005-02-10 at 13:45 +0100, Jochem Maas wrote:
> Ben Edwards (lists) wrote:
>> PS phpsc.net seems to be down, or is the domain wrong?
>
> er yes, oops. as Jeffery pointed out it should have been phpsec.org. had a brainfreeze sorry.

OK, trying to do a function to remove magic quotes from the post variable. Something like:-

    function remove_magic_quotes( $array ) {
        foreach( $array as $index => $value ) {
            if ( is_array( $array[$index] ) ) {
                remove_magic_quotes( $array[$index] );
            } else {
                if ( magic_quotes_runtime() ){
                    $array[$index] = stripslashes( $value );
                }
            }
        }

But not quite there. Any ideas?

Ben

>> Ben
>>
>> On Thu, 2005-02-10 at 13:28 +0100, Jochem Maas wrote:
>>> Ben Edwards (lists) wrote:
>>>> Am I correct in thinking Magic Quotes automatically adds quotes to all posted variables, therefore if you are displaying post variables on a form you have to remove the quotes. [...]
>>>
>>> you get the gist of it. bear in mind _many_ people, including actual PHP developers, avoid magic_quotes like the plague cos it's a PITA.
>>>
>>> [...]
>>>
>>>> There is also another function you need to pass stuff through if you are going to use it in an input type=text or textarea, what is that function?
>>>
>>> htmlentities()
>>>
>>>> Ben
Re: [PHP] Magic Quotes
Ben Edwards (lists) wrote:
> On Thu, 2005-02-10 at 13:45 +0100, Jochem Maas wrote:
>> Ben Edwards (lists) wrote:
>>> PS phpsc.net seems to be down, or is the domain wrong?
>>
>> er yes, oops. as Jeffery pointed out it should have been phpsec.org. had a brainfreeze sorry.
>
> OK, trying to do a function to remove magic quotes from the post variable. Something like:-
>
>     function remove_magic_quotes( $array ) {
>         foreach( $array as $index => $value ) {
>             if ( is_array( $array[$index] ) ) {
>                 remove_magic_quotes( $array[$index] );
>             } else {
>                 if ( magic_quotes_runtime() ){
>                     $array[$index] = stripslashes( $value );

there is a missing closing brace here.

also the test for magic_quotes_runtime() is better off outside the loop... no point in recursing if magic_quotes_runtime() returns false.

also you might want to use a return val instead of pass-by-reference.

also adding this to a .htaccess file in the root dir of your app might be easier:

    php_value magic_quotes_runtime 0

>                 }
>             }
>         }
>
> But not quite there. Any ideas?
>
> Ben
>
>>> Ben
>>>
>>> On Thu, 2005-02-10 at 13:28 +0100, Jochem Maas wrote:
>>>> Ben Edwards (lists) wrote:
>>>>> Am I correct in thinking Magic Quotes automatically adds quotes to all posted variables, therefore if you are displaying post variables on a form you have to remove the quotes. [...]
>>>>
>>>> you get the gist of it. bear in mind _many_ people, including actual PHP developers, avoid magic_quotes like the plague cos it's a PITA.
>>>>
>>>> basically your input to the DB should be properly escaped (there are special functions for this also, depending on your DB; I use a lot of Firebird and it's capable of parameterized queries - making it impossible to do SQL injection if you use the parameterized markup). AND anything you output to the browser should be sanitized properly as well...
>>>>
>>>> [...]
>>>>
>>>>> There is also another function you need to pass stuff through if you are going to use it in an input type=text or textarea, what is that function?
>>>>
>>>> htmlentities()
>>>>
>>>>> Ben
[PHP] Magic Quotes Removal code - almost there
The following code is passed $_POST to clean magic quotes code out ;_

    function remove_magic_quotes( $array ) {
        foreach( $array as $index => $value ) {
            if ( is_array( $array[$index] ) ) {
                remove_magic_quotes( $array[$index] );
            } else {
                if ( magic_quotes_runtime() ){
                    echo "removing slashes $value<br />";
                    $array[$index] = stripslashes( $value );
                }
            }
        }
    }

The cleaning works but magic_quotes_runtime is false even if magic quotes are on, any ideas?

Ben
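As an added example (not Ben's or Jochem's code from this thread), here is a stripper written the way the review comments above suggest: the magic-quotes test happens once, outside the recursion; the function returns a new array instead of mutating its argument; and array keys are unescaped as well as values, because PHP applied the same escaping to the keys of the GPC arrays. It tests get_magic_quotes_gpc(), the setting that actually affects $_POST, and guards the call because that function is gone in PHP 8. The $magic_post array is a constructed stand-in for what $_POST looked like on a magic_quotes_gpc=On server; the function names are my own.

```php
<?php
// Added example: undo magic_quotes_gpc on a request array, once, and only
// when the server really added the slashes. Not the list's own code.

function magic_quotes_gpc_active(): bool
{
    // get_magic_quotes_gpc() always returns false on PHP >= 5.4 and does not
    // exist on PHP 8, so guard the call before relying on it.
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Pure function: returns a new array with every string key and value run
// through stripslashes(), recursing into nested arrays.
function strip_magic_quotes_deep(array $data): array
{
    $clean = [];
    foreach ($data as $key => $value) {
        $key = is_string($key) ? stripslashes($key) : $key;
        $clean[$key] = is_array($value)
            ? strip_magic_quotes_deep($value)
            : (is_string($value) ? stripslashes($value) : $value);
    }
    return $clean;
}

// The test sits outside the recursion: on a server without magic quotes
// stripslashes() would corrupt legitimate backslashes, so do nothing there.
function unmagic_request(array $request): array
{
    return magic_quotes_gpc_active() ? strip_magic_quotes_deep($request) : $request;
}

// Constructed sample: a user typed  O'Reilly  and  C:\temp  into a nested
// form and magic_quotes_gpc escaped both the values and one key.
$magic_post = [
    'name'    => "O\\'Reilly",        // O\'Reilly
    'path'    => "C:\\\\temp",        // C:\\temp
    'tags'    => ["it\\'s", 'plain'],
    "key\\'s" => 'x',
];

$expected = [
    'name'  => "O'Reilly",
    'path'  => "C:\\temp",
    'tags'  => ["it's", 'plain'],
    "key's" => 'x',
];

assert(strip_magic_quotes_deep($magic_post) === $expected);
var_dump(strip_magic_quotes_deep($magic_post)['name']); // string(8) "O'Reilly"
```

In a real request handler the call is `$_POST = unmagic_request($_POST);` (and the same for $_GET and $_COOKIE) at the top of the common include, after which the rest of the code can treat the data as raw and escape it once, at the point of use.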
Re: [PHP] Magic Quotes
Ben Edwards (lists) wrote:
> Am I correct in thinking Magic Quotes automatically adds quotes to all posted variables, therefore if you are displaying post variables on a form you have to remove the quotes. They are only needed if you are actually inserting/updating into the database. Whether magic quotes are on or not you do not actually have to do anything to data fetched from the database. If magic quotes are not on you have to add slashes before you add to the database.

To be pedantic, I'll add to this thread and point out that Magic Quotes also affects GET data.

Oooh, and COOKIES too, almost for sure, though I never put anything in a Cookie that needs quotes, so I'm not 100% sure on that.

Magic Quotes was part of the original PHP, I think, or at least real early on, back when the Internet had a lot less vandals. I daresay validation in those days was more about being nice to the user and having Good Data than self-defense. [Sigh.]

When I was your age... :-)

--
Like Music? http://l-i-e.com/artists.htm
Re: [PHP] Magic Quotes Removal code - almost there
On Thursday 10 February 2005 23:36, Ben Edwards (lists) wrote:
> The cleaning works but magic_quotes_runtime is false even if magic quotes are on, any ideas?

There are at least two magic_quotes_* settings, make sure you are referring to the correct one(s).

--
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design Hosting * Internet Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
New Year Resolution: Ignore top posted posts
Re: [PHP] Magic quotes question (still driving me mad)
On Wed, 26 Jan 2005 13:07:34 -0800 (PST), Richard Lynch [EMAIL PROTECTED] wrote:
> Ben Edwards wrote:
>> On Tue, 25 Jan 2005 17:02:21 -0800, Chris [EMAIL PROTECTED] wrote:
>>> You should probably use get_magic_quotes_runtime(), as _gpc only applies to GET/POST/COOKIE, htmlspecialchars is needed so the HTML can be parsed properly:
>>
>> So is this only done to stuff that is to be displayed on a web page? What happens if it is done to stuff that is (possibly) also passed through addslashes and written to the database.
>
> Don't do it.

Don't worry, I won't. Databases are for data. I wouldn't dream of polluting them with HTML ;)

> What if tomorrow you decide you need to output a PDF as well as your HTML from that same data -- You've got all those funky htmlspecialchars() in your database that have NOTHING to do with your data. They are only needed for the HTML presentation of your data.

Separation of data and presentation and logic, precisely.

Ben

> For example, I have a web-site where we have had an on-line calendar for ages. A few years ago, I found out the client was re-typing all his calendar items (a hundred a month) into three different software packages, just so he could get a print-out for flyers/handouts of his calendar of events. Silly client.
>
> Now his web-site provides him with a PDF of his calendar with a single click, instead of 4 hours of drudge-work every month copying data from A to B by hand.
>
> There ain't no htmlspecialchars() in the database, thank [deity], or I'd have to un-do that just to make the PDF. Ugh!

--
Ben Edwards - Poole, UK, England
WARNING: This email contained partisan views - don't ever accuse me of using the veneer of objectivity
If you have a problem emailing me use http://www.gurtlush.org.uk/profiles.php?uid=4
(email address this email is sent from may be defunct)
Re: [PHP] Magic quotes question (still driving me mad)
On Tue, 25 Jan 2005 17:02:21 -0800, Chris [EMAIL PROTECTED] wrote:
> You should probably use get_magic_quotes_runtime(), as _gpc only applies to GET/POST/COOKIE, htmlspecialchars is needed so the HTML can be parsed properly:

So is this only done to stuff that is to be displayed on a web page? What happens if it is done to stuff that is (possibly) also passed through addslashes and written to the database. Also does it matter what order htmlspecialchars/addslashes???

However this is the least of my problems, I still don't have the main magic quotes thing working. So I will detail what I am doing and see if anyone can help.

Everything that comes from the database (regardless of what is done to it next) is passed through the following function.

    function unprep( $text ) {
        // Take data coming from the database and get it ready to be presented
        // to the user.
        if ( get_magic_quotes_gpc() ){
            $result = stripslashes($text);
        } else{
            $result = $text;
        }
        $result = htmlspecialchars( $result );
        return $result;
    }

This is done regardless of what is to be done to the data by using foreach on the row that is returned.

    foreach( $this->record as $index => $value ) {
        $this->record[$index] = unprep( $value );
    }

And before anything is written to the database it goes through the following function.

    function prep( $text ) {
        if ( get_magic_quotes_gpc() ) {
            return $text;
        } else {
            return addslashes($text);
        }
    }

But I am still getting the \', \\' thing happening.

One of my problems is I am not sure how to reliably look at the data at various stages. If I do echo $value and it has \' in it, is \' displayed or is ' displayed. I.e. is it only in the input type=text tag that the \' shows up.

Thanks for everybody's help, hope I am nearly there ;)

Ben

> if the value in the text box was something like:
>
>     "> Hello World!
>
> when you go to put in the value attribute it would end up:
>
>     <input type="text" value=""> Hello World!" />
>
> That would not parse correctly.
>
> but if you escaped it with htmlspecialchars or htmlentities you'd get:
>
>     <input type="text" value="&quot;&gt; Hello World!" />
>
> And the box would contain the proper data
>
> Ben Edwards wrote:
>> PS. How does htmlspecialchars fit into this. The unprep function is to prepare data coming from the database to be used in input type=text, does the below function make sense?
>>
>> Ben
>>
>>     function unprep( $text ) {
>>         // Take data coming from the database and get it ready to be presented
>>         // to the user.
>>         if (get_magic_quotes_gpc()){
>>             $result = stripslashes($text);
>>         } else{
>>             $result = $text;
>>         }
>>         return htmlspecialchars( $result );
>>     }
RE: [PHP] Magic quotes question (still driving me mad)
-----Original Message-----
From: Ben Edwards [mailto:[EMAIL PROTECTED]
Sent: 26 January 2005 10:15

> On Tue, 25 Jan 2005 17:02:21 -0800, Chris [EMAIL PROTECTED] wrote:
>> You should probably use get_magic_quotes_runtime(), as _gpc only applies to GET/POST/COOKIE, htmlspecialchars is needed so the HTML can be parsed properly:
>
> So is this only done to stuff that is to be displayed on a web page? What happens if it is done to stuff that is (possibly) also passed through addslashes and written to the database.

You get HTML entities in your database. This may not matter if all you do is use your database to make Web pages, but it's generally regarded as better form to store the text in clear in the database and convert it to the appropriate format for display at the time you want to display it.

> Also does it matter what order htmlspecialchars/addslashes???

Yes.

    htmlspecialchars(addslashes('"')) = \&quot;
    addslashes(htmlspecialchars('"')) = &quot;

> Everything that comes from the database (regardless of what is done to it next) is passed through the following function.
>
>     function unprep( $text ) {
>         // Take data coming from the database and get it ready to be presented
>         // to the user.
>         if ( get_magic_quotes_gpc() ){

This should be magic_quotes_runtime(), since you are dealing with data obtained from the database at run time, not data passed via Get, Post or Cookie.

>             $result = stripslashes($text);
>         } else{
>             $result = $text;
>         }
>         $result = htmlspecialchars( $result );
>         return $result;
>     }
>
> And before anything is written to the database it goes through the following function.
>
>     function prep( $text ) {
>         if ( get_magic_quotes_gpc() ) {
>             return $text;
>         } else {
>             return addslashes($text);
>         }
>     }

That one looks good to go, assuming your database uses \ as an escaping character.

> But I am still getting the \', \\' thing happening.
>
> One of my problems is I am not sure how to reliably look at the data at various stages. If I do echo $value and it has \' in it, is \' displayed or is ' displayed.

If you echo a value that really does contain \', you will get \' displayed.

Cheers!

Mike

---------------------------------------------------------------------
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Headingley Campus, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
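An added example, not Mike's or Ben's code, that spells out the two orderings above and the rule the replies keep coming back to: keep the stored text in the clear and escape once, for the output context, at the moment of output. The helper names for_html() and text_input() are my own; it assumes UTF-8 output, and the input string is the constructed "break out of the attribute" value from Chris's message.

```php
<?php
// Added example: escape for HTML at output time only. Not the list's code.

// Escape for insertion into HTML text or a double-quoted attribute value.
// ENT_QUOTES escapes the single quote as well; the charset is stated so the
// result does not depend on the default_charset ini setting.
function for_html(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Build an <input> whose value attribute carries $raw without being broken
// out of by quotes or angle brackets in the data.
function text_input(string $name, string $raw): string
{
    return '<input type="text" name="' . for_html($name)
         . '" value="' . for_html($raw) . '" />';
}

// Constructed input: the attribute-breaking string used in the thread.
$raw = '"> Hello World!';

// Mike's two orderings, spelled out. Layering addslashes() under the HTML
// escaping leaves a stray backslash in the page; the other way round the
// backslash never appears because &quot; contains nothing addslashes() touches.
$a = htmlspecialchars(addslashes('"'), ENT_QUOTES, 'UTF-8'); // \&quot;
$b = addslashes(htmlspecialchars('"', ENT_QUOTES, 'UTF-8')); // &quot;
assert($a === '\\&quot;');
assert($b === '&quot;');

// Escaped only at output, the attribute stays intact.
assert(text_input('greeting', $raw)
    === '<input type="text" name="greeting" value="&quot;&gt; Hello World!" />');

// The browser decodes the entities before submitting the form, so what comes
// back is the raw value again: nothing HTML-specific needs to reach the database.
assert(html_entity_decode(for_html($raw), ENT_QUOTES, 'UTF-8') === $raw);

echo text_input('greeting', $raw), "\n";
```

The same separation applies to the database side: the SQL escaping (or, better, a bound parameter) happens once on the way in, the HTML escaping once on the way out, and neither result is ever stored.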
Re: [PHP] Magic quotes question (still driving me mad)
Ben Edwards wrote:
> On Tue, 25 Jan 2005 17:02:21 -0800, Chris [EMAIL PROTECTED] wrote:
>> You should probably use get_magic_quotes_runtime(), as _gpc only applies to GET/POST/COOKIE, htmlspecialchars is needed so the HTML can be parsed properly:
>
> So is this only done to stuff that is to be displayed on a web page? What happens if it is done to stuff that is (possibly) also passed through addslashes and written to the database.

Don't do it.

What if tomorrow you decide you need to output a PDF as well as your HTML from that same data -- You've got all those funky htmlspecialchars() in your database that have NOTHING to do with your data. They are only needed for the HTML presentation of your data.

For example, I have a web-site where we have had an on-line calendar for ages. A few years ago, I found out the client was re-typing all his calendar items (a hundred a month) into three different software packages, just so he could get a print-out for flyers/handouts of his calendar of events. Silly client.

Now his web-site provides him with a PDF of his calendar with a single click, instead of 4 hours of drudge-work every month copying data from A to B by hand.

There ain't no htmlspecialchars() in the database, thank [deity], or I'd have to un-do that just to make the PDF. Ugh!
[PHP] Magic quotes question
In the php manual it states 'Keep in mind that the setting magic_quotes_gpc will not work at runtime.' What does this actually mean?

Ben
Re: [PHP] Magic quotes question
It means that you can't set that setting inside a script with ini_set. Since the earliest opportunity to set it in a script would be after it would have already done its job, it won't work. You must set it before the script runs.

Chris

Ben Edwards wrote:
> In the php manual it states 'Keep in mind that the setting magic_quotes_gpc will not work at runtime.' What does this actually mean?
>
> Ben
Re: [PHP] Magic quotes question
Ben Edwards wrote:
> In the php manual it states 'Keep in mind that the setting magic_quotes_gpc will not work at runtime.' What does this actually mean?

Translation: If you try to use ini_set to change magic_quotes_gpc in your .php script, here's what happens:

Step 1: Apache/PHP set up $_POST/$_GET/$_COOKIES based on php.ini setting of magic_quotes_gpc
Step 2: Your script runs
Step 3: Your script calls ini_set('magic_quotes_gpc', ???);

As you can imagine, it really doesn't do much good at that point to change this setting, since all the work of loading in POST/GET/COOKIES is already done.

Now, if you worked hard, you could maybe find a way to change the setting, and then you could re-parse the GET arguments and the POST data (assuming you configured settings to provide raw POST data) and maybe even (somehow) manage to re-interpret the cookies...

Or you could just live with the current setting and use stripslashes() or addslashes() as needed to get the data in the form you want, which would be a zillion times easier.

So while you maybe *CAN* change magic_quotes_gpc at run-time with ini_set, there ain't a whole lot of point to it, unless you've got a ton of data you are re-parsing from somewhere else that relies on that setting.
Re: [PHP] Magic quotes question
I'm not quite sure I understand you... The theory behind that function looks sound, but are you meaning to return the value or pass it by reference and modify it?

Chris

Ben Edwards wrote:
> OK. This is really confusing me. I am using the following function to handle this:
>
>     function prep( $text ) {
>         echo get_magic_quotes_gpc() . " ";
>         if (get_magic_quotes_gpc()) {
>             echo "mq on for $text";
>             return $text;
>         } else {
>             echo "mq off";
>             return addslashes($text);
>         }
>     }
>
> And it is not doing the addslashes but stuff like \'s is still being added. Once saved a few times I get \'.
>
> Ben
Re: [PHP] Magic quotes question
OK. This is really confusing me. I am using the following function to handle this:

    function prep( $text ) {
        echo get_magic_quotes_gpc() . " ";
        if (get_magic_quotes_gpc()) {
            echo "mq on for $text";
            return $text;
        } else {
            echo "mq off";
            return addslashes($text);
        }
    }

And it is not doing the addslashes but stuff like \'s is still being added. Once saved a few times I get \'.

Ben

On Tue, 25 Jan 2005 10:39:30 -0800, Chris [EMAIL PROTECTED] wrote:
> It means that you can't set that setting inside a script with ini_set. Since the earliest opportunity to set it in a script would be after it would have already done its job, it won't work. You must set it before the script runs.
>
> Chris
>
> Ben Edwards wrote:
>> In the php manual it states 'Keep in mind that the setting magic_quotes_gpc will not work at runtime.' What does this actually mean?
>>
>> Ben
Re: [PHP] Magic quotes question
Ben Edwards wrote:
> OK. This is really confusing me. I am using the following function to handle this:
>
>     function prep( $text ) {
>         echo get_magic_quotes_gpc() . " ";
>         if (get_magic_quotes_gpc()) {
>             echo "mq on for $text";
>             return $text;
>         } else {
>             echo "mq off";
>             return addslashes($text);
>         }
>     }
>
> And it is not doing the addslashes but stuff like \'s is still being added. Once saved a few times I get \'.

Sounds to me like magic_quotes_gpc is ON

That means EVERY value coming in from GET, POST, or COOKIES automatically has addslashes() called on it.

That presumes that you mostly want to take GET/POST/COOKIE data and shove it into a database.

For those times when you are *NOT* shoving the data into a database, you need to use http://php.net/stripslashes to undo the magic quotes' addslashes.

For example, when re-displaying user input on a FORM after an error, or to confirm their input, you will need to call http://php.net/stripslashes on EVERY field you send back to the browser.

On the plus side, you do *NOT* need to call http://php.net/addslashes on EVERY chunk of data you send to the database, because magic_quotes already did that for you.

That's kinda the whole purpose of magic_quotes: Assume that 99% of what you do is take data in and shove it into your database, so always call addslashes() on it before you see it, so it's already done "by magic". Magic Quotes should be called "Auto Addslashes" really.

Does that help explain what's going on?

What you might need, then, is a function to send INPUT data to the browser:

    function maybe_stripslashes($input){
        // get_magic_quotes_gpc() is the real function name; there is no magic_quotes_gpc()
        if (get_magic_quotes_gpc()){
            $result = stripslashes($input);
        } else{
            $result = $input;
        }
        return $result;
    }
Re: [PHP] Magic quotes question
PS. How does htmlspecialchars fit into this. The unprep function is to prepare data coming from the database to be used in input type=text, does the below function make sense?

Ben

    function unprep( $text ) {
        // Take data coming from the database and get it ready to be presented
        // to the user.
        if (get_magic_quotes_gpc()){
            $result = stripslashes($text);
        } else{
            $result = $text;
        }
        return htmlspecialchars( $result );
    }
Re: [PHP] Magic quotes question
You should probably use get_magic_quotes_runtime(), as _gpc only applies to GET/POST/COOKIE, htmlspecialchars is needed so the HTML can be parsed properly:

if the value in the text box was something like:

    "> Hello World!

when you go to put in the value attribute it would end up:

    <input type="text" value=""> Hello World!" />

That would not parse correctly.

but if you escaped it with htmlspecialchars or htmlentities you'd get:

    <input type="text" value="&quot;&gt; Hello World!" />

And the box would contain the proper data

Ben Edwards wrote:
> PS. How does htmlspecialchars fit into this. The unprep function is to prepare data coming from the database to be used in input type=text, does the below function make sense?
>
> Ben
>
>     function unprep( $text ) {
>         // Take data coming from the database and get it ready to be presented
>         // to the user.
>         if (get_magic_quotes_gpc()){
>             $result = stripslashes($text);
>         } else{
>             $result = $text;
>         }
>         return htmlspecialchars( $result );
>     }
RE: [PHP] Magic Quotes Issue
Shaun wrote:
>     function db_query($query) {
>         if(!get_magic_quotes_gpc()){
>             $qid = mysql_query(addslashes($query));
>         } else {
>             $qid = mysql_query($query);
>         }
>         return $qid;
>     }
>
> But this adds too many slashes! Has anyone come to a better solution regarding this?

I believe you should be performing this on each data item individually, not the entire SQL statement. I presume it's escaping the quotes you're using to quote the strings in your SQL.

Anyone know of a better way of doing this? We have to run our code on a variety of public servers, some with magic quotes and some more enlightened servers without. Might be nice to have a mq_addslashes function. Or I could write one myself of course...

Tim
[PHP] Magic Quotes Issue
Hi,

I have been investigating the problem of apostrophes in a mysql insert / update. I use a db_query function for all my queries:

    function db_query($query) {
        $qid = mysql_query($query);
        return $qid;
    }

It appears after some research that the best way around the problem is to check whether magic_quotes_gpc is off and if so use addslashes(). I have altered the function to this:

    function db_query($query) {
        if(!get_magic_quotes_gpc()){
            $qid = mysql_query(addslashes($query));
        } else {
            $qid = mysql_query($query);
        }
        return $qid;
    }

But this adds too many slashes! Has anyone come to a better solution regarding this?

Thanks
Re: [PHP] Magic Quotes Issue
Try

    $string = mysql_real_escape_string($string);

On 7 Dec 2004, at 14:12, Shaun wrote:
> Hi,
>
> I have been investigating the problem of apostrophes in a mysql insert / update. I use a db_query function for all my queries:
>
>     function db_query($query) {
>         $qid = mysql_query($query);
>         return $qid;
>     }
>
> It appears after some research that the best way around the problem is to check whether magic_quotes_gpc is off and if so use addslashes(). I have altered the function to this:
>
>     function db_query($query) {
>         if(!get_magic_quotes_gpc()){
>             $qid = mysql_query(addslashes($query));
>         } else {
>             $qid = mysql_query($query);
>         }
>         return $qid;
>     }
>
> But this adds too many slashes! Has anyone come to a better solution regarding this?
>
> Thanks
Re: [PHP] Magic Quotes Issue
Shaun wrote:
>     function db_query($query) {
>         if(!get_magic_quotes_gpc()){
>             $qid = mysql_query(addslashes($query));
>         } else {
>             $qid = mysql_query($query);
>         }
>         return $qid;
>     }
>
> But this adds too many slashes! Has anyone come to a better solution regarding this?

Can you give us some examples of your input data, and what you think is too many slashes?... Because if the above isn't doing what you want, then something is very wrong somewhere else.
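An added example, not Shaun's or the list's code, that shows where the "too many slashes" come from (escaping the finished statement also escapes the quotes that delimit its string literals) and a db_query() replacement in the spirit of Tim's "each data item individually": the values travel separately from the SQL and are bound as parameters, so there is nothing to escape at all. It uses PDO with an in-memory SQLite database (assumes the pdo_sqlite extension); the table and rows are constructed for the example.

```php
<?php
// Added example: escape per value (or better, bind), never the whole query.
// Not the list's own code; assumes PDO + pdo_sqlite.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE authors (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// The pattern from the thread: addslashes() over the complete statement.
// It escapes the quotes that are SQL syntax, not just the ones in the data,
// so the statement the server receives is no longer valid SQL.
function escape_whole_query(string $sql): string
{
    return addslashes($sql);
}

$broken = escape_whole_query("INSERT INTO authors (name) VALUES ('O'Reilly')");
// $broken is now:  INSERT INTO authors (name) VALUES (\'O\'Reilly\')
assert(strpos($broken, "\\'O\\'Reilly\\'") !== false);

// Replacement: placeholders in the statement, values bound separately.
// $params holds the scalar values in placeholder order; the driver sends
// them out of band, so quotes and backslashes in the data are just data.
function db_query(PDO $db, string $sql, array $params = []): PDOStatement
{
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt;
}

db_query($db, 'INSERT INTO authors (name) VALUES (?)', ["O'Reilly"]);
db_query($db, 'INSERT INTO authors (name) VALUES (?)', ['back\\slash']);

// Stored values round-trip unchanged: no slashes were added on the way in,
// so none have to be stripped on the way out (magic_quotes_runtime aside).
$names = db_query($db, 'SELECT name FROM authors ORDER BY id')
    ->fetchAll(PDO::FETCH_COLUMN);
assert($names === ["O'Reilly", 'back\\slash']);

// Look-ups work the same way; the apostrophe in the search term is data.
$row = db_query($db, 'SELECT id FROM authors WHERE name = ?', ["O'Reilly"])
    ->fetch(PDO::FETCH_ASSOC);
assert($row !== false && (int) $row['id'] === 1);

echo implode(', ', $names), "\n"; // O'Reilly, back\slash
```

Where a prepared statement is not available and a string really has to be spliced into SQL, the escaping function must be the one that knows the server's connection charset (mysql_real_escape_string() in the old mysql extension, mysqli_real_escape_string() today), applied to that one value, with the magic-quotes slashes stripped first so the value is not escaped twice.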
Re: [PHP] Re:[PHP] Magic-quotes
Jeff McKeon wrote:
> So now the big question which will undoubtedly spark a lot of opinions (I hope).
>
> We use apache/php/mysql based sites for internal management of our systems and would now like to give our customers direct access to manage their accounts via the web. Naturally this raises security concerns.
>
> From the PHP perspective, is Apache/PHP(as Module)/MySQL a secure enough platform to use for a public website that will access a production database?
>
> Opinions? Thoughts?

Let me re-phrase your question:

We normally do inside Sales and B2B Sales. We're about to open a StoreFront. Is that secure enough?

:-)

One useful tidbit, however:

If you have a bunch of tables/data in MySQL that do *NOT* need to be publicly accessible, consider setting up a replication setup where only *some* of the tables are on the public site.

That, however, is an all-MySQL issue. http://mysql.com
[PHP] Magic-quotes
Does having magic-quotes=on prevent an attacker from using a urlized sql inject query? Jeff -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Magic-quotes
On Mon, 2004-12-06 at 12:57, Jeff McKeon wrote: Does having magic-quotes=on prevent an attacker from using a urlized sql inject query? Somewhat, but I think magic_quotes=off is the preferred style since magic quotes are a big headache for portability. At any rate, understanding what you are doing and acting accordingly will provide you with better security. There is no magic pill for security. Cheers, Rob. -- .. | InterJinn Application Framework - http://www.interjinn.com | :: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Magic-quotes
-Original Message- From: Robert Cummings [mailto:[EMAIL PROTECTED] Sent: Monday, December 06, 2004 1:45 PM To: Jeff McKeon Cc: PHP-General Subject: Re: [PHP] Magic-quotes On Mon, 2004-12-06 at 12:57, Jeff McKeon wrote: Does having magic-quotes=on prevent an attacker from using a urlized sql inject query? Somewhat, but I think magic_quotes=off is the preferred style since magic quotes are a big headache for portability. At any rate, understanding what you are doing and acting accordingly will provide you with better security. There is no magic pill for security. Cheers, Rob. Portability is not an objective here per say. I'm aware of many of the security issues surrounding PHP, just trying to understand the specifics of each one so that I can weigh the plus/minus of it to my needs. Assuming I have no portability needs and have magic_quotes=on, can you elaborate on somewhat? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Magic-quotes
Jeff McKeon wrote: Does having magic-quotes=on prevent an attacker from using a urlized sql inject query? Not likely. Magic Quotes is a convenience feature, not a security feature. Magic Quotes is oft-understood, even by journeymen PHP programmers. Magic Quotes takes all incoming POST/GET data and calls http://php.net/addslashes on it before you see it. The assumption is that MOST of the POST/GET data you are getting, you want to put into your database. The downside is that if you are doing something with that data other than putting it in a database (EG: re-displaying it to the user, or logging it in a file, or...) you'll need to call http://php.net/stripslashes on it, to undo the Magic Quotes. If *MOST* of your incoming POST/GET data isn't actually going into a database, turn Magic Quotes off. If you want portable code, write a function to check Magic Quotes on/off, and call addslashes only if it's off. The thing that always kills me is when programmers call stripslashes on data that comes *OUT* of MySQL. No, no, no, no. Whatever it is you did, or think you are doing, or think you are fixing, that's WRONG. Maybe you called addslashes twice, once with Magic Quotes, and once by hand and that's how the data in the database got screwed up. Or maybe you just don't understand WHY addslashes does what it does. But calling stripslashes on data coming OUT of MySQL is WRONG. MySQL eats the 'extra' apostrophes when the data comes 'in' through your SQL statement. There are no apostrophes to strip after the data was been sucked into MySQL. If there *are* apostrophes you don't want in that data, you screwed up already getting the data in there. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Magic-quotes
On Mon, 2004-12-06 at 13:47, Jeff McKeon wrote: Assuming I have no portability needs and have magic_quotes=on, can you elaborate on somewhat? Somewhat... till someone comes along and changes your php.ini, or you transfer your code to another server and forget to enable magic quotes. At which time everything is open to the sky. More secure to have it disabled and then accidentally have it enabled and have double quoting taking place :) IMHO magic quotes are right up there with register globals in the nice idea but not in practice features. It's a prime example of where protecting newbies from themselves makes everything more painful in the long run. Cheers, Rob. -- .. | InterJinn Application Framework - http://www.interjinn.com | :: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Magic quotes
Hi,

If I have an SQL query, for example:

    $sql = "SELECT id, name FROM shop WHERE cat_id = $cat_id";

on my server it doesn't work... only if I put ... cat_id = '$cat_id'. I think I haven't set up Apache.. What is the problem?

Thanks
Re: [PHP] Magic-quotes
* Richard Lynch [EMAIL PROTECTED]: Jeff McKeon wrote: Does having magic-quotes=on prevent an attacker from using a urlized sql inject query? Not likely. Magic Quotes is a convenience feature, not a security feature. Magic Quotes is oft-understood, even by journeymen PHP programmers. oft-MISunderstood... ;-) Magic Quotes takes all incoming POST/GET data and calls http://php.net/addslashes on it before you see it. snip The thing that always kills me is when programmers call stripslashes on data that comes *OUT* of MySQL. No, no, no, no. Whatever it is you did, or think you are doing, or think you are fixing, that's WRONG. Maybe you called addslashes twice, once with Magic Quotes, and once by hand and that's how the data in the database got screwed up. Or maybe you just don't understand WHY addslashes does what it does. But calling stripslashes on data coming OUT of MySQL is WRONG. Umm... I hate to disagree with you, but this depends entirely on your server settings. It is only wrong if you have magic_quotes_runtime set to off. If magic_quotes_runtime is ON, then, as the manual says, most functions that return data from any sort of external source including databases and text files will have quotes escaped with a backslash. In other words, if magic_quotes_runtime is ON, you *will* need to run stripslashes on data returned from your database if you don't want quotes escaped with a backslash. -- Matthew Weier O'Phinney | mailto:[EMAIL PROTECTED] Webmaster and IT Specialist | http://www.garden.org National Gardening Association| http://www.kidsgardening.com 802-863-5251 x156 | http://nationalgardenmonth.org -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Magic-quotes
The thing that always kills me is when programmers call stripslashes on data that comes *OUT* of MySQL. No, no, no, no. Whatever it is you did, or think you are doing, or think you are fixing, that's WRONG. Maybe you called addslashes twice, once with Magic Quotes, and once by hand and that's how the data in the database got screwed up. Or maybe you just don't understand WHY addslashes does what it does. But calling stripslashes on data coming OUT of MySQL is WRONG. Umm... I hate to disagree with you, but this depends entirely on your server settings. It is only wrong if you have magic_quotes_runtime set to off. If magic_quotes_runtime is ON, then, as the manual says, most functions that return data from any sort of external source including databases and text files will have quotes escaped with a backslash. In other words, if magic_quotes_runtime is ON, you *will* need to run stripslashes on data returned from your database if you don't want quotes escaped with a backslash. You're right, of course. I should have explicitly stated that this only applied to the zillions who have Magic Quotes on, call addslashes before putting data into the database, then have extra slashes in the database, then call stripslashes when they get data out of the database. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re:[PHP] Magic-quotes
So now the big question which will undoubtly spark a lot of opinions (I hope). We use apache/php/mysql based sites for internal management of our systems and would now like to give our customers direct access to manage their accounts via the web. Naturally this raises security concerns. From the PHP perspective, is Apache/PHP(as Module)/MySQL a secure enough platform to use for a public website that will access a production database? Opinions? Thoughts? Thanks, Jeff -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re:[PHP] Magic-quotes
On Mon, 2004-12-06 at 16:22, Jeff McKeon wrote: So now the big question which will undoubtly spark a lot of opinions (I hope). We use apache/php/mysql based sites for internal management of our systems and would now like to give our customers direct access to manage their accounts via the web. Naturally this raises security concerns. From the PHP perspective, is Apache/PHP(as Module)/MySQL a secure enough platform to use for a public website that will access a production database? Opinions? Thoughts? This is pretty much a separate topic and so really belongs in a separate thread, but since I'm making this point I may as well answer anyways :) Absolutely. Security while somewhat linked to the language, is more a question of the developer's experience and ability. The Apache/PHP (as Module or CGI)/MySQL solution is used in millions of websites, of which I'm sure a large portion are public access. Cheers, Rob. -- .. | InterJinn Application Framework - http://www.interjinn.com | :: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Magic Quotes
I've continued plowing my way thru the 2nd edition of PHP and MySQL Web Development by Welling and Thomson. I've made it to chapter 24, where I've just read that for this chapter's project I will need to have switched on magic quotes or use addslashes() and stripslashes(). So I checked via phpinfo() and found magic_quotes_gpc On, but magic_quotes_runtime and magic_quotes_sybase both Off. Now I'm guessing that magic_quotes_runtime is the one I need to have on, but is that so? I'm also guessing that aside from using addslashes() and stripslashes(), I could prob'ly turn on magic_quotes in php_ini. But perhaps because of how I've heard turning register_globals on via php.ini is a security hazard, I'm leery of messing with php.ini at all. Can anyone advise, please? Thank you. Steve Tiano -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Magic Quotes
Hi. This is the qmail-send program at pb1.pair.com. I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out. [EMAIL PROTECTED]: This message is looping: it already has my Delivered-To line. (#5.4.6) --- Below this line is a copy of the message. Return-Path: [EMAIL PROTECTED] Received: (qmail 36829 invoked from network); 22 Dec 2003 01:11:34 - Received: from unknown (HELO dswu83.btconnect.com) (193.113.154.14) by pb1.pair.com with SMTP; 22 Dec 2003 01:11:34 - Received: from gateway.btopenworld.com (actually host 185.136.40.217.in-addr.arpa) by dswu83 with SMTP-CUST (XT-PP) with ESMTP; Mon, 22 Dec 2003 01:14:14 + Received: from gateway (127.0.0.1) by gateway.btopenworld.com (Worldmail 1.3.167) for [EMAIL PROTECTED]; 22 Dec 2003 01:20:25 + Delivery-Date: Mon, 22 Dec 2003 01:03:13 + Received: from pb1.pair.com (actually host 4.131.92.216.in-addr.arpa) by dswu27 with SMTP (XT-PP); Mon, 22 Dec 2003 01:03:04 + Received: (qmail 19780 invoked by uid 1010); 22 Dec 2003 01:04:24 - Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm Precedence: bulk list-help: [EMAIL PROTECTED] list-unsubscribe: [EMAIL PROTECTED] list-post: [EMAIL PROTECTED] Delivered-To: mailing list [EMAIL PROTECTED] Received: (qmail 19767 invoked by uid 1010); 22 Dec 2003 01:04:24 - Delivered-To: [EMAIL PROTECTED] Delivered-To: [EMAIL PROTECTED] Date: Sun, 21 Dec 2003 20:04:15 -0500 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Message-id: [EMAIL PROTECTED] MIME-version: 1.0 X-Mailer: iPlanet Messenger Express 5.2 HotFix 1.16 (built May 14 2003) Content-type: text/plain; charset=us-ascii Content-language: en Content-transfer-encoding: 7BIT Content-disposition: inline X-Accept-Language: en Priority: normal Subject: [PHP] Magic Quotes I've continued plowing my way thru the 2nd edition of PHP and MySQL Web Development by Welling and Thomson. 
I've made it to chapter 24, where I've just read that for this chapter's project I will need to have switched on magic quotes or use addslashes() and stripslashes(). So I checked via phpinfo() and found magic_quotes_gpc On, but magic_quotes_runtime and magic_quotes_sybase both Off. Now I'm guessing that magic_quotes_runtime is the one I need to have on, but is that so? I'm also guessing that aside from using addslashes() and stripslashes(), I could prob'ly turn on magic_quotes in php_ini. But perhaps because of how I've heard turning register_globals on via php.ini is a security hazard, I'm leery of messing with php.ini at all. Can anyone advise, please? Thank you. Steve Tiano -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Magic Quotes
I've continued plowing my way thru the 2nd edition of PHP and MySQL Web Development by Welling and Thomson. I've made it to chapter 24, where I've just read that for this chapter's project I will need to have switched on magic quotes or use addslashes() and stripslashes(). So I checked via phpinfo() and found magic_quotes_gpc On, but magic_quotes_runtime and magic_quotes_sybase both Off. Now I'm guessing that magic_quotes_runtime is the one I need to have on, but is that so? I'm also guessing that aside from using addslashes() and stripslashes(), I could prob'ly turn on magic_quotes in php_ini. But perhaps because of how I've heard turning register_globals on via php.ini is a security hazard, I'm leery of messing with php.ini at all. Can anyone advise, please? Thank you. Steve Tiano mail2web - Check your email from the web at http://mail2web.com/ . -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Magic Quotes
[EMAIL PROTECTED] wrote: I've continued plowing my way thru the 2nd edition of PHP and MySQL Web Development by Welling and Thomson. I've made it to chapter 24, where I've just read that for this chapter's project I will need to have switched on magic quotes or use addslashes() and stripslashes(). So I checked via phpinfo() and found magic_quotes_gpc On, but magic_quotes_runtime and magic_quotes_sybase both Off. Now I'm guessing that magic_quotes_runtime is the one I need to have on, but is that so? I'm also guessing that aside from using addslashes() and stripslashes(), I could prob'ly turn on magic_quotes in php_ini. The book is talking about magic_quotes_gpc, which you say is already on. The runtime version applies to data coming _out_ of the database (which is usually kept off) and sybase refers to escaping single quotes with another single quote (instead of the normal backslash). If you're using MySQL, you don't need the sybase directive on. -- ---John Holmes... Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/ php|architect: The Magazine for PHP Professionals www.phparch.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] magic quotes
Hello, I am running a test server and a live system. both do have the same php version running. The test system however does not report a db error if I try to insert a string containing a ' The live system does. As I learned from php.ini magic quotes are turned off on both systems. So what could be the cause? Thanx for any help on that, Merlin -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] magic quotes
Hello, This is a reply to an e-mail that you wrote on Tue, 22 Jul 2003 at 20:36, lines prefixed by '' were originally written by you. Hello, I am running a test server and a live system. both do have the same php version running. The test system however does not report a db error if I try to insert string containing a ' The live system does. As I learned from php.ini magic quotes are turned off on both systems. what could be the cause? Are you escaping all strings that are used in db queries with the appropiate function for your database server, e.g. for mySql, mysql_escape_string() http://uk2.php.net/mysql_escape_string David -- phpmachine :: The quick and easy to use service providing you with professionally developed PHP scripts :: http://www.phpmachine.com/ Professional Web Development by David Nicholson http://www.djnicholson.com/ QuizSender.com - How well do your friends actually know you? http://www.quizsender.com/ (developed entirely in PHP) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] magic quotes
--- Merlin [EMAIL PROTECTED] wrote: As I learned from php.ini magic quotes are turned off on both systems. As a first step, make sure the output of phpinfo() agrees with your analysis. Chris = Become a better Web developer with the HTTP Developer's Handbook http://httphandbook.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] magic quotes
I just found, that one server pulls the data out of the db and leaves the slashes inside the text, while the other one does not. both of the phpinfo look same to me. However I might have overlooked something. I do use addslashes to escape the characters. Anny suggestions? Chris Shiflett [EMAIL PROTECTED] schrieb im Newsbeitrag news:[EMAIL PROTECTED] --- Merlin [EMAIL PROTECTED] wrote: As I learned from php.ini magic quotes are turned off on both systems. As a first step, make sure the output of phpinfo() agrees with your analysis. Chris = Become a better Web developer with the HTTP Developer's Handbook http://httphandbook.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] magic quotes
Hello, This is a reply to an e-mail that you wrote on Tue, 22 Jul 2003 at 20:53, lines prefixed by '' were originally written by you. I just found, that one server pulls the data out of the db and leaves the slashes inside the text, while the other one does not. both of the phpinfo look same to me. However I might have overlooked something. Sounds like one server is adding the slashes twice then, possibly once by magic quotes and once by your call to addslashes. Double check your php.ini and phpinfo() output to see if magic quotes is on. David. -- phpmachine :: The quick and easy to use service providing you with professionally developed PHP scripts :: http://www.phpmachine.com/ Professional Web Development by David Nicholson http://www.djnicholson.com/ QuizSender.com - How well do your friends actually know you? http://www.quizsender.com/ (developed entirely in PHP) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] magic quotes
> -----Original Message-----
> From: Chris Hewitt [mailto:[EMAIL PROTECTED]]
> Sent: 03 April 2003 09:26
> To: Justin French
>
> [snip]
>
> What I have done is to do the addslashes/stripslashes assuming magic_quotes_runtime is off then force it off within my code beforehand with:
>
>     if (ini_get('magic_quotes_runtime') == 1) {
>         if (ini_set('magic_quotes_runtime', 'Off') == false) {
>             echo "ERROR: Could not turn off magic_quotes_runtime\n";
>         }
>     }
>
> I found that ini_set would throw an error if the setting was already made, hence the initial check. So far this seems OK, but it was only yesterday...

Something bugged me about this code and comment when I very first read it, but it's taken an overnight cogitate to work out what it was. Dare I venture that your previous code, which sometimes appeared to throw an error, was simply:

    if (ini_set('magic_quotes_runtime', 'Off') == false) {
        echo "ERROR: Could not turn off magic_quotes_runtime\n";
    }

? If so, there's a fundamental flaw here: as ini_set is defined to return the previous value of the setting, or FALSE if it fails, a simple equality comparison (==) to FALSE will succeed whenever the ini_set fails *or when the previous value was 0 (off)*. To echo your error only when ini_set() genuinely returns FALSE, you must do an identity comparison (===).

<rant-ish>

It can *never* be good practice to make an equality (==) or non-equality (!=) comparison with TRUE or FALSE. Not only is this bad style, but it is also inefficient. Consider:

    if ($x == TRUE)

(where $x can be any arbitrary expression). PHP must first retrieve the value of $x, convert it to Boolean (giving TRUE or FALSE) and then compare it to TRUE -- yielding TRUE if $x was, er, TRUE and FALSE if $x was, duh, FALSE. That's a whole extra unnecessary comparison, plus some obfuscation for humans reading the code. So just use:

    if ($x)

Taking the converse:

    if ($x == FALSE)

this isn't quite so clear-cut. PHP will retrieve the Boolean value of $x (TRUE or FALSE), then compare it to FALSE, yielding TRUE if $x was FALSE, FALSE if it was TRUE. It's not immediately clear, but this comparison will usually be more expensive than just doing a Boolean not (!) on the expression. Stylistically, it's usually also clearer to read as

    if (!$x)

-- IMO, it's better to have the clue that you're looking for the inverse value at the front, and read it as "if not $x". (Well, I suppose you could also write if (FALSE == $x), but personally I think that's just as bad as the other way round!)

Finally, if you never have an == or != comparison to TRUE or FALSE, the rare occasion when you actually need to do an === or !== test will be very obvious and will alert someone reading the code (yes, even yourself several months later!) that something special is going on.

</rant-ish>

Cheers!

Mike

-----
Mike Ford, Electronic Information Services Adviser, Learning Support Services, Learning Information Services, JG125, James Graham Building, Leeds Metropolitan University, Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730
Fax: +44 113 283 3211
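Mike's point is a classic PHP type-juggling trap: ini_set() returns the previous value as a string, and the string "0" loosely compares equal to FALSE. The following is an added example, not code from the thread, that puts the quoted check and the corrected check side by side. It uses the display_errors option rather than magic_quotes_runtime only because the latter no longer exists in current PHP; the option name used for the deliberate failure case is constructed.

```php
<?php
// Added example for Mike's point about ini_set() and loose comparison; not code
// from the thread. ini_set() returns the option's OLD value as a string, or false
// when the call fails. When the old value is "0" (off) or "", the loose test
// "== false" is true, so the error branch fires even though the call succeeded.

// The check as written in the quoted code: reports failure whenever the result
// loosely equals false, which includes the legitimate old value "0".
function set_with_loose_check(string $option, string $value): bool
{
    return ini_set($option, $value) == false;
}

// The corrected check: only an actual false (the call really failed) counts.
function set_with_strict_check(string $option, string $value): bool
{
    return ini_set($option, $value) === false;
}

// 'display_errors' stands in for magic_quotes_runtime because it still exists on
// current PHP and is changeable at runtime; the point applies to any option
// whose previous value is "0".
ini_set('display_errors', '0');   // after this call the previous value is "0"

// Same successful call, judged two ways: the loose check raises a false alarm,
// the strict check does not.
$loose  = set_with_loose_check('display_errors', '0');
$strict = set_with_strict_check('display_errors', '0');

// An unknown option (constructed name) makes ini_set() return a real false,
// which is the only case the strict check reports.
$bogus  = set_with_strict_check('no_such_option_for_this_example', '1');

printf("loose check reports failure:            %s\n", var_export($loose, true));
printf("strict check reports failure:           %s\n", var_export($strict, true));
printf("strict check, unknown option, failure:  %s\n", var_export($bogus, true));
```

Run it and the loose check reports a failure for a call that succeeded, while the strict check reports failure only for the unknown option. The same loose-comparison hazard applies to any function documented as returning "a value, or FALSE on failure" where the legitimate value can be 0, "0" or an empty string, such as strpos().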
Re: [PHP] magic quotes
Ford, Mike [LSS] wrote:

> > -----Original Message-----
> > From: Chris Hewitt [mailto:[EMAIL PROTECTED]]
> > Sent: 03 April 2003 09:26
> > To: Justin French
> >
> > [snip]
> >
> > What I have done is to do the addslashes/stripslashes assuming magic_quotes_runtime is off then force it off within my code beforehand with:
> >
> >     if (ini_get('magic_quotes_runtime') == 1) {
> >         if (ini_set('magic_quotes_runtime', 'Off') == false) {
> >             echo "ERROR: Could not turn off magic_quotes_runtime\n";
> >         }
> >     }
> >
> > I found that ini_set would throw an error if the setting was already made, hence the initial check. So far this seems OK, but it was only yesterday...
>
> Something bugged me about this code and comment when I very first read it, but it's taken an overnight cogitate to work out what it was. Dare I venture that your previous code, which sometimes appeared to throw an error, was simply:
>
>     if (ini_set('magic_quotes_runtime', 'Off') == false) {
>         echo "ERROR: Could not turn off magic_quotes_runtime\n";
>     }
>
> ? If so, there's a fundamental flaw here: as ini_set is defined to return the previous value of the setting, or FALSE if it fails, a simple equality comparison (==) to FALSE will succeed whenever the ini_set fails *or when the previous value was 0 (off)*. To echo your error only when ini_set() genuinely returns FALSE, you must do an identity comparison (===).

Yes, that was my previous code and you are right, it's not right! I'll change it and thanks for letting me know.

Regards

Chris
RE: [PHP] magic quotes
> So,
>
> 1. turn ON runtime and gpc

No, leave them off if your code runs fine without them. You'll save resources if you do the addslashes() yourself to only the fields that need it instead of everything. I see no reason at all to ever have runtime ON. It will escape data coming _from_ the database so then you'd have to stripslash() it to display it. Waste of time if you ask me.

> 2. only addslashes() when inserting into the database IF get_magic_quotes_runtime() is 0 (false)

No... use addslashes() if get_magic_quotes_gpc() is 0 (false). When it's off, it means incoming GET, POST, and COOKIE data will not have quotes escaped. Use addslashes() on the data that needs it before you insert it into the database.

> 3. only stripslashes() when retrieving from the database IF get_magic_quotes_runtime() is 0 (false)

No. You'll need to stripslashes() data coming from your database when get_magic_quotes_runtime() is 1 (true). If it's off, the data coming from the database should not have any slashes in it at all. If it does, like Phillip said, then you're running addslashes() twice somehow.

If you look at the raw data inside your database and see values like "It\'s" then you're running addslashes() twice somehow. With magic_quotes_runtime enabled (true, 1) then data such as "It's" in the database will be returned to your script as "It\'s".

> Right so far?

I think you struck out. :)

> Then I need to know how to fix up possible mistakes in the past. What should I do to the current data in multiple tables which may or may not have had the addslashes() done twice. Any one got some cool code???

You should just be able to do an UPDATE for each column and use REPLACE to change \' to just ' (and the same for double quotes, if necessary). You'll have to do it for each column in each table that's affected, though... You could write a little PHP script to do it for you.

---John Holmes...
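John's repair advice (one UPDATE per affected column, using REPLACE to turn \' back into ') is easy to get wrong because the backslash has to be escaped once for the MySQL string literal. The following is an added example, not code from the thread: it flags stored values that still carry the tell-tale \' or \" of a second addslashes() pass, and generates the UPDATE statements. The table and column names and the sample rows are constructed, and the generated SQL assumes MySQL's default backslash escaping (sql_mode without NO_BACKSLASH_ESCAPES).

```php
<?php
// Added example for the "UPDATE ... REPLACE" repair John describes; not code
// from the thread. Part 1 detects double-escaped values read back from the
// database; part 2 generates one UPDATE per column that undoes the extra layer.

// True when a value as read back (with magic_quotes_runtime off) still contains
// an escaped quote, which means it was run through addslashes() twice on the way in.
function looks_double_escaped(string $stored): bool
{
    return strpos($stored, "\\'") !== false || strpos($stored, '\\"') !== false;
}

// What the value should have been: strip exactly one layer of slashes.
function undo_one_escape(string $stored): string
{
    return stripslashes($stored);
}

// Only accept plain identifiers, so a table or column name taken from config or
// a form can't smuggle SQL into the generated statement.
function assert_identifier(string $name): void
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("Unsafe identifier: $name");
    }
}

// One UPDATE per column. Inside a MySQL string literal '\\\'' is backslash+quote
// and '\\"' is backslash+double-quote (default sql_mode, backslash escaping on).
// The WHERE clause limits the write to rows that actually contain a backslash.
function repair_statements(string $table, array $columns): array
{
    assert_identifier($table);
    $template = <<<'SQL'
UPDATE `%1$s` SET `%2$s` = REPLACE(REPLACE(`%2$s`, '\\\'', '\''), '\\"', '"') WHERE INSTR(`%2$s`, '\\') > 0;
SQL;
    $out = [];
    foreach ($columns as $column) {
        assert_identifier($column);
        $out[] = sprintf($template, $table, $column);
    }
    return $out;
}

// Constructed sample of what "SELECT name FROM shop" might return after the
// values were escaped twice before insertion.
$rows = ["It\\'s a \\\"test\\\"", "plain value", "O\\'Reilly"];
foreach ($rows as $stored) {
    if (looks_double_escaped($stored)) {
        printf("%-25s -> %s\n", $stored, undo_one_escape($stored));
    }
}

foreach (repair_statements('shop', ['name', 'description']) as $sql) {
    echo $sql, "\n";
}
```

Run the generated statements against a copy of the data first: a row in which someone genuinely typed a backslash before a quote is indistinguishable from a double-escaped one, so the REPLACE will rewrite it too. Fixing the insertion path (addslashes once, or magic_quotes_gpc alone) before running the repair stops the problem from coming back.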
Re: [PHP] magic quotes
That's exactly what magic_quotes_runtime does. It adds slashes to data at runtime - including data returned from functions such as mysql_fetch_(assoc/row/array/object). Justin French wrote: Hi all, Can I just have a quick head check on magic quotes runtime (gpc)? I have them both set to Off currently, and my pages work fine. However, when I set them to on, I end up with slashes throughout the mysql data. Is this the expected behaviour? Seems counter-intuitive to me, but I've never really cared about it 'till today, because i've never had a problem!! What is a common setting for these two directives, so that I can have my LAN server *reasonably* normal. TIA Justin -- The above message is encrypted with double rot13 encoding. Any unauthorized attempt to decrypt it will be prosecuted to the full extent of the law. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] magic quotes
Justin French wrote:

> Hi all,
>
> Can I just have a quick head check on magic quotes runtime (gpc)? I have them both set to Off currently, and my pages work fine. However, when I set them to on, I end up with slashes throughout the mysql data.
>
> Is this the expected behaviour? Seems counter-intuitive to me, but I've never really cared about it 'till today, because i've never had a problem!!
>
> What is a common setting for these two directives, so that I can have my LAN server *reasonably* normal.

The defaults are runtime off and gpc on. As you refer specifically to slashes in mysql data I assume that the runtime one is more relevant to what you are doing. If your code runs properly with runtime off then you are doing the addslashes/stripslashes as intended. With the same code and runtime on then you will get double slashes. I had reason to look at this in the manual yesterday and it seems the magic_quotes_runtime turned on is aimed more at beginners (but I could be wrong).

What I have done is to do the addslashes/stripslashes assuming magic_quotes_runtime is off then force it off within my code beforehand with:

    if (ini_get('magic_quotes_runtime') == 1) {
        if (ini_set('magic_quotes_runtime', 'Off') == false) {
            echo "ERROR: Could not turn off magic_quotes_runtime\n";
        }
    }

I found that ini_set would throw an error if the setting was already made, hence the initial check. So far this seems OK, but it was only yesterday... If anyone else has a better suggestion, I'd be pleased to hear it.

HTH

Chris
Re: [PHP] magic quotes
Hi Philip,

Thanks for taking the time...

    $me = "confused";

...but rather than attempting to get a grip on the past, I need a solution for the future :)

So,

1. turn ON runtime and gpc
2. only addslashes() when inserting into the database IF get_magic_quotes_runtime() is 0 (false)
3. only stripslashes() when retrieving from the database IF get_magic_quotes_runtime() is 0 (false)

Right so far?

Then I need to know how to fix up possible mistakes in the past. What should I do to the current data in multiple tables which may or may not have had the addslashes() done twice. Any one got some cool code???

Justin

on 03/04/03 6:43 PM, Philip Olson ([EMAIL PROTECTED]) wrote:

> On Thu, 3 Apr 2003, Justin French wrote:
>
> > Hi all,
> >
> > Can I just have a quick head check on magic quotes runtime (gpc)? I have them both set to Off currently, and my pages work fine. However, when I set them to on, I end up with slashes throughout the mysql data.
>
> This means you essentially ran addslashes() twice before insertion. Don't do that. You should never ever have to strip slashes from data already in the database.
>
> > Is this the expected behaviour? Seems counter-intuitive to me, but I've never really cared about it 'till today, because i've never had a problem!!
>
> No, only add slashes once. Do this with a function like addslashes() OR do it magically. Once.
>
> > What is a common setting for these two directives, so that I can have my LAN server *reasonably* normal.
>
> Defaults to on so I guess that's normal. See also get_magic_quotes_gpc()...
>
> Regards,
> Philip

---
[This E-mail scanned for viruses]
[PHP] magic quotes
Hi all,

Can I just have a quick head check on magic quotes runtime (gpc)? I have them both set to Off currently, and my pages work fine. However, when I set them to on, I end up with slashes throughout the mysql data.

Is this the expected behaviour? Seems counter-intuitive to me, but I've never really cared about it 'till today, because I've never had a problem!!

What is a common setting for these two directives, so that I can have my LAN server *reasonably* normal.

TIA
Justin
Re: [PHP] magic quotes
On Thu, 3 Apr 2003, Justin French wrote:

> Hi all,
>
> Can I just have a quick head check on magic quotes runtime (gpc)? I have them both set to Off currently, and my pages work fine. However, when I set them to on, I end up with slashes throughout the mysql data.

This means you essentially ran addslashes() twice before insertion. Don't do that. You should never ever have to strip slashes from data already in the database.

> Is this the expected behaviour? Seems counter-intuitive to me, but I've never really cared about it 'till today, because I've never had a problem!!

No, only add slashes once. Do this with a function like addslashes() OR do it magically. Once.

> What is a common setting for these two directives, so that I can have my LAN server *reasonably* normal.

Defaults to on so I guess that's normal. See also get_magic_quotes_gpc()...

Regards,
Philip
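Added example, not code from the thread: it reproduces the double escaping Chris and Philip describe (magic_quotes_gpc has already run addslashes() on the request, then the script runs it again before the INSERT) and shows one place where quotes are handled exactly once. It assumes PDO with the SQLite driver standing in for MySQL; the table name and the submitted value are constructed.

```php
<?php
// Constructed sample of what the browser submitted.
$raw = "O'Brian said \"hi\"";

// With magic_quotes_gpc = On, PHP has already run addslashes() on $_POST,
// so every quote in $raw now carries one backslash.
$as_received = addslashes($raw);

// The thread's mistake: escaping a second time before the INSERT. The first
// backslash gets escaped too; MySQL removes only one level when parsing the
// statement, so one backslash per quote survives in the table.
$double_escaped = addslashes($as_received);

// Step 1: if magic quotes are active, undo them once so the rest of the
// application always sees the raw value. The function_exists() guard keeps
// this running on PHP >= 5.4, where magic quotes no longer exist.
function undo_magic_quotes($value)
{
    return is_array($value)
        ? array_map('undo_magic_quotes', $value)
        : stripslashes($value);
}
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// Step 2: quote exactly once, at the SQL boundary, by binding a parameter
// instead of calling addslashes(). No stripslashes() is needed on the way out.
// An in-memory SQLite database (assumption) stands in for MySQL.
function store_and_fetch(PDO $pdo, $text)
{
    $pdo->exec('CREATE TABLE IF NOT EXISTS comments (body TEXT)');
    $ins = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $ins->execute(array(':body' => $text));
    return $pdo->query('SELECT body FROM comments')->fetchColumn();
}

$pdo = new PDO('sqlite::memory:');
$stored = store_and_fetch($pdo, $raw);

// The round trip is lossless; the two escaped forms show what the table
// would have held under the thread's double addslashes().
var_dump($stored === $raw, $as_received, $double_escaped);
```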
[PHP] magic quotes runtime and gpc -- difference?
Hi all,

I'm attempting to find some documentation on magic_quotes_runtime and magic_quotes_gpc -- what's the difference?

Justin
[PHP] magic quotes
What are magic quotes? Will this help me?
http://news.php.net/article.php?group=php.general&article=126934

How is this different from stripslashes.

I have RTF doc :)
http://www.php.net/manual/en/function.get-magic-quotes-gpc.php

Be gentil ::p

--
John Taylor-Johnston
-
If it's not open-source, it's Murphy's Law.
-
Université de Sherbrooke:
http://compcanlit.ca/
Re: [PHP] magic quotes
Hi,

Thursday, December 5, 2002, 3:39:20 AM, you wrote:

JTJ> What are magic quotes? Will this help me?
JTJ> http://news.php.net/article.php?group=php.general&article=126934
JTJ> How is this different from stripslashes.
JTJ> I have RTF doc :)
JTJ> http://www.php.net/manual/en/function.get-magic-quotes-gpc.php
JTJ> Be gentil ::p
JTJ> --
JTJ> John Taylor-Johnston
JTJ> -
JTJ> If it's not open-source, it's Murphy's Law.
JTJ> -
JTJ> Université de Sherbrooke:
JTJ> http://compcanlit.ca/

magic quotes are slashes that are added to post and get data by PHP
That is probably what is stuffing up :)

I replied to an earlier thread with a possible solution but here it is again...

    function clean_search_string($s){
        // Undo magic_quotes_gpc once, then escape each token exactly once below.
        $s = stripslashes($s);
        // States: S = between tokens, W = inside a bare word,
        //         Q = inside a "double-quoted" phrase, q = inside a 'single-quoted' phrase.
        $state = 'S';
        $len = strlen($s);
        $out = '';
        $list = array();
        for($i=0;$i<$len;$i++){
            switch($state){
                case 'S':
                    switch($s[$i]){
                        case ' ': break;
                        case '"': $state = 'Q'; break;
                        case "'": $state = 'q'; break;
                        default: $state = 'W'; $out .= $s[$i]; break;
                    }
                    break;
                case 'W':
                    switch($s[$i]){
                        case ' ': $state = 'S'; $out = addslashes($out); $list[] = $out; $out = ''; break;
                        default: $out .= $s[$i]; break;
                    }
                    break;
                case 'Q':
                    // a closing quote re-wraps the phrase in double quotes for MySQL Boolean mode
                    switch($s[$i]){
                        case '"': $state = 'S'; $out = '"'.addslashes($out).'"'; $list[] = $out; $out = ''; break;
                        default: $out .= $s[$i]; break;
                    }
                    break;
                case 'q':
                    switch($s[$i]){
                        case "'": $state = 'S'; $out = '"'.addslashes($out).'"'; $list[] = $out; $out = ''; break;
                        default: $out .= $s[$i]; break;
                    }
                    break;
            }
        }
        // whatever is left when the string ends becomes the last token
        if(!empty($out)) $list[] = addslashes($out);
        $r = '';
        foreach($list as $val){
            $r .= $val.' ';
        }
        return $r;
    }

    // simulate what magic_quotes_gpc hands the script, then clean it
    $test = addslashes(' +test hello "maria fish" '."-O'Brian 'big \\ test'");
    $list = clean_search_string($test);
    echo $list.'<br>';

you will then just need SELECT.. AGAINST '$list'

--
regards,
Tom
Re: [PHP] magic quotes
magic_quotes_gpc is simple, it essentially runs addslashes on all GET, POST and COOKIE data. That's it.

http://www.php.net/ref.info#ini.magic-quotes-gpc
http://www.php.net/addslashes
http://www.php.net/variables.external

Not sure about your problem, maybe someone else can help.

Regards,
Philip

On Wed, 4 Dec 2002, John Taylor-Johnston wrote:

> What are magic quotes? Will this help me?
> http://news.php.net/article.php?group=php.general&article=126934
>
> How is this different from stripslashes.
>
> I have RTF doc :)
> http://www.php.net/manual/en/function.get-magic-quotes-gpc.php
>
> Be gentil ::p
>
> --
> John Taylor-Johnston
> -
> If it's not open-source, it's Murphy's Law.
> -
> Université de Sherbrooke:
> http://compcanlit.ca/
Tom: [PHP] magic quotes
Tom,

Sorry for the delay. I have tried your code.

    SELECT id,AU,ST,BT,AT FROM ccl_main WHERE MATCH (TNum,YR,AU,ST,SD,BT,BC,AT,PL,PR,PG,LG,AUS,KW,GEO,AN,RB,CO) AGAINST ('ready maria ' IN BOOLEAN MODE) ORDER BY id asc

Without the space, as with addslashes, MySQL won't compute the sql. This is the echo $sql. There is an extra space before the final single quote. Nonetheless,

    $sql = 'SELECT id,AU,ST,BT,AT FROM '.$table.' WHERE MATCH (TNum,YR,AU,ST,SD,BT,BC,AT,PL,PR,PG,LG,AUS,KW,GEO,AN,RB,CO) AGAINST (\''.clean_search_string($search).'\' IN BOOLEAN MODE) ORDER BY id asc';

MySQL still thinks it is receiving A boolean +ready and + maria

http://ccl.flsh.usherb.ca/print/index.html

I'm just dumbfounded.

Tom Rogers wrote:

> Hi,
>
> Thursday, December 5, 2002, 3:39:20 AM, you wrote:
>
> JTJ> What are magic quotes? Will this help me?
> JTJ> http://news.php.net/article.php?group=php.general&article=126934
> JTJ> How is this different from stripslashes.
> JTJ> I have RTF doc :)
> JTJ> http://www.php.net/manual/en/function.get-magic-quotes-gpc.php
> JTJ> Be gentil ::p
> JTJ> --
> JTJ> John Taylor-Johnston
> JTJ> -
> JTJ> If it's not open-source, it's Murphy's Law.
> JTJ> -
> JTJ> Université de Sherbrooke:
> JTJ> http://compcanlit.ca/
>
> magic quotes are slashes that are added to post and get data by PHP
> That is probably what is stuffing up :)
>
> I replied to an earlier thread with a possible solution but here it is again...
>
> [Tom's clean_search_string() code quoted in full; see his message above.]
>
> you will then just need SELECT.. AGAINST '$list'
>
> --