On Thu, 9 Aug 2007 00:29:15 -0500 (CDT), "Richard Lynch" wrote:
> Problem #7:
> Magic Quotes was designed for the ASCII character set, and is
> downright dangerous to use for anything else (Unicode/UTF-8/etc).
> ...
> [Though maybe not, as maybe addslashes can't do any harm to Unicode if
> there'
I added the code to my script and I still ended up with escaped quotes.
if(ini_get('magic_quotes_gpc')) $_POST['data'] =
stripslashes($_POST['data']); Didn't work at all. I think I read something
about it not working on runtime data. Like gpc if this is correct do you
have another solution? I put th
On Thu, August 9, 2007 8:23 am, Bastien Koert wrote:
> you could use ini_set at the top of the script to turn the magic
> quotes off...
No, you could not.
Lonngg before ini_set is called, PHP has *already* applied
the Magic Quotes "feature" and munged your data.
:-)
--
Some people
On 09 August 2007 14:44, David Giragosian wrote:
> On 8/9/07, Bastien Koert <[EMAIL PROTECTED]> wrote:
> >
> >
> > you could use ini_set at the top of the script to turn the magic
> > quotes off...if you add this in a prepend file or a common included
> > file that sits at the top of the script,
On 8/9/07, Bastien Koert <[EMAIL PROTECTED]> wrote:
>
>
> you could use ini_set at the top of the script to turn the magic quotes
> off...if you add this in a prepend file or a common included file that sits
> at the top of the script, it should take care of the damn magic quotes...
Why might thi
AIL PROTECTED]
> To: [EMAIL PROTECTED]
> CC: php-general@lists.php.net
> Date: Wed, 8 Aug 2007 23:58:50 -0500
> Subject: RE: [PHP] magic quotes
>
> I added the code to my script and I still ended up with escaped quotes.
> if(ini_get('magic_quotes_gpc')) $_POST['data'] =
>
work
> either: php_flag magic_quotes_gpc off... Is there any way possible? I
> don't
> need it now but it'd be nice to know for the future dev.
>
> Kevon K. Hayes
> 815-980-3435
> RFD, IL
>
> -Original Message-
> From: Richard Lynch [mailto:[EMAIL PR
's bookmarked.
-Original Message-
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 09, 2007 12:29 AM
To: k3cheese
Cc: php-general@lists.php.net
Subject: RE: [PHP] magic quotes
On Thu, August 9, 2007 12:01 am, k3cheese wrote:
> I have an example, how using js can inst
On Thu, August 9, 2007 12:01 am, k3cheese wrote:
> I have an example, how using js can instantly remove chars you type.
> If I
> don't want quotes in the form fields the code in loop removes them.
> What's
> your take on this?
My take:
Problem #1:
It doesn't work very well for fields that actuall
ther: php_flag magic_quotes_gpc off... Is there any way possible? I
> don't
> need it now but it'd be nice to know for the future dev.
>
> Kevon K. Hayes
> 815-980-3435
> RFD, IL
>
> -Original Message-
> From: Richard Lynch [mailto:[EMAIL PROTECTED]
> Sent:
o: '[EMAIL PROTECTED]'
Cc: 'php-general@lists.php.net'
Subject: RE: [PHP] magic quotes
I added the code to my script and I still ended up with escaped quotes.
if(ini_get('magic_quotes_gpc')) $_POST['data'] =
stripslashes($_POST['data']); Didn't work
rom: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 08, 2007 11:49 PM
To: k3cheese
Cc: php-general@lists.php.net
Subject: RE: [PHP] magic quotes
.htaccess is only meaningful for Apache.
JavaScript is equally useless to Ajax for working around Magic Quotes.
On Wed, August 8, 2007 7:5
Sent: Tuesday, August 07, 2007 11:30 PM
> To: KVIGOR
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] magic quotes
>
> On Tue, July 31, 2007 9:28 am, KVIGOR wrote:
>> If magic quotes is on and I don't have access to the php.ini.
>>
>> Is there any way I can
Cool,
That's very informative. You guys ROCK!
-Original Message-
From: Chris [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 08, 2007 5:16 PM
To: k3cheese
Cc: [EMAIL PROTECTED]; php-general@lists.php.net
Subject: Re: [PHP] magic quotes
k3cheese wrote:
> Thanks,
>
>
k3cheese wrote:
Thanks,
Meant javascript not ajax. I had AJAX on the brain due to a project I'm working
on. So I'm assuming there is a library of functions to use with the
.htaccess file? Cause it looks like you can use UNIX and PHP to edit this
file?
htaccess files can do lots of things.
http:
al Message-
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 07, 2007 11:30 PM
To: KVIGOR
Cc: php-general@lists.php.net
Subject: Re: [PHP] magic quotes
On Tue, July 31, 2007 9:28 am, KVIGOR wrote:
> If magic quotes is on and I don't have access to the php.ini.
>
> Is
On Tue, July 31, 2007 9:28 am, KVIGOR wrote:
> If magic quotes is on and I don't have access to the php.ini.
>
> Is there any way I can strip quotes from the form field without using
> AJAX?
Best: Use .htaccess to turn magic_quotes off.
Okay: Use something like if (ini_get('magic_quotes_gpc')) $da
> Ta
> Steve
>
> -Original Message-
> From: Richard Heyes [mailto:[EMAIL PROTECTED]
> Sent: 17 July 2007 12:25
> To: Phil Princely
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] magic quotes
>
>> What do people on this list usually do with this kind of p
On Tue, July 17, 2007 5:30 am, Phil Princely wrote:
> I've been having a problem with a setting on a test server and
> production server. My test server has magic_quotes_gpc off, but the
> production server has it turned on. I've no access to the php.ini for
> the production server and don't want t
Phil Princely wrote:
thanks for all the help.
My code was wrong in the first post, I just copied it straight from
the web. This one works:
if (get_magic_quotes_gpc()) {
stripslashes_array($_GET);
stripslashes_array($_POST);
stripslashes_array($_REQUEST);
stripslashes_array($_COO
Phil Princely wrote:
What do people on this list usually do with this kind of problem. To
me, the .htaccess seems the easiest solution, since I don't have to
change any scripts.
I would certainly turn it off in php.ini or apache config files if
possible (the .htaccess line should be "php_flag
without having to worry about different .htaccess files for each.
Ta
Steve
-Original Message-
From: Richard Heyes [mailto:[EMAIL PROTECTED]
Sent: 17 July 2007 12:25
To: Phil Princely
Cc: php-general@lists.php.net
Subject: Re: [PHP] magic quotes
> What do people on this list usually do w
What do people on this list usually do with this kind of problem. To
me, the .htaccess seems the easiest solution, since I don't have to
change any scripts.
Use a .htaccess file, or if performance is any sort of concern, put it
in the server configuration files and turn off .htaccess files.
F
On Fri, February 23, 2007 12:04 pm, Liz Kim wrote:
> I've got all three Magic Quote directives turned off...
> When I use sql query to grab any string from a database, it still
> spits out
> the \ in front of the special characters..
Here's one possible scenario:
You *USED* to have Magic Quotes G
On 2/23/07, Liz Kim <[EMAIL PROTECTED]> wrote:
I've got all three Magic Quote directives turned off...
When I use sql query to grab any string from a database, it still spits
out
the \ in front of the special characters..
Any ideas?
thanks
What's it look like in the database?
David
Liz Kim wrote:
> I've got all three Magic Quote directives turned off...
> When I use sql query to grab any string from a database, it
> still spits out the \ in front of the special characters..
Turning off magic quotes doesn't repair the data already in your
database. It sounds like data has pre
This one time, at band camp, Angelo Zanetti <[EMAIL PROTECTED]> wrote:
should I enable magic_quotes_gpc or should I use
> addslashes() and stripslashes()?
magic quotes is disabled by default these days, and does not make for portable
code.
It is removed in PHP6
Kevin
--
"Democracy is two wol
Angelo Zanetti wrote:
> Hi guys.
> ... So on my live server should I enable
> magic_quotes_gpc or should I use addslashes() and stripslashes()?
>
> Thanks in advance.
In addition to all the other replies saying that magic quotes are evil
which I completely agree with, it should also be noted that
tedd wrote:
I do it by placing a text file at root named ".htaccess" with the
following
php_value magic_quotes_gpc 0
php_value magic_quotes_sybase 0
php_value magic_quotes_runtime 0
Only works if your web server allows you to do this. In Apache the
controlling option for this is:
Allow
Angelo Zanetti wrote:
Hi guys.
I've just read an article that gives a good explanation about escaping
single quote characters with slashes, the author then says that
magic_quotes_gpc can do this for you if enabled on your server, he then
also mentions how if your magic_quotes_gpc are not t
At 2:37 PM -0800 4/5/06, Angelo Zanetti wrote:
Hi guys.
I've just read an article that gives a good explanation about
escaping single quote characters with slashes, the author then says
that magic_quotes_gpc can do this for you if enabled on your server,
he then also mentions how if your m
Angelo Zanetti wrote:
So should i avoid magic_quotes_gpc all together?
In my opinion, yes.
my local development server has them enabled and when testing
the input of a textfield that does a select query I input 'hello'
(including single quotes) and it works really well with the
single quotes
IMHO,
it really depends on a couple of things...
1). how you use it
and 2). How much control you want...
If you have a single point of entry for database actions, like a class
that mimics the database structure and handles updates, inserts,
deletes, then it makes sense to turn them off to give
Hi Marco,
Thanks for the help, you gave me a place to start. Before doing what would
amount to a lot of coding to correct this problem throughout my site I
wanted to see if it could be corrected on the server side.
I found the following section in the php.ini file:
; As of 4.0b4, PHP always outp
Lance Earl wrote:
I recently upgraded my server. It is running Ubuntu Linux with PHP and
MySQL. My site allows people to post content to their own web pages
through a web interface. Many of my customers compose their content on a
word processor and then cut and paste it to the web interface for
Hello Lance--
On 8/5/05 2:18 PM, "Lance Earl" <[EMAIL PROTECTED]> wrote:
> I recently upgraded my server. It is running Ubuntu Linux with PHP and
> MySQL. My site allows people to post content to their own web pages
> through a web interface. Many of my customers compose their content on a
> word
On Thursday 10 February 2005 23:36, Ben Edwards (lists) wrote:
> The cleaning works but magic_quotes_runtime is false even if magic
> codes are on, any ideas?
There are at least two magic_quotes_* settings, make sure you are
referring to the correct one(s).
--
Jason Wong -> Gremlins Associates
Ben Edwards (lists) wrote:
> Am I correct in thinking Magic Quotes automatically adds quotes to all
> posted variables, therefore if you are displaying post variables on a
> form you have to remove the quotes. They are only needed if you are
> actually inserting/updating into the database. Wheth
Ben Edwards (lists) wrote:
On Thu, 2005-02-10 at 13:45 +0100, Jochem Maas wrote:
Ben Edwards (lists) wrote:
PS phpsc.net seems to be down, or is the domain wrong?
er yes, oops. as Jeffery pointed out it should have been
phpsec.org. had a brainfreeze sorry.
OK, trying to do a function to remove ma
On Thu, 2005-02-10 at 13:45 +0100, Jochem Maas wrote:
> Ben Edwards (lists) wrote:
> > PS phpsc.net seems to be down, or is the domain wrong?
>
> er yes, oops. as Jeffery pointed out it should have been
> phpsec.org. had a brainfreeze sorry.
OK, trying to do a function to remove magic quotes fr
On Thu, 2005-02-10 at 13:28 +0100, Jochem Maas wrote:
> Ben Edwards (lists) wrote:
> > Am I correct in thinking Magic Quotes automatically adds quotes to all
> > posted variables, therefore if you are displaying post variables on a
> > form you have to remove the quotes. They are only needed if yo
Jochem Maas wrote:
Ben Edwards (lists) wrote:
Am I correct in thinking Magic Quotes automatically adds quotes to all
posted variables, therefore if you are displaying post variables on a
form you have to remove the quotes. They are only needed if you are
actually inserting/updating into the databa
Ben Edwards (lists) wrote:
Am I correct in thinking Magic Quotes automatically adds quotes to all
posted variables, therefore if you are displaying post variables on a
form you have to remove the quotes. They are only needed if you are
actually inserting/updating into the database. Whether magic
On Wed, 26 Jan 2005 13:07:34 -0800 (PST), Richard Lynch <[EMAIL PROTECTED]>
wrote:
> Ben Edwards wrote:
> > On Tue, 25 Jan 2005 17:02:21 -0800, Chris <[EMAIL PROTECTED]>
> > wrote:
> >> You should probably use get_magic_quotes_runtime() , as _gpc only
> >> applies to GET/POST/COOKIE,
> >>
> >> htm
Ben Edwards wrote:
> On Tue, 25 Jan 2005 17:02:21 -0800, Chris <[EMAIL PROTECTED]>
> wrote:
>> You should probably use get_magic_quotes_runtime() , as _gpc only
>> applies to GET/POST/COOKIE,
>>
>> htmlspecialchars is needed so the HTML can be parsed properly:
>
> So this is this only done to stuf
> -Original Message-
> From: Ben Edwards [mailto:[EMAIL PROTECTED]
> Sent: 26 January 2005 10:15
>
> On Tue, 25 Jan 2005 17:02:21 -0800, Chris
> <[EMAIL PROTECTED]> wrote:
On Tue, 25 Jan 2005 17:02:21 -0800, Chris <[EMAIL PROTECTED]> wrote:
> You should probably use get_magic_quotes_runtime() , as _gpc only
> applies to GET/POST/COOKIE,
>
> htmlspecialchars is needed so the HTML can be parsed properly:
So this is this only done to stuff that is to be displayed on
You should probably use get_magic_quotes_runtime() , as _gpc only
applies to GET/POST/COOKIE,
htmlspecialchars is needed so the HTML can be parsed properly:
if the value in the text box was something like:
"> Hello World!
when you go to put in the value attribute it would end up:
Hello World!"
PS. How does htmlspecialchars fit into this. The unprep function is
to prepare date coming from the database to be used in http://www.gurtlush.org.uk/profiles.php?uid=4
(email address this email is sent from may be defunct)
Ben Edwards wrote:
> OK. This is really confusing me.
>
> I am using the following function to handle this:
>
> function prep( &$text ) {
> echo get_magic_quotes_gpc()." ";
> if (get_magic_quotes_gpc()) {
> echo "mq on for $text";
> return $text;
> } else {
> echo "mq off";
> ret
OK. This is really confusing me.
I am using the following function to handle this:
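function prep( &$text ) {
    // Debug output: show whether magic_quotes_gpc is enabled
    echo get_magic_quotes_gpc()." ";
    if (get_magic_quotes_gpc()) {
        // Input has already been escaped by PHP; return it unchanged
        echo "mq on for $text";
        return $text;
    } else {
        // Input has not been escaped yet; escape it here
        echo "mq off";
        return addslashes($text);
    }
}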
I'm not quite sure I understand you...
The theory behind that function looks sound, but are you meaning to
return the value or pass it by reference and modify it?
Chris
Ben Edwards wrote:
OK. This is really confusing me.
I am using the following function to handle this:
function prep( &$text ) {
Ben Edwards wrote:
> In the php manual it states
>
> ' Keep in mind that the setting magic_quotes_gpc will not work at
> runtime.'
>
> What does this actually mean?
Translation:
If you try to use ini_set to change magic_quotes_gpc in your .php script,
here's what happens:
Step 1: Apache/PHP set
It means that you can't set that setting inside a script with ini_set.
Since the earliest opportunity to set it in a script would be after it
would have already done its job, it won't work.
You must set it before the script runs.
Chris
Ben Edwards wrote:
In the php manual it states
' Keep in m
Shaun wrote:
> function db_query($query) {
> if(!magic_quotes_gpc()){
> $qid = mysql_query(addslashes($query));
> } else {
> $qid = mysql_query($query);
> }
> return $qid;
> }
>
> But this adds too many slashes! Has anyone come to a better solution
> regarding this?
I believe you
Jeff McKeon wrote:
> So now the big question which will undoubtedly spark a lot of opinions (I
> hope).
>
> We use apache/php/mysql based sites for internal management of our
> systems and would now like to give our customers direct access to manage
> their accounts via the web. Naturally this raise
Shaun wrote:
> function db_query($query) {
> if(!magic_quotes_gpc()){
> $qid = mysql_query(addslashes($query));
> } else {
> $qid = mysql_query($query);
> }
> return $qid;
> }
>
> But this adds too many slashes! Has anyone come to a better solution
> regarding this?
Can you give us
Try
$string = mysql_real_escape_string($string);
On 7 Dec 2004, at 14:12, Shaun wrote:
Hi,
I have been investigating the problem of apostrophes in a mysql insert /
update. I use a db_query function for all my queries:
function db_query($query) {
$qid = mysql_query($query);
return $qid;
}
It app
On Mon, 2004-12-06 at 16:22, Jeff McKeon wrote:
> So now the big question which will undoubtedly spark a lot of opinions (I
> hope).
>
> We use apache/php/mysql based sites for internal management of our
> systems and would now like to give our customers direct access to manage
> their accounts via
So now the big question which will undoubtedly spark a lot of opinions (I
hope).
We use apache/php/mysql based sites for internal management of our
systems and would now like to give our customers direct access to manage
their accounts via the web. Naturally this raises security concerns.
From th
>> The thing that always kills me is when programmers call stripslashes on
>> data that comes *OUT* of MySQL. No, no, no, no. Whatever it is you
>> did,
>> or think you are doing, or think you are fixing, that's WRONG.
>>
>> Maybe you called addslashes twice, once with Magic Quotes, and once "by
* Richard Lynch <[EMAIL PROTECTED]>:
> Jeff McKeon wrote:
> > Does having magic-quotes=on prevent an attacker from using a urlized sql
> > inject query?
>
> Not likely.
>
> Magic Quotes is a convenience feature, not a security feature.
>
> Magic Quotes is oft-understood, even by journeymen PHP prog
On Mon, 2004-12-06 at 13:47, Jeff McKeon wrote:
> Assuming I have no portability needs and have magic_quotes=on, can you
> elaborate on "somewhat?"
Somewhat... till someone comes along and changes your php.ini, or you
transfer your code to another server and forget to enable magic quotes.
At whic
Jeff McKeon wrote:
> Does having magic-quotes=on prevent an attacker from using a urlized sql
> inject query?
Not likely.
Magic Quotes is a convenience feature, not a security feature.
Magic Quotes is oft-understood, even by journeymen PHP programmers.
Magic Quotes takes all incoming POST/GET d
> -Original Message-
> From: Robert Cummings [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 06, 2004 1:45 PM
> To: Jeff McKeon
> Cc: PHP-General
> Subject: Re: [PHP] Magic-quotes
>
>
> On Mon, 2004-12-06 at 12:57, Jeff McKeon wrote:
> > Does
On Mon, 2004-12-06 at 12:57, Jeff McKeon wrote:
> Does having magic-quotes=on prevent an attacker from using a urlized sql
> inject query?
Somewhat, but I think magic_quotes=off is the preferred style since
magic quotes are a big headache for portability. At any rate,
understanding what you are do
[EMAIL PROTECTED] wrote:
I've continued plowing my way thru the 2nd edition
of PHP and MySQL Web Development by Welling and
Thomson. I've made it to chapter 24, where I've just
read that for this chapter's project I "will need to
have switched on magic quotes" or use addslashes()
and stripslashes(
Hello,
This is a reply to an e-mail that you wrote on Tue, 22 Jul 2003 at
20:53, lines prefixed by '>' were originally written by you.
> I just found, that one server pulls the data out of the db and
leaves
> the
> slashes inside the text, while the other one does not.
> both of the phpinfo look s
I just found, that one server pulls the data out of the db and leaves the
slashes inside the text, while the other one does not.
both of the phpinfo look same to me. However I might have overlooked
something.
I do use addslashes to escape the characters.
Any suggestions?
"Chris Shiflett" <[EMA
--- Merlin <[EMAIL PROTECTED]> wrote:
> As I learned from php.ini magic quotes are turned off on both systems.
As a first step, make sure the output of phpinfo() agrees with your analysis.
Chris
=
Become a better Web developer with the HTTP Developer's Handbook
http://httphandbook.org/
--
Hello,
This is a reply to an e-mail that you wrote on Tue, 22 Jul 2003 at
20:36, lines prefixed by '>' were originally written by you.
> Hello,
> I am running a test server and a live system. both do have the
same
> php
> version running.
> The test system however does not report a db error if I t
Ford, Mike [LSS] wrote:
-Original Message-
From: Chris Hewitt [mailto:[EMAIL PROTECTED]
Sent: 03 April 2003 09:26
To: Justin French
[snip]
What I have done is to do the addslashes/stripslashes assuming
magic_quotes_runtime is off then force it off within my code
beforehand
with:
> -Original Message-
> From: Chris Hewitt [mailto:[EMAIL PROTECTED]
> Sent: 03 April 2003 09:26
> To: Justin French
[snip]
>
> What I have done is to do the addslashes/stripslashes assuming
> magic_quotes_runtime is off then force it off within my code
> beforehand
> with:
>
>
> So,
>
> 1. turn ON runtime and gpc
No, leave them off if your code runs fine without them. You'll save
resources if you do the addslashes() yourself to only the fields that
need it instead of everything. I see no reason at all to ever have
runtime ON. It will escape data coming _from_ the datab
Hi Philip,
Thanks for taking the time...
$me = "confused";
...but rather than attempting to get a grip on the past, I need a solution
for the future :)
So,
1. turn ON runtime and gpc
2. only addslashes() when inserting into the database IF
get_magic_quotes_runtime() is 0 (false)
3. only str
Justin French wrote:
Hi all,
Can I just have a quick head check on magic quotes runtime (&gpc)?
I have them both set to Off currently, and my pages work fine. However,
when I set them to on, I end up with slashes throughout the mysql data.
Is this the expected behaviour? Seems counter-intuitiv
That's exactly what magic_quotes_runtime does. It adds slashes to data
at runtime - including data returned from functions such as
mysql_fetch_(assoc/row/array/object).
Justin French wrote:
Hi all,
Can I just have a quick head check on magic quotes runtime (&gpc)?
I have them both set to O
On Thu, 3 Apr 2003, Justin French wrote:
> Hi all,
>
> Can I just have a quick head check on magic quotes runtime (&gpc)?
>
> I have them both set to Off currently, and my pages work fine. However,
> when I set them to on, I end up with slashes throughout the mysql data.
This means you essenti
magic_quotes_gpc is simple, it essentially runs
addslashes on all GET, POST and COOKIE data.
That's it.
http://www.php.net/ref.info#ini.magic-quotes-gpc
http://www.php.net/addslashes
http://www.php.net/variables.external
Not sure about your problem, maybe someone else can
help.
Regards,
Hi,
Thursday, December 5, 2002, 3:39:20 AM, you wrote:
JTJ> What are magic quotes? Will this help me?
JTJ> http://news.php.net/article.php?group=php.general&article=126934
JTJ> How is this different from stripslashes.
JTJ> I have RTF doc :)
JTJ> http://www.php.net/manual/en/function.get-magic-
On Thursday 14 November 2002 03:06, Paul Kaiser wrote:
> Greetings,
>
> Is there a performance penalty for having
>
> magic_quotes_runtime
>
> turned on all the time?
According to the notes in php.ini, magic_quotes_gpc is now disabled by default
because of performance reasons. So I suppose the sa
Richard,
It's the same record every time that shows the different behavior. The code
is extremely straightforward, just retrieve the record and display it. And,
I've got other scripts on the same host that also display this behavior
intermittently.
MagicQuotes is turned on. And, it typically DOE
Unless I'm even more confused than usual about something I've long believed
to be true...
MagicQuotes does not ever strip slashes.
MagicQuotes does an addslashes before the data gets into the database.
Are you viewing the same record all the time, or is it possible that one of
your records has
83 matches