Our site is using PHP Version 5.2.14
Lately our hoster probably changed the magic-quotes definition, and I came up with the suggested solution [code below].
- Is this solution OK for PHP Version 5.2.14?
- What should I change when we upgrade to PHP version 6?
// Code:
// Returns $s with quotes backslash-escaped exactly once: if magic quotes
// already escaped the GPC input, leave it alone; otherwise addslashes() it.
function fHandleQuotes($s) {
    if (get_magic_quotes_gpc())
        return $s;
    return addslashes($s);
}
. . .
// Usage:
. . .
$query = "UPDATE myTable SET myField = '" . fHandleQuotes($_POST['fieldName']) . "'";
. . .
In PHP 6 magic_quotes will be removed!
Now you can use this function.
// Strip the slashes magic quotes added, recursing into nested arrays
// (stripslashes() on an array only raises a warning and returns NULL).
function stripMagicQuotes($v) {
    return is_array($v) ? array_map('stripMagicQuotes', $v) : stripslashes($v);
}
if ((function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc()) || ini_get('magic_quotes_sybase')) {
    $_GET    = stripMagicQuotes($_GET);
    $_POST   = stripMagicQuotes($_POST);
    $_COOKIE = stripMagicQuotes($_COOKIE);
}
Read this on why you shouldn't use magic quotes:
http://php.net/manual/en/security.magicquotes.disabling.php
Use one of the examples on that page and replace stripslashes with addslashes.

But yes, your solution probably works. Though it would be faster and less intrusive to just use $_GET = array_map("addslashes", $_GET); once at startup. Even better would be to use mysql_real_escape_string instead of addslashes thereon. (But your database connection must already be established for this to work.)

Also I'd like to spamrecommend you this: http://sourceforge.net/p/php7framework/wiki/input/ - because it allows you to progressively rewrite your application to use $_GET->q["fieldName"] for (not so secure) magic quoted fields, or simply $_POST->sql["fieldName"] for (more secure) encoded fields. You can even use $_REQUEST->sql->always() to enable the filter per default for all normal $_REQUEST["fieldName"] accesses. Though that might be overkill for some applications.
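The following is an added example, not code from the question or from either answer. It carries the direction both answers point in to its end: undo magic quotes once at startup (only relevant on PHP 5.2/5.3; magic_quotes_gpc was removed in PHP 5.4, since the "PHP 6" branch never shipped), then hand the value to MySQL as a bound parameter of a prepared statement instead of quoting it into the SQL text with addslashes() or mysql_real_escape_string(). The table and column names (myTable, myField) are taken from the question; the id column, the DSN, the credentials and the function names are assumptions for illustration.

```php
<?php
// Added example (not from the question or answers). Assumes an "id" primary
// key on myTable; DSN and credentials below are placeholders.

// 1. Undo magic quotes for all GPC input, recursively, so nested arrays
//    (e.g. <input name="f[]">) are handled too; stripslashes() on an array
//    only warns and returns NULL. Run once, before any input is read.
//    On PHP >= 5.4 get_magic_quotes_gpc() always returns false.
function undoMagicQuotes($value) {
    if (is_array($value)) {
        return array_map('undoMagicQuotes', $value);
    }
    return stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = undoMagicQuotes($_GET);
    $_POST    = undoMagicQuotes($_POST);
    $_COOKIE  = undoMagicQuotes($_COOKIE);
    $_REQUEST = undoMagicQuotes($_REQUEST);
}

// 2. Use a prepared statement. The value never becomes part of the SQL
//    text, so no escaping function is needed at all, and the same code runs
//    unchanged on PHP 5.2, 5.3 and 5.4+. Returns the number of rows updated.
function updateField(PDO $db, $id, $value) {
    $stmt = $db->prepare('UPDATE myTable SET myField = :value WHERE id = :id');
    $stmt->bindValue(':value', $value, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Connection: placeholder host/db/user/password. Turning emulated prepares
// off makes the MySQL server do the binding (native prepared statements), so
// a connection charset mismatch cannot turn a bound value back into SQL.
// The charset= DSN option is honoured from PHP 5.3.6; on 5.2 issue
// SET NAMES instead (shown here so the block works on either version).
$db = new PDO('mysql:host=localhost;dbname=mydb;charset=utf8', 'user', 'secret');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('SET NAMES utf8');

// The question's usage line, rewritten. A value such as  O'Reilly  or
//  x'; DROP TABLE myTable; --  is stored literally; it cannot alter the query.
$rows = updateField($db, $_POST['id'], $_POST['fieldName']);
```

With this in place fHandleQuotes() and the addslashes/array_map startup trick become unnecessary: the only place magic quotes still matter is the one-time undoMagicQuotes() pass, and that pass becomes a no-op after the upgrade because get_magic_quotes_gpc() then always returns false. If some queries cannot be moved to prepared statements yet, the answer above still applies: escape with the connection-aware function (mysql_real_escape_string, or PDO::quote()) at the point of use, not with addslashes() at input time.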