
magic quotes

Status
Not open for further replies.

yebaws

Technical User
Mar 22, 2007
42
GB
Hello,

I am getting a lot of added backslashes in data that has been inserted and then modified and called from a database. When sending to the database I have been using mysql_real_escape_string. As I understand it, when I use this, backslashes will be inserted in front of quotes etc before the query is sent to the database, but these backslashes will then be removed and not stored in the database. So that when I call the data again I should get no backslashes and not need to use stripslashes. I'm guessing that the slashes mean that my php installation must have magic quotes turned on (I can see that there *are* backslashes in the db).

1. Other than asking my ISP (which takes a looooong time) is there a quick way to tell if magic quotes is turned on?
2. And if it is turned on, can I safely dispense with mysql_real_escape_string to get rid of my backslashes?
 
Create a page that just has the following in it:

Code:
<?PHP
phpinfo();
?>

Upload it to your website, and run it.

It should tell you all you need to know about the PHP installation, including whether or not magic quotes is turned on.

For any further assistance with PHP, post in forum434.

----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.
 
? Use phpinfo() ?

If you want the best response to a question, please check out FAQ222-2244 first.
'If we're supposed to work in Hex, why have we only got A fingers?'
Drive a Steam Roller
 
Yes, mysql_real_escape_string is a PHP function to escape strings before using them in a query. It's a MySQL-related function but is used from PHP.

magic_quotes is also a PHP setting.

Hence using PHP info will generate the information needed by the OP.

 
thanks,

the result shows the "local" magic_quotes_gpc is on, "master" is off. So basically it is on for my site...

so back to my original questions: can I now safely dispense with mysql_real_escape_string to get rid of my backslashes?
 
No, as per the Note in the PHP online manual:

Note: If magic_quotes_gpc is enabled, first apply stripslashes() to the data.
So run your data through stripslashes before running it through mysql_real_escape_string.

mysql_real_escape_string should always be used on data that is to be used in a query to avoid SQL injections and other attacks on the DB.

 
yebaws said:
can I now safely dispense with mysql_real_escape_string to get rid of my backslashes?
I wouldn't recommend that either. For one thing, it makes your code fragile, as a simple change in configuration can completely break everything. For another, magic quotes will be deprecated in PHP 5.3 and removed from PHP 6.0, so it would be better to future-proof your code by not relying on them.

The best solution would be to just turn magic quotes off. You can do this yourself in a .htaccess file, if your host allows that, or just have the hosting company do it. And if you can't get them turned off, I would just account for them in your data access layer, i.e. have it run stripslashes() if magic quotes are on.
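
The double escaping behind the stray backslashes, and the stripslashes() step suggested above for the data access layer, as an added example that is not part of the thread. The function names and the sample value are hypothetical, and the database round trip is simulated so the script runs without a MySQL connection.

```php
<?php
// Added example (not from the thread). Runs on any PHP version: addslashes()
// stands in for magic_quotes_gpc and for mysql_real_escape_string(), and
// stripslashes() for MySQL parsing the quoted literal. For the constructed
// input below they treat the quote and backslash the same way.

// Recursively undo magic_quotes_gpc on a value or a nested request array.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// The setting only exists on old PHP; the function was removed in PHP 8.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Call once at the top of the request, before anything reads input.
function normalize_request()
{
    if (magic_quotes_active()) {
        $_GET    = undo_magic_quotes($_GET);
        $_POST   = undo_magic_quotes($_POST);
        $_COOKIE = undo_magic_quotes($_COOKIE);
    }
}

// Simulation: what lands in the column for a value the user typed.
function simulate_store($typed, $magicQuotesOn, $stripFirst)
{
    $received = $magicQuotesOn ? addslashes($typed) : $typed;
    if ($magicQuotesOn && $stripFirst) {
        $received = undo_magic_quotes($received);
    }
    $inQuery = addslashes($received);  // escaping applied when building the query
    return stripslashes($inQuery);     // the server removes one level of escaping
}

$typed = "O'Reilly"; // constructed sample input
var_dump(simulate_store($typed, true, false));  // escaped twice: a backslash is stored
var_dump(simulate_store($typed, true, true));   // stripslashes() first: stored as typed
var_dump(simulate_store($typed, false, false)); // magic quotes off: stored as typed
```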
 
thanks - just turning off magic quotes is definitely the simplest way to go...
 