  1. #1
    SitePoint Enthusiast (Join Date: Jun 2003, Location: Spain, Posts: 65)

    Question: get_magic_quotes_gpc and stripslashes functions

    I'm relatively new to PHP and I'm looking at implementing a login script. I've got most of it understood, however these functions confuse me.

    I'm going through two different scripts to get an idea how they work, and they both use get_magic_quotes_gpc and stripslashes.

    The scripts are at http://evolt.org/article/rdf/17/60265/index.html and http://www.free2code.net/tutorials/p...4/phplogin.php

    I don't understand the reasoning for their use. Is it security, or just to ensure that no script is broken when a user's values contain " or ', or is it because some fields are md5 encrypted?

    The part of the code in question is:
    PHP Code:
    // remember, $_SESSION['password'] will be encrypted.
    if (!get_magic_quotes_gpc()) {
        // addslashes to session username before using in a query.
        $_SESSION['username'] = addslashes($_SESSION['username']);
    }

    $pass = $db_object->query("SELECT password FROM users WHERE username = '" . $_SESSION['username'] . "'");

    if (DB::isError($pass)) {
        $logged_in = 0;
        // kill incorrect session variables.
        unset($_SESSION['username']);
        unset($_SESSION['password']);
    }

    $db_pass = $pass->fetchRow();

    // now we have encrypted pass from DB in
    // $db_pass['password'], stripslashes() just in case:
    $db_pass['password'] = stripslashes($db_pass['password']);
    $_SESSION['password'] = stripslashes($_SESSION['password']);
    I've had a look at the PHP manual; it's good at telling me what they do, but not how they are best used and why.

    Thanks for any help.

  2. #2
    SitePoint Zealot mdavis1982 (Join Date: Mar 2004, Location: Stoke-on-Trent, Posts: 109)
    Hi...

    You should always check your user's entries with get_magic_quotes_gpc() for your own security. By using this, you prevent your site from suffering from SQL Injection Attacks...

    Trust me, it's always a good idea to use get_magic_quotes_gpc() rather than assuming it's on or off in the php.ini file that your hosting company provide you with!

    Hope this helps?!

    Cheers,

    Matt

  3. #3
    SitePoint Enthusiast (Join Date: Jun 2003, Location: Spain, Posts: 65)
    Thanks for your reply.

    I've just read the Pink Goblin article, which has gone some way to explain the problem.

    Say I turned it off via .htaccess; would that then mean I just use addslashes on any user input into MySQL, and that would be enough?
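
An added example (not code from this thread or from the linked scripts) that separates the two jobs the quoted script mixes together: undo magic quotes once on the raw request so the application sees the user's actual input, and then pass the username to the query as a bound parameter instead of escaping it with addslashes(). It assumes a PDO connection to MySQL and a users table with username and password columns, the password column holding a password_hash() value; the DSN and credentials are placeholders.

```php
<?php
// Added example, not the thread's or the linked scripts' own code.
// Assumes: PDO with the MySQL driver, a `users` table with `username`
// and `password` (password_hash() output) columns; DSN/credentials are
// placeholders to replace.

// Undo magic_quotes_gpc on request data so the rest of the application
// works with the user's real input. get_magic_quotes_gpc() was removed
// in PHP 8, so the call is guarded with function_exists().
function normalise_request_input(array $data): array
{
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return $data; // nothing was added by PHP, leave the data alone
    }
    $clean = [];
    foreach ($data as $key => $value) {
        $clean[$key] = is_array($value)
            ? normalise_request_input($value)
            : stripslashes($value);
    }
    return $clean;
}

// Fetch the stored password hash for a username. The value is bound as a
// parameter, so a quote character in it is data, never part of the SQL;
// no addslashes()/stripslashes() dance is needed around the query.
function fetch_password_hash(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['password'];
}

// Constructed usage with placeholder connection details.
$input = normalise_request_input($_POST);
$db = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'placeholder-password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);
$hash = fetch_password_hash($db, $input['username'] ?? '');
// Compare against the stored hash; the plaintext is never stored in the session.
$logged_in = ($hash !== null && password_verify($input['password'] ?? '', $hash)) ? 1 : 0;
```

With magic quotes off (or on PHP 8, where they no longer exist), normalise_request_input() is a no-op and the bound parameter alone keeps quotes in the username from altering the statement.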

