Thread: Code Safe?

  1. #1
    SitePoint Zealot
    Join Date
    Mar 2007
    Posts
    196

    Code Safe?

    I use the following which I have seen in tutorials across the web but I have heard it is not real safe:
    PHP Code:
        /*
         * Add Magic Quotes Function
         */
        function add_magic_quotes($Array) {
            foreach ($Array as $K => $V) {
                if (is_array($V)) {
                    // Recurse into nested arrays (e.g. form fields named foo[])
                    $Array[$K] = add_magic_quotes($V);
                }
                else {
                    $Array[$K] = addslashes($V);
                }
            }
            return $Array;
        }

        // Only add slashes when PHP has not already done so
        if (!get_magic_quotes_gpc()) {
            $_GET = add_magic_quotes($_GET);
            $_POST = add_magic_quotes($_POST);
            $_COOKIE = add_magic_quotes($_COOKIE);
        }
    I would like input from everyone about how safe/unsafe this is. If you feel it is unsafe then what would you recommend instead?

    Thanks in advance,
    Matt
    Kayzio - We don't hesitate, we accelerate.

  2. #2
    SitePoint Wizard cranial-bore
    Join Date
    Jan 2002
    Location
    Australia
    Posts
    2,634
    Not so much unsafe as pointless. The problem with magic quotes is not that they are sometimes turned off but they are sometimes turned on.

    I much prefer to get GPC data that hasn't been fiddled with and escape when and if it gets used in SQL. It's common for DB abstraction layers to handle this automatically.

    There are other security vulnerabilities such as XSS that one may forget if they assume magic quotes or equivalent will take care of everything.

    And that's not to mention the performance overhead of adding slashes in PHP to all GPC values whether they are needed or not.

    addslashes also offers less protection than mysql_real_escape_string for example.
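
The approach post #2 describes (leave GPC data untouched, let the database layer handle SQL, escape separately for HTML output), shown as an added example that is not part of the thread. It assumes PHP with the pdo_sqlite extension; the table, the helper names `save_comment` and `h`, and the sample input are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension.

// Constructed sample standing in for raw $_POST data (no slashes added).
$input = ['name' => "O'Reilly", 'comment' => '<script>alert(1)</script>'];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, label TEXT, name TEXT, comment TEXT)');

// SQL context: values are bound as parameters, so the quote in O'Reilly
// never becomes part of the query text and needs no manual escaping.
function save_comment(PDO $db, string $label, array $row): void
{
    $stmt = $db->prepare(
        'INSERT INTO comments (label, name, comment) VALUES (:label, :name, :comment)'
    );
    $stmt->execute([
        ':label'   => $label,
        ':name'    => $row['name'],
        ':comment' => $row['comment'],
    ]);
}

// HTML context: a different escaping rule, applied at output time.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Row 1: raw input, escaped only where it is used.
save_comment($db, 'raw input', $input);

// Row 2: the same input after the blanket addslashes() pass from post #1.
save_comment($db, 'blanket addslashes', array_map('addslashes', $input));

foreach ($db->query('SELECT label, name, comment FROM comments ORDER BY id') as $r) {
    printf("%s\n  stored name : %s\n  html output : %s\n",
        $r['label'], $r['name'], h($r['comment']));
}

// addslashes() leaves markup untouched, so it does nothing for the HTML context.
var_dump(addslashes($input['comment']) === $input['comment']);
```

The second row is stored as `O\'Reilly`, showing how blanket slashing corrupts data once the database layer does its own handling, while the `<script>` comment is only neutralised by `h()` at output.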

  3. #3
    SitePoint Zealot
    Join Date
    Mar 2007
    Posts
    196
    thanks for the info
    Kayzio - We don't hesitate, we accelerate.

