I hear many people talking about using getmagicquotes when working with entering text to a field for uploading to the database. I understand how it can break the sql code but for my 1st cms i simpliy put addslashes on the varialbe and it works.
$song_title = addslashes($_POST[‘song’]);
will this ever fail me and if so where? is it to do with different types of servers which are being run?
The problem is that with PHP 5.3, magic quotes are deprecated, and they will be removed completely with version 6.0. So your code needs to either check whether they are being used and do something about it, or preferably, to completely disable magic quotes at the server so that you don’t need to do anything special relating to them.
There are several security reasons why addslashes was replaced with mysql_escape_string, and then further with mysql_real_escape_string.
addslashes fails when it comes to escaping multi-byte characters. How?
Using ¿’ in the submitted data causes addslashes to turn it in to ¿\’
That’s as expected.
What is not expected is that ¿\ is 0x5CBF which PHP see as a single character and boom goes your security because the single quote got through.
addslashes worked because the data you entered was pretty straight forward. In practice there is no need to consider it over mysql_real_escape_string (meaning forget addslashes, use mres)
I also noticed that you’re not doing anything with $_POST[‘cid’] and price, add.
You cannot assume that because a value came from a <select> or radio, or checkbox that it’s value is safe. $_POST can contain any value the user wants, so they all need to be validated.
Typecast to int or float for those types of values
$price = (float)$_POST['price'];
When there is a predefined set of options, make sure the submitted value is one: