mysql_real_escape vs. stripslashes vs. get_magic

Okay,
I’m going to risk verbal lashings, and go ahead and ask the following question. I have a problem with over-analyzing sometimes, and my brain hurts.

get_magic_quotes_gpc()
I understand that this was created for ease-of-use for safe db entry. I also understand that it escapes certain characters (quotes and such) in order to not affect the SQL syntax.

stripslashes
I understand that this undoes what get_magic_quotes_gpc() may impose upon a $_POST value.

mysql_real_escape_string
Is this like “the real slim shady”, where once you’ve added a “function strip_quotes()”, you can then safely control what you enter into a db?

Would it, therefore, be safe to assume that this is correct:
[php]
// Recursively undo addslashes() on a value, or on every value of a nested array
function stripslashes_deep($value) {
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}

// Set up function to stand by if magic quotes is on
// (stripslashes_deep is declared at top level so that calling this twice
// does not try to redeclare it)
function noQuotes() {
    if (get_magic_quotes_gpc()) {
        $_POST   = array_map('stripslashes_deep', $_POST);
        $_GET    = array_map('stripslashes_deep', $_GET);
        $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
    }
}

// Normalize all input if magic_quotes is on
if (function_exists('noQuotes')) {
    noQuotes();
}

// When the time comes, add slashes where necessary
$name  = mysql_real_escape_string($_POST['name']);
$email = mysql_real_escape_string($_POST['email']);
[/php]
So, my question is, is the above a safe assumption? Or am I missing something? My understanding is that strip_slashes corrects a universal blip, and that mysql_real_escape is a self-controlled version…

[tt]get_magic_quotes_gpc()[/tt] effectively runs [tt]addslashes()[/tt] on those super global arrays (GET, POST, COOKIE, and FILES).

[tt]stripslashes()[/tt] effectively undoes what [tt]addslashes()[/tt] does; so it undoes what “magic quotes” does.

[tt]mysql_real_escape_string()[/tt] kind of does what addslashes does, but specifically for the MySQL server. You should call this function when adding a string value to an SQL statement:

[php]
$sql = "SELECT id FROM users
        WHERE login_name = '" . mysql_real_escape_string($_POST['loginName']) . "'";
[/php]

You should not use mysql_real_escape_string() on data when you are going to send it to the browser (use htmlspecialchars() for that). For this reason, I recommend not carrying the escaped value around in a variable. Instead, only escape it when putting it into an SQL statement.

Note: You do not stripslashes when you read it from the database (unless magic_quotes_runtime is on). The slashes are added by mysql_real_escape_string for the database parser, and are effectively removed when the data is put into the database.

Note: the KEYS to those arrays are also “magic quoted”. However, as long as you do not use any of the special characters in form field names and cookie names and such, this should not be an issue (just something to be aware of).
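The flow described in the answer above, as an added example that is not code from this thread: it undoes the magic quoting on keys as well as values (the point made in the last note) and escapes the raw value only at the moment it is written into SQL or into HTML. It assumes a current PHP, where magic_quotes_gpc and mysql_real_escape_string have been removed, so the magic quoting is simulated with addslashes and the SQL escaping uses mysqli_real_escape_string on a hypothetical open connection $db.

```php
<?php
// Added example, not code from the thread. Assumes a PHP version without
// magic_quotes_gpc / mysql_real_escape_string, so "magic quoting" is simulated
// with addslashes and the mysqli escaper stands in for the removed one.

// Apply addslashes recursively to keys and values, mimicking magic_quotes_gpc.
function addslashes_deep(array $data): array {
    $out = [];
    foreach ($data as $key => $value) {
        $out[addslashes((string) $key)] = is_array($value) ? addslashes_deep($value) : addslashes($value);
    }
    return $out;
}

// Undo it. Unlike the version posted above, keys are un-quoted as well.
function stripslashes_deep(array $data): array {
    $out = [];
    foreach ($data as $key => $value) {
        $out[stripslashes((string) $key)] = is_array($value) ? stripslashes_deep($value) : stripslashes($value);
    }
    return $out;
}

// SQL context: escape the raw value only while building the statement.
// $db is a hypothetical open mysqli connection; the function is declared but
// not called here because no server is available offline.
function findUserSql(mysqli $db, string $loginName): string {
    return "SELECT id FROM users WHERE login_name = '"
        . mysqli_real_escape_string($db, $loginName) . "'";
}

// HTML context: the same raw value gets htmlspecialchars, never the SQL-escaped copy.
function greeting(string $name): string {
    return 'Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Constructed request data standing in for $_POST, with a quote inside a key.
$raw        = ["user's name" => "O'Brien", 'tags' => ['say "hi"', 'back\\slash']];
$request    = addslashes_deep($raw);         // what magic quotes would have delivered
$normalized = stripslashes_deep($request);   // what the application should work with

if ($normalized !== $raw) {
    throw new RuntimeException('stripslashes_deep did not restore the original input');
}
echo 'Key as received under magic quotes: ', key($request), PHP_EOL;
echo greeting($normalized["user's name"]), PHP_EOL;
```

Prepared statements (mysqli or PDO with bound parameters) remove the need for the SQL escaping step altogether, while the HTML escaping at output time still applies.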

THANKS! That was helpful. On top of my own questions, you run across so many variations in a forum, it can be hard to remember what’s pertinent.
