There are several ways to sanitize form input for database entry. PHP has its magic_quotes_gpc option that, when on, effectively performs addslashes() on GET, POST, and COOKIE data. That is, single and double quotes, backslashes, and NULLs are automatically escaped with backslashes. magic_quotes_gpc is on by default, so be careful not to call addslashes() on that data as well, or you'll get doubled backslashes on everything. A good way of checking whether or not magic_quotes_gpc is on is get_magic_quotes_gpc().
magic_quotes_runtime is another variable that, when on, ensures that most functions that return data from external sources, including databases and text files, will have quotes escaped with a backslash. These functions include MSSQL and MySQLi functions, but not MySQL.
The third magic_quotes variable is magic_quotes_sybase. It works together with magic_quotes_gpc and magic_quotes_runtime: when on, a single quote is escaped with another single quote instead of a backslash, but only if magic_quotes_gpc or magic_quotes_runtime is enabled.
Now, after telling you all this, I'll say very clearly: do not use magic_quotes. The methodology behind them is broken, and PHP has reflected this by deprecating them for PHP 6. There is no point in escaping input, especially by default, when the data's eventual target isn't known.
The better way to handle input is to use the correct function for wherever you want to use the data: mysql_real_escape_string() for MySQL input, urlencode() if you mean to use the data in a URL, htmlentities() if it'll be output on an HTML page, and so on. And remember to check whether magic_quotes_gpc was on and to stripslashes() if it was. This returns the data to exactly what the user typed, so it remains potentially dangerous until it is handled in the appropriate way for its target.
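As an added example (not the post's own code), here is that approach in one script for PHP 5.3 or earlier, where magic_quotes_gpc still exists: undo the automatic escaping once, up front, then escape each use of the value for its specific target. The connection credentials, the field name and the sample value are placeholders.

```php
<?php
// Undo magic_quotes_gpc recursively so the data is exactly what the user typed.
function strip_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

if (get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
}

// One raw value, escaped differently for each place it ends up.
function for_mysql($raw, $link) {
    // Needs an open connection so the server's character set is honoured;
    // returns false (not an escaped string) if the connection is missing.
    return mysql_real_escape_string($raw, $link);
}
function for_html($raw) {
    // ENT_QUOTES so both ' and " are converted, not just <, >, &.
    return htmlentities($raw, ENT_QUOTES, 'UTF-8');
}
function for_url($raw) {
    return urlencode($raw);
}

// Constructed sample standing in for a submitted form field.
$name = isset($_POST['name']) ? $_POST['name'] : "O'Reilly <b>&</b>";

$link = mysql_connect('localhost', 'db_user', 'db_pass'); // placeholder credentials
if ($link === false) {
    die('database connection failed');
}
$sql = "SELECT id FROM users WHERE name = '" . for_mysql($name, $link) . "'";
$result = mysql_query($sql, $link);

echo '<p>Hello, ' . for_html($name) . '</p>';
echo '<a href="/profile.php?name=' . for_url($name) . '">profile</a>';
```

The raw $name is never placed in a query, page or URL directly; each sink gets its own escaped copy, so the same value is safe in all three contexts.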