magic-quotes

Our site is using PHP Version 5.2.14 Lately our hoster probably changed magic-quote defenition, and I came up with the suggested solution [code bellow] Is this solution OK for PHP Version 5.2.14 ? What should I change when we upgrade to PHP version 6 ? // Code: function fHandleQuotes($s) { if (get_magic_quotes_gpc()) return ($s); return (addslashes($s)); } . . . // Usage: . . . $query = "UPDATE myTable SET myField = '" . fHandleQuotes($_POST['fieldName']) . "'"; . . . In PHP 6 magic_quotes will be removed! Now you can use this function. if( ( function_exists("get_magic_quotes_gpc") && get

One thing that's always confused me is input escaping and whether or not you're protected from attacks like SQL injection. Say I have a form which sends data using HTTP POST to a PHP file. I type the following in an input field and submit the form: "Hello", said Jimmy O'Toole. If you print/echo the input on the PHP page that receives this POST data, it comes out as: \"Hello\", said Jimmy O\'Toole. This is the point where it gets confusing. If I put this input string into (My)SQL and execute it, it'll go into the database fine (since quotes are escaped), but would that stop SQL injection? If I

I'm totally aware of the aberration of Magic Quotes in PHP, how it is evil and I avoid them like pest, but what are magic_quotes_runtime ? From php.ini: Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc. Is is something I should check if ON and turn OFF with: set_magic_quotes_runtime(false); Is it often ON by default? I know it's deprecated in 5.3.0 and removed in 6.0.0 but since my script support 5.1.0+ I would like to know how to handle this in "legacy" PHP (if it's relevant). Edit: To make things clear I want to exit('Turn OFF Magic Quotes'); when Magic quotes

What is the file? I have php.ini and php.ini-dist on my computer. php.ini-dist is the sample config file that comes with PHP, php.ini is the live config so you will need to set in this file magic_quotes_gpc = off magic_quotes_runtime = off magic_quotes_sybase = off 来源： https://stackoverflow.com/questions/1748001/how-to-turn-off-magic-quotes-in-php-configuration-file-i-am-using-xampp

My server admin recently upgraded to PHP 5.3 and I'm getting a weird "bug" (or feature , as the PHP folks have it). I had mysql_real_escape_string around most of my string form data for obvious safety reasons, but now it seems this escaping is already done by PHP. <?php echo $_GET["escaped"]; ?> <form method="get"> <input type="text" name="escaped" /> </form> This outputs, if I enter for instance escape 'this test' , escape \'this test\' . Same goes if I use POST instead of GET . Is it directly tied to the 5.3 upgrade or could my admin have triggered some automatic switch in the php.ini file?

I'm writing a set of PHP scripts that'll be run in some different setups, some of them shared hosting with magic quotes on (the horror). Without the ability to control PHP or Apache configuration, can I do anything in my scripts to disable PHP quotes at runtime? It'd be better if the code didn't assume magic quotes are on, so that I can use the same scripts on different hosts that might or might not have magic quotes. Only magic_quoted_runtime can be disabled at runtime. But magic_quotes_gpc can’t be disabled at runtime ( PHP_INI_ALL changable until PHP 4.2.3, since then PHP_INI_PERDIR ); you