I'm totally aware of the aberration of Magic Quotes in PHP, how it is evil and I avoid them like pest, but what are magic_quotes_runtime? From php.ini:
Magic quotes for runtime-generated
data, e.g. data from SQL, from exec(),
etc.
Is is something I should check if ON and turn OFF with:
set_magic_quotes_runtime(false);
Is it often ON by default? I know it's deprecated in 5.3.0 and removed in 6.0.0 but since my script support 5.1.0+ I would like to know how to handle this in "legacy" PHP (if it's relevant).
Edit: To make things clear I want to exit('Turn OFF Magic Quotes'); when Magic quotes are ON. I'm not relying on them!
If magic_quotes_runtime is enabled, most functions that return data from any sort of external source including databases and text files will have quotes escaped with a backslash. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.
http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-runtime
If magic quotes are ON, php will automatically escape quotes coming in POST or GET variables and automatically un-escape them when pulling data out of a database for example.
If you use things like addslashes(), mysql_escape_string() or mysql_real_escape_string() with magic quotes on, you'll end up double-escaping quotes.
The reason it's evil is the same reason addslashes() and mysql_escape_string() are evil - because it doesn't capture every possible method of putting a quote in a string. It gives you a false sense of security in thinking that you don't have to worry about escaping quotes anymore when in reality you still do.
Also, as if escaping strings wasn't enough of a PITA already, now you have to check if magic quotes are on or off before you try to escape or un-escape a string to avoid double escaping.
You could use ini_get to check for it's value, like this:
ini_get('magic_quotes_runtime');
Also you should wrap calls to set_magic_quotes_runtime/get_magic_quotes_runtime in function_exists calls, like that:
if (function_exists('set_magic_quotes_runtime')) {
set_magic_quotes_runtime(true/false);
}
But of course, one should not rely on magic quotes at all and should have them disabled if possible. Se this link for a coule of reasons why: http://www.php.net/manual/en/security.magicquotes.whynot.php
Related
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
PHP, why do you escape my quotes?
If I input the text don't for example in an input field and then try to display it or save it to MySQL with PHP mysqli Prepared Statements I get an extra backslash before the single quote.
$name = $_POST['name'];
echo "name=($name)";
This outputs:
don\'t
and I also gets this extra backslash stored in MySQL.
How could I avoid this and still be able to input backslashes?
Regards,
Magnus Strand
usage of stripslashes,
echo stripslashes("Who\'s Kai Jim?"); //Who's Kai Jim?
open your php.ini file and go to line 460 (almost) and turn off magic quotes. like
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
Keeping Magic Quotes Off is a good technique to start with your application Security. Magic quotes are inherently broken. They were meant to sanitize input to the PHP script, but without knowing how that input will be used it's impossible to sanitize correctly.
The PHP man page on magic quotes agrees:
"This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged. Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed."
I use mysql_real_escape_string() before interting information in the database, but when I want to show the data from the database, ' is replaced with \'.
So how can I get rid of that backslash? Is there a function that reverses mysql_real_escape_string()?
There is NO [built-in] function to reverse mysql_real_escape_string.
If you have only quotes but not linebreaks escaped - it is not mysql_real_escape_string to blame.
Instead of stripping, you apparently have to make your code not to add them.
There are 2 possible reasons for the slashes to appear:
magic_quotes_gpc is turned on. Just turn it off.
some extra-wise-data-sanitize function in charge. Get rid of it.
Just to make sure: not whatever "information" but only strings (query parts enclosed in quotes) have to be escaped. For the any other query part escaping is useless and you have to find another way to protect them from SQL injection
You should off the magic_quotes although mysql_real_escape_string does not add any backslash in the database that it is used just to escape the string.
However you can use the stripslashes() to remove them but the more elegant solution is to off the magic_quotes
If I have a form with a value of just "" and I submit it and echo it with PHP, I get \"\"
How can I get around this?
This is because magic_quotes_gpc is on. This is a bad 'feature', designed to automatically escape incoming data for those developers who can't learn to escape SQL input.
You should disable this as soon as possible.
ini_set('magic_quotes_gpc', 'off');
You should switch off magic_quotes_gpc, which is a broken feature (see Delan's answer, I completely agree).
But wait! You must sanitize the user input from $_REQUEST, $_POST and $_GET and $_COOKIE, if you want to use it for database or display at your page! Otherwise your code would be prone to various types of attacks!
There is nothing like "universal sanitization". Let's call it just quoting, because that's what its all about.
When quoting, you always quote text for some particular output, like:
string value for mysql query
like expression for mysql query
html code
json
mysql regular expression
php regular expression
For each case, you need different quoting, because each usage is present within different syntax context. This also implies that the quoting shouldn't be made at the input into PHP, but at the particular output! Which is the reason why features like magic_quotes_gpc are broken (always assure it is switched off!!!).
So, what methods would one use for quoting in these particular cases? (Feel free to correct me, there might be more modern methods, but these are working for me)
mysql_real_escape_string($str)
mysql_real_escape_string(addcslashes($str, "%_"))
htmlspecialchars($str)
json_encode() - only for utf8! I use my function for iso-8859-2
mysql_real_escape_string(addcslashes($str, '^.[]$()|*+?{}')) - you cannot use preg_quote in this case because backslash would be escaped two times!
preg_quote()
Try stripslashes().
stripslashes() is the opposite of addslashes(), and removes escape slashes from strings.
You can use stripslashes() function.
http://php.net/manual/en/function.stripslashes.php
This behavior is caused by the "Magic Quotes" PHP-Feature. http://php.net/manual/en/security.magicquotes.php
You can use something like this to make it work whether magic quotes are enabled or not:
if (get_magic_quotes_gpc()) {
$data = stripslashes($_POST['data']);
}
else {
$data = $_POST['data'];
}
I always use this method as it grabs the value as a string and therefore there will be no slashes:
$variable = mysql_escape_string($_REQUEST['name_input']);
I'm doing this to all strings before inserting them:
mysql_real_escape_string($_POST['position']);
How do I remove the: \ after retriving them?
So I don't end up with: \"Piza\"
Also is this enough security or should I do something else?
Thanks
I would suggest you call $_POST['position'] directly (don't call mysql_real_escape_string on it) to get the non-escaped version.
Incidentally your comment about security suggests a bit of trouble understanding things.
One way of handling strings is to handle the escaped versions, which leads to one kind of difficulty, while another is to handle another and escape strings just before embedding, which leads to another kind of difficulty. I much prefer the latter.
use stripslashes() to get rid of the escape character.
Escaping is great. In case the value is going to be integer , I would suggest you do it like:
$value = (int) $_POST['some_int_field'];
This would make sure you always end up with an integer value.
It could be because magic quotes are enabled, so to make it versatile, use this:
if (get_magic_quotes_gpc()) { // Check if magic quotes are enabled
$position = stripslashes($_POST['position']);
} else {
$position = mysql_real_escape_string($_POST['position']);
}
mysql_real_escape_string() does add \s in your SQL strings but they should not be making it into the database as they are only there for the purpose of string parsing.
If you are seeing \s in you database then something else is escaping your stings before you call mysql_real_escape_string(). Check to make sure that magic_quotes_gpc isn't turned on.
I got this from for a login form tutorial:
function sanitize($securitystring) {
$securitystring = #trim($str);
if(get_magic_quotes_gpc()) {
$securitystring = stripslashes($str);
}
return mysql_real_escape_string($securitystring);
}
Could some one explain exactly what this does? I know that the 'clean' var is called up afterwards to sanitize the fields; I.e. $email = sanitize($_POST['email']);
Basically, if you have magic quotes switched on, special characters in POST/SESSION data will automatically be escaped (same as applying addslashes() to the string). The MySQL escape functions are better than PHP's addslashes() (although I can't remember the exact reasons why).
What your code does is check if the php.ini file has magic quotes turned on, if so the slashes are stripped from the data and then it is re-sanitised using the MySQL function. If magic quotes is not on, there is no need to strip slashes so the data is just sanitised with the MySQL function and returned.
First of all, this code is wrong.
It has wrong meaning and wrong name.
No SQL data preparation code does any cleaning or sanitization.
It does merely escaping. And this escaping must be unconditional.
and escaping shouldn't be mixed with anything else.
So, it must be three separated functions, not one.
Getting rid of magic quotes. Must be done separately at the data input.
trim if you wish. It's just text beautifier, no critical function it does.
mysql_real_escape_string() to prepare data for the SQL query.
So, the only mysql related function here is mysql_real_escape_string(). Though it makes no data "clean", but merely escape delimiters. Therefore, this function must be used only with data what considered as a string and enclosed in quotes. So, this is a good example:
$num=6;
$string='name';
$num=mysql_real_escape_string($num);
$string=mysql_real_escape_string($string);
$query="SELECT * FROM table WHERE name='$name' AND num='$num'";
while this example is wrong:
$num=6;
$string='name';
$num=mysql_real_escape_string($num);
$string=mysql_real_escape_string($string);
$query2="SELECT * FROM table WHERE name='$name' AND num=$num";
Even though $query2 would not throw a syntax error, this is wrong data preparation and mysql_real_escape_string would help nothing here. So, this function can be used only to escape data that treated as a string. though it can be done to any data type, there is some exceptions, such as LIMIT parameters, which cannot be treat as a strings.
trim() gets rid of all whitespace, and if magic quotes is on, the backslash is removed from any escaped quotes with stripslashes(). mysql_real_escape_string() readies a string to be used in a mysql query safely.
here are the docs for the functions used: http://php.net/manual/en/function.trim.php, http://php.net/manual/en/function.get-magic-quotes-gpc.php, http://php.net/manual/en/function.stripslashes.php, http://php.net/manual/en/function.mysql-real-escape-string.php
mysql_real_escape_string is used to escape characters in the string to add backslashes to characters such as ', which prevents an attacker from embedding additional SQL statements into the string. If the string is not escaped, additional SQL can be appended. For example, something along the lines of this might be executed:
SELECT * FROM tbl WHERE col = 'test' ; DELETE * FROM tbl ; SELECT 'owned'
magic_quotes does escaping of its own, although if I remember correctly its use is now discouraged. Besides, the MySQL function will do all the escaping you need to prevent SQL injection attacks.
Some (old) servers have magic_quotes enabled. That means that all external input is altered to (supposedly) escape it in order to be injected in a MySQL query. So O'Brian becomes O\'Brian. This was an early design decision by the PHP team that proved wrong:
You don't always need to inject input into database queries
Not all DB engines use back slashes as escape char
Escaping single quotes with backs slashes is not enough, even for MySQL
Your server security relies on a PHP setting that can be disabled
So it's way better to code without magic_quotes. The problem comes with redistributable code: you cannot know if the server will have magic_quotes enabled or disabled. So you can use get_magic_quotes_gpc() to detect it they're on and, if so, use stripslashes() to (try to) recover the original input.