Plesk Question posted in
The official documentation for Plesk Obsidian can be found here.

When I escape all the input, sometimes It leaves slashes () in the string and inserts it to database. Why does it happen and how can I solve this? – Plesk

I have found stripslashes function but I would rather find where I am adding more slashes than I should. My functions use mysql_real_escape_string once for each variable and I am querying database using “insert into foo(bar,bar) values($baz,$baz)”
maybe this is the problem.

phpinfo gives 

 magic_quotes_gpc           On  On 
 magic_quotes_runtime   Off Off
 magic_quotes_sybase            Off Off

static function insert($replyto,$memberid,$postid,$comment)
{
    $message=array();
    $lenmax=1000;
    $lenmin=5;

    $toolong="comment is too long.";
    $tooshort="comment is too short.";
    $notarget="replied comment is deleted";
    $nomember="you are not a member";
    $notpost="commented post is deleted";

    switch(true)
    {
    case strlen($comment)<$lenmin: $message[]= $tooshort; break;
    case strlen($comment)>$lenmax: $message[]=$toolong; break; 
    case $replyto!=NULL && !commentexists($replyto): $message[]=$notarget; break;
    case !memberexists($memberid): $message[]=$nomember; break;
    case !postexists($postid): $message[]=$nopost; break;
    case count($message)>0:return $message; break;
    }

    $replyto=mysql_real_escape_string($replyto);
    $memberid=mysql_real_escape_string($memberid);
    $postid=mysql_real_escape_string($postid);
    $comment=mysql_real_escape_string($comment);
    if($replyto==NULL)
    mysql_query("insert into fe_comment(memberid,postid,comment) values($memberid,$postid,'$comment')");
    else
    mysql_query("insert into fe_comment(replyto,memberid,postid,comment) values($replyto,$memberid,$postid,'$comment')");
}

my hosting firm has magic_quotes_gpc on and I don’t have access to php.ini file I am using plesk panel to configure things.

php documentation says

An example use of stripslashes() is when the PHP directive magic_quotes_gpc is on (it’s on by default), and you aren’t inserting this data into a place (such as a database) that requires escaping. For example, if you’re simply outputting data straight from an HTML form.

My insert queries are inserted with slashes in the database and My php version is 5.2.3

documentation also says

If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.

So I am checking if I escaped values twice I am not able to find anywhere I escaped the values twice.
now I am using

$comment=mysql_real_escape_string(stripslashes($comment));

but I think it shouldn’t become a standard in my codes because it doesn’t look like “the right way” even though it saves the day.

magic_quotes_gpc automaticly escapes all and also is not reliable because it is deprecated.

so I have created a .htaccess file and copied it into all directories I have an index.php file, .htaccess files have this text only

php_flag magic_quotes_gpc Off

I ran phpinfo and it still gives

magic_quotes_gpc On On
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off

now I need a way to disable the magic quotes gpc and I have no access to the php.ini file. I am looking for the ways to edit .htaccess files now.

Tags:

2

Answers


  1. 0

    Various ways of disabling magic quotes are provided in the php documentation. Failing that it provides a way of removing the slashes recursively from all of your request variables.

    Login or Signup to reply.
  2. 0

    I think it shouldn’t become a standard in my codes because it doesn’t look like “the right way”

    You are right.
    magic quotes stuff has nothing to do with sql stuff and shouldn’t be connected to it.
    Because magic quotes is a site-wide problem and sql escaping is sql only related problem.

    So, they need different treatment an should be never used in conjunction.

    You have to get rid of magic quotes unconditionally, because it spoiling not only SQL stuff but every data manipulation of your site.

    So, it would be wise to put some stripslashes code in whatever bootstrap file to be run on every call of the script. The code you can find in numerous implementations of such a code, just google for the ‘stripslashes_deep’ function.

    It would be wise to have this code always run (of course under the condition checking get_magic_quotes_gpc()) despite of the actual state of magic quotes, just for sake of compatibility.

    But there is another possibility to turn them off: try to create a php.ini file in the root of your application.

    However, there is a grave mistake in your code. In fact, it doesn’t protect anything.
    You are escaping $memberid and $postid but don’t quote them!. Thus, there is no protection at all. Just because escaping works only when used with quoting.

    Please, remember:

    Escaping is not a synonym for security!

    Escaping alone can help nothing. There is a whole set of rules to be followed.

    I wrote a decent explanation recently, so, I wouldn’t repeat myself: Replacing mysql_* functions with PDO and prepared statements

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search