
I was learning this PHP code from a tutorial to upload files:

<form method="post" enctype="multipart/form-data">
  <input name="userfile" type="file" id="userfile">
  <input name="upload" type="submit" value="Upload">  <!-- the PHP below checks $_POST['upload'] -->
</form>

<?php
if (isset($_POST['upload']) && $_FILES['userfile']['size'] > 0) {
  $fileName = $_FILES['userfile']['name'];
  $tmpName  = $_FILES['userfile']['tmp_name'];
  $fileSize = $_FILES['userfile']['size'];
  $fileType = $_FILES['userfile']['type'];

  // read the uploaded file from its temporary location
  $fp      = fopen($tmpName, 'r');
  $content = fread($fp, filesize($tmpName));
  $content = addslashes($content);
  fclose($fp);

  if (!get_magic_quotes_gpc()) {
    $fileName = addslashes($fileName);
  }

  include 'library/config.php';
  include 'library/opendb.php';

  // the values are interpolated straight into the SQL string (see the comments below)
  $query = "INSERT INTO upload (name, size, type, content ) ".
    "VALUES ('$fileName', '$fileSize', '$fileType', '$content')";

  mysql_query($query) or die('Error, query failed');
  include 'library/closedb.php';
}
?>

Now I understand every function and everything by using the PHP documentation

EXCEPT

get_magic_quotes_gpc()
  • WHAT is it? What does it do?
  • Is it essential? If yes, is there a replacement for this?
  • The PHP Manual said "This feature has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged." Elaborate please?
  • Isn't there a way to upload files to the (web)server hard disk and provide links to them..
apaderno
Moon

  • This code is vulnerable to SQL injection regardless of magic_quotes; you should give it a [security] tag if you want a better answer. Whoever wrote this doesn't understand PHP or security. – rook Aug 18 '10 at 02:39
  • Well, if I forbid input of the ' (quote) character in my input (textbox) then I will be secure from SQL injection, wouldn't I... – Moon Aug 19 '10 at 08:05

2 Answers

get_magic_quotes_gpc() is a function that checks the configuration (php.ini) and returns 0 if magic_quotes_gpc is off (otherwise it returns 1).

When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NULs are escaped with a backslash automatically. This is to prevent all sorts of injection security issues.

In your case the code checks if the setting is off and adds slashes to properly escape the content to prevent SQL injection.

Like you said - this feature is deprecated and will certainly be removed in the future (in fact they removed it in PHP6).

The alternative is to escape the data at runtime as needed.

DmitryK

  • Awesome.... couldn't have given a better explanation... man, can you rewrite the PHP Manual for the world to understand – Moon Aug 18 '10 at 01:18
  • The only additions I'd make is to say that it tries to prevent injection security issues. It doesn't do a very good job (and hence the reason for functions like `mysql_real_escape_string`). And secondly, never use it (`magic_quotes_gpc`). If the function returns true (it's enabled), run `stripslashes` on all input. Then either bind your params via a prepared query, or use `mysql_real_escape_string/mysqli::real_escape_string`. **Do not rely upon `magic_quotes_gpc`**... There's a reason it's deprecated... (and your code posted in the question is vulnerable because of that)... – ircmaxell Aug 18 '10 at 02:21

After reading your post and all the answers and comments, I think this function may help:

function mysql_prep( $value ) {
    $magic_quotes_active = get_magic_quotes_gpc();
    $new_enough_php = function_exists( "mysql_real_escape_string" ); // i.e. PHP >= v4.3.0
    if( $new_enough_php ) { // PHP v4.3.0 or higher
        // undo any magic quote effects so mysql_real_escape_string can do the work
        if( $magic_quotes_active ) { $value = stripslashes( $value ); }
        $value = mysql_real_escape_string( $value );
    } else { // before PHP v4.3.0
        // if magic quotes aren't already on then add slashes manually
        if( !$magic_quotes_active ) { $value = addslashes( $value ); }
        // if magic quotes are active, then the slashes already exist
    }
    return $value;
}
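The approach ircmaxell's comment describes (undo magic quotes if a legacy PHP applied them, then bind parameters) applied to the question's INSERT, as an added example that is not code from the question or either answer. It assumes a mysqli connection in `$db`, the question's `upload` table, and placeholder database credentials.

```php
<?php
// Added example, not code from the question or either answer: the same INSERT
// done with a mysqli prepared statement, so neither magic_quotes_gpc nor
// addslashes() is involved in keeping user data out of the SQL text.
// Assumes a live mysqli connection in $db and the question's `upload` table.

/** Return $value as the user sent it, undoing magic_quotes_gpc if a legacy PHP applied it. */
function raw_input($value)
{
    // get_magic_quotes_gpc() only ever returns true on PHP < 5.4 and no longer
    // exists in PHP 8, so guard the call instead of assuming it is there.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

/** Store one entry of $_FILES; returns true on success, false otherwise. */
function store_upload(mysqli $db, array $file)
{
    // Reject failed or forged uploads before touching the temp file.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    $name    = raw_input($file['name']);   // client-controlled, used only as data
    $size    = (int) $file['size'];
    $type    = raw_input($file['type']);   // also client-controlled: a label, not proof of content
    $content = file_get_contents($file['tmp_name']); // raw bytes, no addslashes()

    $stmt = $db->prepare(
        'INSERT INTO upload (name, size, type, content) VALUES (?, ?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    // Values travel to the server separately from the statement text, so a quote
    // or backslash in the filename cannot change what the query does.
    $stmt->bind_param('siss', $name, $size, $type, $content);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (isset($_POST['upload']) && isset($_FILES['userfile'])) {
    $db = new mysqli('localhost', 'user', 'password', 'dbname'); // placeholder credentials
    $db->set_charset('utf8mb4');
    echo store_upload($db, $_FILES['userfile']) ? 'Stored.' : 'Upload failed.';
}
```

Binding the file body as a string keeps the example short; for files near the server's max_allowed_packet you would bind it as a blob (`b`) and stream it with `send_long_data()` instead.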