1

I've inherited a php4 site that needs to run on my PHP5 Server, I've solved most of the issues but can't figure out what the author was trying to do here. Well, to be precise, he was trying to quote the submitted text but I'm not sure how this function is supposed to work and how I should do it in PHP5?

```php
# Function to safely add slashes when magic quotes is switched off
function safe_slash($string)
{
  if (!get_magic_quotes_gpc())
  {
    $string = addslashes($string);
  }

  return $string;
}
```
deep64blue
  • The code is adding slashes to `$string` if `get_magic_quotes_gpc` is off .... the same code will run in PHP5 ... [read addSlashes()](http://www.php.net/manual/en/function.addslashes.php) – Manse Feb 10 '12 at 10:00
  • Means you have some issue with this code. **What is it**? – Your Common Sense Feb 10 '12 at 10:08
  • Sorry the problem is that slashes aren't getting added to the string so if I have a name like O'Leary the ' isn't escaped and the query fails. – deep64blue Feb 10 '12 at 10:22
  • Why are you talking about query? Have you tested this function itself? `var_dump(safe_slash("O'Leary"));` What does it say? – Your Common Sense Feb 10 '12 at 11:16
  • string(8) "O\'Leary" Interesting - I think perhaps this bit is working but somewhere it is not being called, will go and have another look. – deep64blue Feb 10 '12 at 12:30
  • Search and replace `safe_slash(` with `unsafe_slash(` so the function name is not that misleading. Also place a warning note inside the function's docblock and explain why the function is unsafe. – hakre Jul 12 '12 at 16:13

2 Answers

2

By default PHP4 has an option in PHP.ini turned on called magic_quotes_gpc, it will addslashes to all $_POST/$_GET variables.

That code simply checks if the value magic_quotes_gpc is turned off; if it is, it will addslashes to the $string passed in.

It should work in PHP4 and PHP5 (in PHP6 magic_quotes_gpc is going to be removed, I believe). It's not recommended to rely on, though: it was initially for 'protecting' against SQL injection but it has been found to be inadequate.

pjumble
  • Thanks - what is the recommended way now? mysqli_real_escape_string? – deep64blue Feb 10 '12 at 12:32
  • There are a few recommended ways, `mysqli_real_escape_string` is certainly an improvement over relying on magic quotes. An even bigger improvement would be to use prepared statements and parameterized queries (e.g. with [PDO](http://www.php.net/manual/en/class.pdo.php)) so you don't have to worry about escaping the strings yourself. – pjumble Feb 10 '12 at 13:12
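The prepared-statement approach recommended in the comment above, as an added example that is not part of the question or either answer. It uses PDO against an in-memory SQLite database so it runs stand-alone; the `people` table and the submitted names are constructed for the demo. The point it shows is that a name like O'Leary needs no addslashes() at all when the value is passed as a bound parameter, and that the stored value comes back without the extra backslash the question's `safe_slash()` would have added.

```php
<?php
// Added example (not from the question or either answer): parameterized queries
// with PDO instead of addslashes() / magic_quotes_gpc.
// Assumes the pdo_sqlite extension is available; the table is constructed here.

function openDemoDb()
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $pdo;
}

// Store a name exactly as submitted. The value is sent to the driver separately
// from the SQL text, so a quote inside it cannot alter the statement.
function addPerson(PDO $pdo, $name)
{
    $stmt = $pdo->prepare('INSERT INTO people (name) VALUES (:name)');
    $stmt->execute(array(':name' => $name));
}

// Look a name up the same way. Contrast with the question's approach, which
// would build "... WHERE name = '" . addslashes($name) . "'" by concatenation.
function findPerson(PDO $pdo, $name)
{
    $stmt = $pdo->prepare('SELECT name FROM people WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['name'];
}

$pdo = openDemoDb();

// Constructed inputs, as a user would submit them: no magic quotes, no addslashes().
$submitted = array("O'Leary", "Smith", "D\"Angelo \\ Co");
foreach ($submitted as $name) {
    addPerson($pdo, $name);
}

// The apostrophe is stored and matched as-is, with no backslash added.
var_dump(findPerson($pdo, "O'Leary"));

// If safe_slash() had been applied on top of a bound parameter, the backslash
// would become part of the stored data and the lookup would no longer match.
var_dump(findPerson($pdo, addslashes("O'Leary")));
```

The second lookup illustrates the double-escaping trap that makes magic quotes and addslashes() awkward to combine with a modern data layer: escaping is the driver's job, and only at the moment the query is sent.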
-1
```php
// Apply addslashes() to every string in a superglobal, descending into nested
// arrays, but only when magic_quotes_gpc has not already done so.
function addSlashesRecursive($s)
{
    if (get_magic_quotes_gpc()) {
        return $s;                  // PHP already added the slashes
    }
    if (is_string($s)) {
        return addslashes($s);
    } else if (is_array($s)) {
        // Recurse with a string callable (array('addSlashesRecursive') is not a valid callback)
        return array_map('addSlashesRecursive', $s);
    }
    return $s;                      // ints, bools, null: nothing to escape
}

// Plain function calls; self:: only works inside a class
$_POST   = addSlashesRecursive($_POST);
$_GET    = addSlashesRecursive($_GET);
$_COOKIE = addSlashesRecursive($_COOKIE);
```

But to my mind it would be better to change your code. In PHP6 magic_quotes will be removed altogether.

Alex Pliutau