Bob
I am writing something that is going to be used for public consumption. I will have no idea whether or not magic_quotes are enabled on people's servers.
If I enter data in the form that has a MySQL special character, it will come across as escaped if magic quotes are on.
Example:
Data submitted: Bob's
Is posted to the PHP script as: Bob\'s
If Magic Quotes are off, the data will not be escaped:
Data submitted: Bob's
Is posted to the PHP script as: Bob's
I want to get around having to worry about whether magic quotes are enabled on the end user's server. I came up with this clever idea:
$sql_data = addslashes(stripslashes($_POST['form_data']));
If magic quotes are enabled, then the data will be un-escaped, and then escaped again - and I do not have to worry about whether or not magic quotes are enabled.
If magic quotes are disabled, then the data will not come across as escaped, so nothing will happen with the stripslashes() function, then the data will be escaped with the addslashes() function.
PERFECT! I covered both scenarios and don't have to worry about magic quotes at all.
Well, I start thinking about possible scenarios and this one comes to mind:
What if data is entered that has a "\" as part of the form field?
For example, let's say I want "Bob\'s" (exactly as typed with the backslash) written to the database.
If magic quotes are on, it is not a big deal. The field will be submitted as an escaped datafield, then re-escaped. No problem.
However - here is the question. If magic quotes are DISABLED, and the form field is submitted as "Bob\'s", and I call the command above:
$sql_data = addslashes(stripslashes($_POST['form_data']));
Will the inner stripslashes() think the data is already escaped and hence remove the "\" from the data? If so, the data will then be written to the database without the backslash.
Now - for all you PHP wizards, I know I can write a function with the ini_get('magic_quotes_gpc') and do whatever I need to do based on the result of that. However, the question I pose above is the interesting thing at hand.
-Bob
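The four cases raised in the post, run side by side as an added example (not code from the original post). Assumptions: magic_quotes_gpc is simulated with addslashes() because the setting was removed in PHP 5.4, stripslashes() stands in for the database unescaping the string literal, and as_received(), unconditional() and conditional() are hypothetical helper names.

```php
<?php
// Constructed sample inputs: exactly what the user typed into the form field.
$typedValues = ["Bob's", "Bob\\'s"];

// Simulates what the script receives. With magic quotes on, PHP applied
// addslashes() to GET/POST/COOKIE data before the script ever saw it.
function as_received(string $typed, bool $magicQuotes): string
{
    return $magicQuotes ? addslashes($typed) : $typed;
}

// The unconditional round trip from the post.
function unconditional(string $received): string
{
    return addslashes(stripslashes($received));
}

// Strip only when the server really added slashes, then escape once.
function conditional(string $received, bool $magicQuotes): string
{
    $raw = $magicQuotes ? stripslashes($received) : $received;
    return addslashes($raw);
}

// Stand-in for the database turning the escaped literal back into a value.
function stored_value(string $escaped): string
{
    return stripslashes($escaped);
}

foreach ($typedValues as $typed) {
    foreach ([true, false] as $magicQuotes) {
        $received = as_received($typed, $magicQuotes);
        $a = stored_value(unconditional($received)) === $typed;
        $b = stored_value(conditional($received, $magicQuotes)) === $typed;
        printf(
            "typed=%-7s magic_quotes=%-3s unconditional=%-4s conditional=%s\n",
            $typed,
            $magicQuotes ? 'on' : 'off',
            $a ? 'kept' : 'LOST',
            $b ? 'kept' : 'LOST'
        );
    }
}
```

Only one combination differs: with magic quotes off and a typed backslash, the unconditional stripslashes() removes the user's own backslash, so the stored value is Bob's rather than Bob\'s. For the database write itself, a parameterized query (PDO or mysqli prepared statement) takes the place of addslashes(), which is not character-set aware.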