PHP has a built-in feature called magic quotes that can become rather confusing. This blog entry will try to help you deal with magic quotes without losing your hair in the process.
The Problem
Handling form data in PHP can become very hairy. Originally, PHP was simple. It was intended to take data submitted from a form and insert it into a MySQL database. Many basic features were added early on to make this as easy as possible, such as adding special slashes (magic quotes) to strings and making the submitted values readily available as globally registered variables. These features added security problems and complexity once PHP grew beyond the realm of MySQL databases.
The Solution
When writing PHP code that can be used on a variety of different web servers, it is important to simplify the code where possible. To do this, I created the following functions for handling Post, Get, and Cookie variables.
These functions may help prevent malicious usage of your scripts. If anything, the techniques below will help you handle data from the user.
[PHP]
// Return a POST field, or $Default if it was not submitted.
// With magic quotes on and $RemoveSlashes true, the added slashes are stripped.
function PostVar($Name, $Default = false, $RemoveSlashes = true)
{
    if( isset($_POST[$Name]) )
    {
        if( get_magic_quotes_gpc() && $RemoveSlashes )
            return stripslashes($_POST[$Name]);
        return $_POST[$Name];
    }
    return $Default;
}

// Same as PostVar(), for query-string (GET) fields.
function GetVar($Name, $Default = false, $RemoveSlashes = true)
{
    if( isset($_GET[$Name]) )
    {
        if( get_magic_quotes_gpc() && $RemoveSlashes )
            return stripslashes($_GET[$Name]);
        return $_GET[$Name];
    }
    return $Default;
}

// Same as PostVar(), for cookies.
function CookieVar($Name, $Default = false, $RemoveSlashes = true)
{
    if( isset($_COOKIE[$Name]) )
    {
        if( get_magic_quotes_gpc() && $RemoveSlashes )
            return stripslashes($_COOKIE[$Name]);
        return $_COOKIE[$Name];
    }
    return $Default;
}

// Look in POST first, then fall back to GET.
function PostGetVar($Name, $Default = false, $RemoveSlashes = true)
{
    if( isset($_POST[$Name]) )
    {
        if( get_magic_quotes_gpc() && $RemoveSlashes )
            return stripslashes($_POST[$Name]);
        return $_POST[$Name];
    }
    if( isset($_GET[$Name]) )
    {
        if( get_magic_quotes_gpc() && $RemoveSlashes )
            return stripslashes($_GET[$Name]);
        return $_GET[$Name];
    }
    return $Default;
}

$SearchVar = PostVar('SearchText', '', false);
$Password = PostVar('Password', false, true);
$Email = PostVar('Email', 'default@host.com', true);

// SearchText keeps its magic-quote slashes; they are the only escaping applied to this query.
$query = "SELECT password, email, average_score FROM accounts WHERE name LIKE '" . $SearchVar . "'";
$result = mysql_query($query, GetMyConnection() );
$Row = mysql_fetch_array($result);

// Strict comparison: a missing row or a missing password (false) never matches.
if( $Row && $Row['password'] === $Password )
{
    mail($Email, 'Latest Scores', 'Your latest score average is ' . $Row['average_score']);
    echo 'Successfully sent latest scores to ' . htmlspecialchars($Email) . '.';
}
else
{
    echo 'Error sending latest scores to ' . htmlspecialchars($Email) . '.';
}
[/PHP]
For the example script above, assume the php.ini on this server has magic_quotes_gpc = On.
As you can see, the submitted field 'SearchText' did not have the magic quotes removed, since we are using it in a MySQL query. The fields 'Password' and 'Email' do have the slashes removed from their values, since we do not want any slashes screwing up our script later on. The default values are used if the fields were not posted. Note that the default value for the search text is an empty string, which has no negative effects when used in a query. The default value for the password is false; since we can presume a password from the database will always have a value, this prevents accidental matches that may otherwise arise. The default value for the Email variable allows us to send the e-mail to a valid address in the event no e-mail address was submitted.
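A hardened counterpart to the script above, added here as an example and not the author's code: magic_quotes_gpc was removed in PHP 5.4, so the value is normalized once and then bound to a PDO prepared statement instead of relying on added slashes. The helper names, the in-memory SQLite table and the sample requests are assumptions constructed for the demonstration.

```php
<?php
// Added example; raw_input_value(), find_account() and the data are hypothetical.

// Return the value as the client sent it, undoing magic quotes only where
// the runtime can still apply them (PHP older than 5.4).
function raw_input_value(array $source, $name, $default = false)
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return $default;            // missing field or array-typed input
    }
    $value = $source[$name];
    if (PHP_VERSION_ID < 50400 && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Look up an account by name with a bound parameter. LIKE wildcards in the
// input are escaped with '!' so the text only matches literally.
function find_account(PDO $db, $search)
{
    $literal = str_replace(array('!', '%', '_'), array('!!', '!%', '!_'), $search);
    $stmt = $db->prepare(
        "SELECT name, email, average_score FROM accounts
          WHERE name LIKE :name ESCAPE '!'"
    );
    $stmt->execute(array(':name' => $literal));
    return $stmt->fetch(PDO::FETCH_ASSOC);   // false when nothing matches
}

// Constructed data: in-memory SQLite stands in for the MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (name TEXT, email TEXT, average_score REAL)');
$db->prepare('INSERT INTO accounts VALUES (?, ?, ?)')
   ->execute(array("O'Brien", 'obrien@example.com', 87.5));

// Constructed request bodies, standing in for $_POST.
$requests = array(
    array('SearchText' => "O'Brien"),        // legitimate name with a quote
    array('SearchText' => "x' OR '1'='1"),   // quote-breaking input
    array('SearchText' => '%'),              // wildcard that must not match all
    array(),                                 // field not submitted
);
foreach ($requests as $post) {
    $row = find_account($db, raw_input_value($post, 'SearchText', ''));
    echo json_encode($post), ' => ', $row ? $row['email'] : 'no match', "\n";
}
```

Only the first request returns a row; the other three are treated as plain text that matches no account name.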


















