[WEB SECURITY] magic_quotes

Dave King davefd at davewking.com
Tue Jun 21 18:27:49 EDT 2005

I'm personally not a big fan of magic_quotes.  I think it makes the code 
less portable since if it's moved to a server with that feature off by 
mistake then you're toast.  Also I think it's just a good idea to code 
it with correct checking in the first place and you'll be much better 
off in the end.

First of all, you should pretty much always check all your outside 
variables before using them.  For example, in your code you have 
$DATA->id which likely is a number so you should use is_numeric to make 
sure it's a number.  If it's not a number you can use preg_match and a 
regular expression from regexlib.com to check just about anything.  
Owasp.org also has a php filter library that can help sanitize input 
http://www.owasp.org/software/labs/phpfilters.html .

After the input is checked then you should use 
mysql_real_escape_string() to fix the variable.  So your query would become

$q = mysql_query ("SELECT * FROM whatever WHERE id = '" . 
mysql_real_escape_string($DATA->id) . "'");

or if the id is a number you can drop the tick and do
$q = mysql_query ("SELECT * FROM whatever WHERE id = " . 
mysql_real_escape_string($DATA->id));


Pablo Fernández wrote:

>Hi everybody
>I've been coding for the last couple of days with PHP+MySQL and I've been
>relying A LOT on magic_quotes. I am wondering if it's (at least for the
>moment) a safe thing to do. For example, consider the following code
>$GDATA = (object) $_GET;
>$PDATA = (object) $_POST;
>if ($GDATA) $DATA = $GDATA;
>else        $DATA = $PDATA;
>$q = mysql_query ("SELECT * FROM whatever WHERE id = '$DATA->id'");
>How safe is this?
>I would appreciate hints & thoughts (TM)
>Pablo Fernandez
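The validate-then-escape approach from Dave's reply, written out as an added example (not code from either poster): the helper names `raw_input`, `clean_id` and `clean_name` and the `$DATA` fixture are assumptions, and `mysql_real_escape_string()` needs an open MySQL link at runtime.

```php
<?php
// Added example: check outside input before it reaches SQL, then escape it.
// Assumes a MySQL connection is already open for mysql_real_escape_string().

// Undo magic_quotes_gpc when the server has it on, so the code behaves the
// same whether the setting is on or off (the portability problem Dave raises).
function raw_input($value)
{
    if (get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// An id must be a plain run of digits; anything else is rejected, not "fixed".
// is_numeric() also accepts "1e3" or " 5", so ctype_digit() is the tighter test.
function clean_id($value)
{
    $value = (string) raw_input($value);
    if (!ctype_digit($value) || strlen($value) > 10) {
        return false;
    }
    return (int) $value;
}

// Free-form text: check the shape with a regex first, then escape for the query.
function clean_name($value)
{
    $value = raw_input($value);
    if (!preg_match('/^[A-Za-z0-9 _.-]{1,64}$/', $value)) {
        return false;
    }
    return mysql_real_escape_string($value);
}

// Constructed request object, shaped like Pablo's (object) $_GET cast.
// "12abc" is not a valid id, so the script stops before any query is built.
$DATA = (object) array('id' => '12abc', 'name' => 'bob');

$id = clean_id($DATA->id);
$name = clean_name($DATA->name);
if ($id === false || $name === false) {
    header('HTTP/1.0 400 Bad Request');
    exit('invalid input');
}
// Numeric id: no quotes needed, because $id is now a real integer.
$q = mysql_query("SELECT * FROM whatever WHERE id = " . $id);
// Text column: the escaped value still sits inside single quotes.
$q2 = mysql_query("SELECT * FROM whatever WHERE name = '" . $name . "'");
```

This is PHP 5-era code matching the thread: magic_quotes was removed in PHP 5.4, the mysql_* functions in PHP 7, and get_magic_quotes_gpc() in PHP 8, so on current PHP the same input checks feed a prepared statement instead of string escaping.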

The Web Security Mailing List

The Web Security Mailing List Archives

More information about the websecurity mailing list