Ambiguous phrases in PHP Manual

  • Ken in Melbourne Australia

    Ambiguous phrases in PHP Manual

    The PHP manual defines
    "magic_quotes_runtime

    If enabled, most functions that return data from an external
    source, including databases and text files, will have quotes
    escaped with a backslash "...

    This term 'external source' isn't defined anywhere in the
    manual! Is the data in our $_GET and $_POST variables
    considered an external source? The term 'most functions'
    without further explanation is most ambiguous.

    If magic_quotes_gpc is set to off in the php.ini file, can
    we control whether the $_GET and $_POST data is
    automagically slashed using set_magic_quotes_runtime()?
    or is magic_quotes_runtime only used for the data coming
    out of our database or files and a few special uses?

    Thanks for your help in sorting this confusion.

    Ken



  • Joe Webster

    #2
    Re: Ambiguous phrases in PHP Manual

    "Ken in Melbourne Australia" <ken@mira.net> wrote in message
    news:422c6725$0$14953$5a62ac22@per-qv1-newsreader-01.iinet.net.au...
    > The PHP manual defines
    > "magic_quotes_runtime
    >
    > If enabled, most functions that return data from an external
    > source, including databases and text files, will have quotes
    > escaped with a backslash "...
    >
    > This term 'external source' isn't defined anywhere in the
    > manual! Is the data in our $_GET and $_POST variables
    > considered an external source? The term 'most functions'
    > without further explanation is most ambiguous.
    >
    > If magic_quotes_gpc is set to off in the php.ini file, can
    > we control whether the $_GET and $_POST data is
    > automagically slashed using set_magic_quotes_runtime()?
    > or is magic_quotes_runtime only used for the data coming
    > out of our database or files and a few special uses?
    >
    > Thanks for your help in sorting this confusion.
    >
    > Ken

    If magic_quotes is turned on (the last time I actually used it) I'm pretty
    sure a form that a GET/POST request will be escaped to ease insertion into a
    database for example. Coming out of a database such as mySQL, I don't think
    I've ever seen them escaped.

    IMO, it's bad practice to use/depend on magic_quotes being on.

    HTH
    -Joe



    • Brion Vibber

      #3
      Re: Ambiguous phrases in PHP Manual

      > "Ken in Melbourne Australia" <ken@mira.net> wrote:
      >>The PHP manual defines
      >>"magic_quotes_runtime
      >>
      >>If enabled, most functions that return data from an external
      >>source, including databases and text files, will have quotes
      >>escaped with a backslash "...
      >>
      >>This term 'external source' isn't defined anywhere in the
      >>manual! Is the data in our $_GET and $_POST variables
      >>considered an external source? The term 'most functions'
      >>without further explanation is most ambiguous.

      Well, $_GET and $_POST are not functions. They are array variables.
      >>If magic_quotes_gpc is set to off in the php.ini file, can
      >>we control whether the $_GET and $_POST data is
      >>automagically slashed using set_magic_quotes_runtime()?
      >> or is magic_quotes_runtime only used for the data coming
      >>out of our database or files and a few special uses?

      You could test this question in much less time than it takes to ask a
      question on usenet and wait for a response. :)

      Because magic_quotes_runtime corrupts data with slashes coming from
      various _unspecified_ functions, you should probably never, ever use
      magic_quotes_runtime without doing a lot of careful testing.

      For the array values, which are already present at the start of the
      script, you must check whether magic_quotes_gpc is on and use
      stripslashes() as appropriate to get the uncorrupted values of the
      submitted data.

      Always perform the appropriate escaping (eg with
      mysql_real_escape_string()) before putting data into an SQL statement.

      Joe Webster wrote:
      > If magic_quotes is turned on (the last time I actually used it) I'm pretty
      > sure a form that a GET/POST request will be escaped to ease insertion into a
      > database for example.

      That's magic_quotes_gpc, which is ON by default...

      > Coming out of a database such as mySQL, I don't think
      > I've ever seen them escaped.

      ...that's magic_quotes_runtime, which is OFF by default. These are
      separate options.

      > IMO, it's bad practice to use/depend on magic_quotes being on.

      <nod>

      -- brion vibber (brion @ pobox.com)
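      A script-start routine that does what Brion describes, added here as an example and not code from the thread: undo magic_quotes_gpc on the request arrays, keep magic_quotes_runtime out of file and database reads, and escape only at the SQL boundary. The credentials and the users table are placeholders, and it assumes a PHP 5.x build with the mysql extension (magic quotes were removed in PHP 5.4 and the mysql extension in PHP 7, where prepared statements via PDO or mysqli replace this escaping).

```php
<?php
// Example added to this thread, not code posted by any participant.
// Assumes PHP 5.x: on PHP >= 5.4 get_magic_quotes_gpc() always returns false,
// and on PHP 8 the function no longer exists, hence the function_exists guards.

// Recursively remove the backslashes magic_quotes_gpc added to GET/POST/COOKIE.
// Nested arrays (e.g. name="item[]") must be walked too, or inner values stay slashed.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// magic_quotes_gpc is the option that touches $_GET/$_POST/$_COOKIE;
// undo it exactly once, before any other code reads the request.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// magic_quotes_runtime is a separate option: it affects data returned by
// functions such as fread() and mysql_fetch_*(), never the request arrays.
// Switch it off explicitly so reads from files and the database are not slashed.
if (function_exists('set_magic_quotes_runtime')) {
    @set_magic_quotes_runtime(0); // '@' silences the deprecation notice on 5.3
}

// From here on $_POST['name'] holds what the user typed (O'Reilly, not O\'Reilly).
// Escape at the SQL boundary with the connection's charset instead of relying
// on magic quotes; the connection details below are placeholders.
$link = mysql_connect('localhost', 'dbuser', 'dbpass');
$name = isset($_POST['name']) ? $_POST['name'] : '';
$sql  = "SELECT id FROM users WHERE name = '"
      . mysql_real_escape_string($name, $link) . "'";
```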


      • Joe Webster

        #4
        Re: Ambiguous phrases in PHP Manual

        "Brion Vibber" <brion@pobox.com> wrote in message
        news:39aca9F61bptgU1@individual.net...
        > > "Ken in Melbourne Australia" <ken@mira.net> wrote:
        > >>The PHP manual defines
        > >>"magic_quotes_runtime
        > >>
        > >>If enabled, most functions that return data from an external
        > >>source, including databases and text files, will have quotes
        > >>escaped with a backslash "...
        > >>
        > >>This term 'external source' isn't defined anywhere in the
        > >>manual! Is the data in our $_GET and $_POST variables
        > >>considered an external source? The term 'most functions'
        > >>without further explanation is most ambiguous.
        >
        > Well, $_GET and $_POST are not functions. They are array variables.
        >
        > >>If magic_quotes_gpc is set to off in the php.ini file, can
        > >>we control whether the $_GET and $_POST data is
        > >>automagically slashed using set_magic_quotes_runtime()?
        > >> or is magic_quotes_runtime only used for the data coming
        > >>out of our database or files and a few special uses?
        >
        > You could test this question in much less time than it takes to ask a
        > question on usenet and wait for a response. :)
        >
        > Because magic_quotes_runtime corrupts data with slashes coming from
        > various _unspecified_ functions, you should probably never, ever use
        > magic_quotes_runtime without doing a lot of careful testing.
        >
        > For the array values, which are already present at the start of the
        > script, you must check whether magic_quotes_gpc is on and use
        > stripslashes() as appropriate to get the uncorrupted values of the
        > submitted data.
        >
        > Always perform the appropriate escaping (eg with
        > mysql_real_escape_string()) before putting data into an SQL statement.
        >
        > Joe Webster wrote:
        > > If magic_quotes is turned on (the last time I actually used it) I'm pretty
        > > sure a form that a GET/POST request will be escaped to ease insertion into a
        > > database for example.
        >
        > That's magic_quotes_gpc, which is ON by default...
        >
        > > Coming out of a database such as mySQL, I don't think
        > > I've ever seen them escaped.
        >
        > ...that's magic_quotes_runtime, which is OFF by default. These are
        > separate options.
        >
        > > IMO, it's bad practice to use/depend on magic_quotes being on.
        >
        > <nod>
        >
        > -- brion vibber (brion @ pobox.com)
        You know, it's usually at the end of my day when I'm tired when I start
        getting to the news group -- maybe I should keep my fingers shut :) Anyway,
        Brion is right... two different options.



        I feel sorry for whoever came up with magic_quotes*, realizing that we all
        hate him for the confusion :)

        -Joe

