
According to the PHP manual, in order to make code more portable, they recommend using something like the following for escaping data:

if (!get_magic_quotes_gpc()) {
    $lastname = addslashes($_POST['lastname']);
} else {
    $lastname = $_POST['lastname'];
}

I have other validation checks that I will be performing, but how secure is the above strictly in terms of escaping data? I also saw that magic quotes will be deprecated in PHP 6. How will that affect the above code? I would prefer not to have to rely on a database-specific escaping function like mysql_real_escape_string().

 Answers

99

Magic quotes are inherently broken. They were meant to sanitize input to the PHP script, but without knowing how that input will be used it's impossible to sanitize correctly. If anything, you're better off checking if magic quotes are enabled, then calling stripslashes() on $_GET/$_POST/$_COOKIE/$_REQUEST, and then sanitizing your variables at the point where you're using them. E.g. urlencode() if you're using it in a URL, htmlentities() if you're printing it back to a web page, or using your database driver's escaping function if you're storing it to a database. Note those input arrays could contain sub-arrays, so you might need to write a function that can recurse into the sub-arrays to strip those slashes too.

The PHP man page on magic quotes agrees:

"This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0. Relying on this feature is highly discouraged. Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed."

Wednesday, March 31, 2021
 
Pegues
answered 7 Months ago
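The approach this answer describes, as an added example that is not part of the original post or the PHP manual: normalise once at the entry point (only if the engine really added slashes), then encode per sink, and use a bound parameter instead of any escaping for SQL. It assumes PDO with the pdo_sqlite driver is available; the input string, the table name and the helper names are constructed for the demo.

```php
<?php
// Added example (not from the original post). Assumes pdo_sqlite is installed.

// Constructed input: what $_POST['lastname'] might hold after a hostile submit.
$raw = "O'Neil\" <b>bold</b> & co \\ ";

// 1. Normalise at the entry point. Only undo slashes the engine itself added:
//    on PHP 5.4..7.4 get_magic_quotes_gpc() always returns 0, on PHP 8 the
//    function no longer exists. stripslashes() on clean input would destroy
//    legitimate backslashes, hence the guard.
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $raw = stripslashes($raw);
}

// 2. Escape at the point of use, one encoder per sink.

// HTML text node or double-quoted attribute value.
function for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Query-string parameter value (RFC 3986 %-encoding, no '+' for spaces).
function for_url(string $s): string
{
    return rawurlencode($s);
}

// SQL: do not escape at all; bind the value, so it is never part of the query text.
function find_by_lastname(PDO $db, string $lastname): array
{
    $stmt = $db->prepare('SELECT id, lastname FROM people WHERE lastname = :ln');
    $stmt->execute([':ln' => $lastname]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, lastname TEXT)');

// The raw value is stored byte-for-byte, quotes and backslash included.
$ins = $db->prepare('INSERT INTO people (lastname) VALUES (:ln)');
$ins->execute([':ln' => $raw]);

echo '<td>' . for_html($raw) . "</td>\n";                       // safe in HTML
echo 'https://example.invalid/?lastname=' . for_url($raw) . "\n"; // safe in a URL
var_export(find_by_lastname($db, $raw));                          // round-trips: one row, unmangled
echo "\n";
var_export(find_by_lastname($db, "' OR 1=1 --"));                 // injection text is just a string: no rows
echo "\n";

// For contrast, the manual's snippet escapes at entry. The backslashes then
// travel into every sink that is not a SQL string literal:
$at_entry = addslashes($raw);
echo for_html($at_entry) . "\n";   // the page now shows O\'Neil\" ... with stray backslashes
```

The point the answer makes is visible in the last two lines: addslashes() is only "right" for one sink (an unparameterised SQL literal on a server whose charset and escaping rules happen to match), and every other sink receives corrupted data. Binding the parameter removes the need to know the database's escaping rules at all, which also answers the question's wish to avoid mysql_real_escape_string().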
36

__call() is only invoked when the function isn't otherwise found so your example, as written, is not possible.

Wednesday, March 31, 2021
 
revive
answered 7 Months ago
24

I think this is a little cleaner and avoids reference bugs:

// Build a new array rather than walking the superglobals by reference,
// so nested arrays are handled without leaving stale references behind.
function unMagicQuotify($ar) {
  $fixed = array();
  foreach ($ar as $key=>$val) {
    // Magic quotes escape keys as well as values, so strip both.
    if (is_array($val)) {
      $fixed[stripslashes($key)] = unMagicQuotify($val);
    } else {
      $fixed[stripslashes($key)] = stripslashes($val);
    }
  }
  return $fixed;
}

// Only undo what magic_quotes_gpc actually added; with it off, stripslashes()
// would eat legitimate backslashes from the input.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
  $process = array($_GET,$_POST,$_COOKIE,$_REQUEST);
  $fixed = array();
  foreach ($process as $index=>$glob) {
    $fixed[$index] = unMagicQuotify($glob);
  }
  list($_GET,$_POST,$_COOKIE,$_REQUEST) = $fixed;
}
Saturday, May 29, 2021
 
xenon
answered 5 Months ago
32

I think I've solved it. If I encapsulate the nodes inside curly braces as strings, PHPStorm will ignore these.

echo $xml->{'Parent'}->{'ChildElement'};

This has the advantage of being consistent if you encounter an XML tag with a hyphen, for instance. $xml->{'Parent-Node'}

Saturday, May 29, 2021
 
VostanAzatyan
answered 5 Months ago
59

I ran into the same issue and found the following solution in the documentation: http://symfony.com/doc/current/book/testing.html#your-first-functional-test

To run your functional tests, the WebTestCase class bootstraps the kernel of your application. In most cases, this happens automatically. However, if your kernel is in a non-standard directory, you'll need to modify your phpunit.xml.dist file to set the KERNEL_DIR environment variable to the directory of your kernel:

<phpunit>
    <!-- ... -->
    <php>
        <server name="KERNEL_DIR" value="/path/to/your/app/" />
    </php>
    <!-- ... -->
</phpunit>

So check your phpunit.xml.dist configuration file and try to add the absolute path to your app-directory.

Hope it helps.

Friday, July 30, 2021
 
Bálint Molnár
answered 3 Months ago