
How to work with magic_quotes_gpc

This article discusses one of the configuration parameters of the PHP language, magic_quotes_gpc. This parameter plays an important role, above all, in the security of any web application that processes data received from the user and stores it in a MySQL database.

The magic_quotes_gpc parameter determines how special characters in data submitted by the user (the arrays $_GET, $_POST and $_COOKIE) are handled. With magic_quotes_gpc = 1 these special characters [the single quote ('), the double quote ("), the backslash (\) and the NULL byte] are escaped automatically by the PHP interpreter (a backslash is prepended to each such character). With magic_quotes_gpc = 0 all data is passed exactly as the user entered it. In the latter case, for safety, the submitted data must be processed directly in the application code (otherwise an SQL injection attack is possible). PHP provides the addslashes function for this purpose (excerpt from the documentation):

<?php
$str = "Is your name O'reilly?";

# outputs: Is your name O\'reilly?
echo addslashes($str);

So far it all seems simple. Using addslashes in application code is entirely justified when it is known for certain that the magic_quotes_gpc directive equals 0. But what if the hosting administrator decides to set its value to 1? The special characters will then be escaped twice! Therefore addslashes must be applied only when magic_quotes_gpc = 0. The current value of this configuration parameter can be obtained with the standard function get_magic_quotes_gpc. A more universal version of the code therefore looks like this:

<?php
# $str stands in for a value received from the user ($_GET, $_POST, $_COOKIE)
$str = "Is your name O'reilly?";
# escape only when the interpreter has not already done so
$str = (!get_magic_quotes_gpc()) ? addslashes($str) : $str;

# outputs, whatever the PHP settings: Is your name O\'reilly?
echo $str;

Writing such a construction every time would make the code of the web application rather bulky. It is much more effective to place at the beginning of each PHP file a universal piece of code that performs the processing described above when necessary. It looks like this:

<?php
# Escapes every string in $arr in place, descending into nested arrays.
function addslashes_for_array(&$arr)
{
    foreach ($arr as $k => $v)
    {
        if (is_array($v))
        {
            # $v is a copy, so escape it and write it back
            addslashes_for_array($v);
            $arr[$k] = $v;
        }
        else
        {
            $arr[$k] = addslashes($v);
        }
    }
}

# Escapes request data only when the interpreter has not done it already.
function fix_magic_quotes_gpc()
{
    if (!get_magic_quotes_gpc())
    {
        addslashes_for_array($_POST);
        addslashes_for_array($_GET);
        addslashes_for_array($_COOKIE);
    }
}

# escapes the strings in $_GET, $_POST, $_COOKIE if necessary
fix_magic_quotes_gpc();

Note that this code also takes into account the fact that the variables $_GET, $_POST and $_COOKIE may contain not only strings but also multidimensional arrays of strings.
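The following is an added example, not code from the original article. It exercises the same technique on a constructed request array (a stand-in for $_POST), shows the recursive walk over nested arrays described above, and reproduces the double-escaping failure the article warns about when addslashes is applied to data that magic quotes already escaped. The function names escape_gpc_array, magic_quotes_active and fix_gpc are assumptions introduced here; the sample values are constructed.

```php
<?php
declare(strict_types=1);

// Recursive escaper with the same behaviour as the article's
// addslashes_for_array, written with a by-reference foreach so nested
// arrays are updated in place instead of being copied and written back.
function escape_gpc_array(array &$arr): void
{
    foreach ($arr as &$v) {
        if (is_array($v)) {
            escape_gpc_array($v);
        } else {
            $v = addslashes((string) $v);
        }
    }
    unset($v); // drop the reference that foreach leaves behind
}

// True when the interpreter has already escaped GPC data.
// get_magic_quotes_gpc() is deprecated on PHP 7.4 and absent on PHP 8,
// so the call is guarded; on those versions magic quotes are never active.
function magic_quotes_active(): bool
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Escape once, and only when the interpreter has not done it already.
function fix_gpc(array &$request): void
{
    if (!magic_quotes_active()) {
        escape_gpc_array($request);
    }
}

// Constructed sample of what $_POST might hold: a nested form plus values
// containing quotes and a backslash (the characters magic quotes touches).
$post = [
    'name'    => "O'Reilly",
    'address' => ['street' => 'Back\\slash Rd', 'note' => 'say "hi"'],
    'tags'    => ['jazz', "rock 'n' roll"],
];

// 1) Escaped exactly once, as intended when magic_quotes_gpc = 0.
$once = $post;
fix_gpc($once);
var_dump($once['name']);                // string(9) "O\'Reilly"
var_dump($once['address']['street']);   // string(14) "Back\\slash Rd"
var_dump($once['address']['note']);     // string(10) "say \"hi\""
var_dump($once['tags'][1]);             // string(15) "rock \'n\' roll"

// 2) The failure mode from the text: data that magic_quotes_gpc = 1 already
//    escaped (simulated by a first pass) is escaped a second time by an
//    unconditional addslashes. Each quote now carries an extra backslash,
//    so the value written to the database no longer matches the user's input.
$simulated_magic = $post;
escape_gpc_array($simulated_magic);     // what the interpreter would have done
$twice = $simulated_magic;
escape_gpc_array($twice);               // unconditional second pass
var_dump($twice['name']);               // string(11) "O\\\'Reilly"

// Removing one layer of escaping recovers the correctly escaped form,
// which is how one layer too many shows up in practice.
var_dump(stripslashes($twice['name']) === $once['name']); // bool(true)
```

Run with `php example.php`. The function_exists guard is what keeps the snippet loading on current interpreters: magic quotes were removed in PHP 7.0 and get_magic_quotes_gpc itself in PHP 8.0, so on those versions the data is always escaped exactly once. addslashes is a generic escaper that knows nothing about the database connection's character set; it is what the article and the PHP documentation of the time prescribe, and the MySQL drivers' own escaping functions and prepared statements are the successors to this approach for data that ends up in SQL.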

P.S. During research on a number of web sites that our company carried out recently, it became clear that many well-known web developers do not take the magic_quotes_gpc parameter into account. And that is a pity...


Nikolay I. Yarovoy,
04/21/2006.
