RE: [PHP] magic quotes
Thanks,

Meant JavaScript, not Ajax. I had AJAX on the brain due to a project I'm working on. So I'm assuming there is a library of functions to use with the .htaccess file? 'Cause it looks like you can use UNIX and PHP to edit this file?

Kevon K. Hayes
815-980-3435
RFD, IL

-----Original Message-----
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 07, 2007 11:30 PM
To: KVIGOR
Cc: php-general@lists.php.net
Subject: Re: [PHP] magic quotes

On Tue, July 31, 2007 9:28 am, KVIGOR wrote:
> If magic quotes is on and I don't have access to the php.ini.
>
> Is there any way I can strip quotes from the form field without using
> AJAX?

Best: Use .htaccess to turn magic_quotes off.
Okay: Use something like
    if (ini_get('magic_quotes_gpc')) $data = stripslashes($data);
Worst: Ajax cannot possibly begin to address this issue and is completely useless to solve this particular problem.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.476 / Virus Database: 269.11.6/938 - Release Date: 8/5/2007 4:16 PM

No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.476 / Virus Database: 269.11.6/938 - Release Date: 8/5/2007 4:16 PM

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] magic quotes
Cool, That's very informative. You guys ROCK!

-----Original Message-----
From: Chris [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 08, 2007 5:16 PM
To: k3cheese
Cc: [EMAIL PROTECTED]; php-general@lists.php.net
Subject: Re: [PHP] magic quotes

k3cheese wrote:
> Thanks,
>
> Meant JavaScript, not Ajax. I had AJAX on the brain due to a project I'm working
> on. So I'm assuming there is a library of functions to use with the
> .htaccess file? 'Cause it looks like you can use UNIX and PHP to edit this
> file?

htaccess files can do lots of things.

http://httpd.apache.org/docs/2.2/howto/htaccess.html

See also http://www.php.net/manual/en/ini.php#ini.list for what you can change and where you're allowed to change it (some values can only be changed in the php.ini or apache config for example).

--
Postgresql & php tutorials
http://www.designmagick.com/
RE: [PHP] magic quotes
I added the code to my script and I still ended up with escaped quotes.

    if(ini_get('magic_quotes_gpc')) $_POST['data'] = stripslashes($_POST['data']);

Didn't work at all. I think I read something about it not working on runtime data. Like gpc. If this is correct, do you have another solution? I put this line in the .htaccess file; it didn't work either:

    php_flag magic_quotes_gpc off...

Is there any way possible? I don't need it now but it'd be nice to know for the future dev.

Kevon K. Hayes
815-980-3435
RFD, IL

-----Original Message-----
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 08, 2007 11:49 PM
To: k3cheese
Cc: php-general@lists.php.net
Subject: RE: [PHP] magic quotes

.htaccess is only meaningful for Apache.

JavaScript is equally useless to Ajax for working around Magic Quotes.
RE: [PHP] magic quotes
I have an example of how using JS can instantly remove chars you type. If I don't want quotes in the form fields, the code in a loop removes them. What's your take on this?
RE: [PHP] magic quotes
Indeed. The Force is strong with this one... This Richard Lynch. Thanks for your insight. You are right, magic quotes is indeed meddling with my vars before I can. OK, I better understand. I'll do more homework. I've already investigated the other link you advised and it's bookmarked.

-----Original Message-----
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 09, 2007 12:29 AM
To: k3cheese
Cc: php-general@lists.php.net
Subject: RE: [PHP] magic quotes

On Thu, August 9, 2007 12:01 am, k3cheese wrote:
> I have an example, how using js can instantly remove chars you type.
> If I don't want quotes in the form fields the code in loop removes them.
> What's your take on this?

My take:

Problem #1: It doesn't work very well for fields that actually should allow an apostrophe.

Problem #2: Apostrophe is NOT the only character that magic_quotes affects.

Problem #3: You can't rely on JavaScript sanitizing, because the Bad Guys aren't using a web browser; They are splatting whatever raw data they want directly at your script. Start reading here: http://phpsec.org

Problem #4: You cannot guarantee JavaScript is enabled in my browser. In fact, you can guarantee that at least one user will have disabled JavaScript.

Problem #5: It doesn't do diddly-squat for GET data nor for COOKIE data, only POST.

Problem #6: There is no number 6.

Problem #7: Magic Quotes was designed for the ASCII character set, and is downright dangerous to use for anything else (Unicode/UTF-8/etc).

Avoiding the input of the apostrophes (and other characters) but still having Magic Quotes on means you're just spinning your wheels with PHP calling addslashes on POST data that you HOPE (but can't prove) doesn't have apostrophe and other characters in it, but this could completely screw up in Unicode/UTF-8 incoming data, and most likely leave you vulnerable. Unless, of course, you use mysql_real_escape_string like you are supposed to.

Even then, the Unicode coming in will possibly/probably be whacked wrong by Magic Quotes sooner or later, so now if you want to support non-ASCII charsets, you probably can't, because Magic Quotes is munging the data before you get a chance to call mysql_real_escape_string on it to do the right thing.

[Though maybe not, as maybe addslashes can't do any harm to Unicode if there's no ' nor \ to escape... You'd have to ask a Unicode geek. But they'd tell you to just turn off the Magic Quotes and be done with it anyway.]

But that's just my take... :-v
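Added example, not part of the thread or any poster's code: it shows the munging described in the reply above, where a value already escaped by Magic Quotes is then handled correctly by the database layer and ends up stored with a literal backslash. It uses a PDO prepared statement on in-memory SQLite in place of the mysql_real_escape_string call the reply names (assumes the pdo_sqlite extension); the input and the store() helper are constructed for illustration.

```php
<?php
// Added example: constructed input, hypothetical store() helper.
$typed    = "Conan O'Brien";       // what the user actually submitted
$received = addslashes($typed);    // what the script sees with magic_quotes_gpc on

// Assumption: pdo_sqlite is available; any PDO driver behaves the same way here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (label TEXT, name TEXT)');

function store(PDO $db, $label, $name)
{
    // Bound parameters are quoted by the driver; no manual escaping is done.
    $stmt = $db->prepare('INSERT INTO people (label, name) VALUES (?, ?)');
    $stmt->execute(array($label, $name));
}

// Case 1: trust the slashes Magic Quotes added and store the value as received.
store($db, 'magic quotes left in place', $received);

// Case 2: undo Magic Quotes first, then let the database layer do the quoting.
store($db, 'magic quotes undone first', stripslashes($received));

foreach ($db->query('SELECT label, name FROM people') as $row) {
    printf("%-28s %s\n", $row['label'], $row['name']);
}
```

The first row comes back with a backslash before the apostrophe and the second exactly as typed: once the database layer does the quoting, any slashes Magic Quotes left behind become part of the stored data.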
RE: [PHP] magic quotes
It did work. I was expecting a physical change in the form display, as the form field values are set to stripslashes values.

-----Original Message-----
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 09, 2007 12:20 AM
To: k3cheese
Cc: php-general@lists.php.net
Subject: RE: [PHP] magic quotes

"runtime data" means "data that is coming out of your database at runtime" as opposed to "gpc data" which means "data from GET/POST/COOKIE"

It most certainly does NOT mean that you can't modify the data you have received in any way you choose.

Can you clarify "Didn't work at all." for us?

Or, perhaps, see if what you think is happening is happening:

    <?php
      // Dump the POST data as PHP received it
      echo "BEFORE:\n";
      var_dump($_POST);
      echo "";
      if (ini_get('magic_quotes_gpc')){
        // Magic Quotes is on: undo its escaping and dump again
        echo "ALTERING\n";
        $_POST['data'] = stripslashes($_POST['data']);
        echo "AFTER:\n";
        var_dump($_POST);
        echo "";
      }
    ?>

Because using stripslashes to un-do the evil effects of magic_quotes_gpc is pretty much a no-brainer...

.htaccess might not work for a number of reasons, such as:
You're not using Apache.
.htaccess is turned off in your httpd.conf
You didn't put .htaccess in the same directory as your PHP script
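Added example, not code from the thread: the one-field stripslashes check suggested above, extended to nested arrays and to every request source Magic Quotes touches, and guarded so it runs only once per request. undo_magic_quotes() and normalize_request() are hypothetical names and the sample input is constructed.

```php
<?php
// Added example. Written without type hints or short array syntax so it
// also runs on the old PHP 5 hosts where magic_quotes_gpc still exists.

// Hypothetical helper: strip one layer of slashes from a value or nested array.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Hypothetical bootstrap step: call once, before any other code reads input.
function normalize_request()
{
    static $done = false;
    // Stripping twice would eat backslashes the user really typed.
    if ($done || !ini_get('magic_quotes_gpc')) {
        return false;
    }
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
    $done = true;
    return true;
}

// Constructed input, escaped the way magic_quotes_gpc would deliver it.
$sample = array(
    'data' => addslashes('He said "it\'s fine"'),
    'path' => addslashes('C:\\temp'),
    'tags' => array(addslashes("rock'n'roll"), 'plain'),
);
var_dump($sample);                      // as received, with added slashes
var_dump(undo_magic_quotes($sample));   // as the user typed it
normalize_request();                    // no-op where Magic Quotes is off
```

Calling normalize_request() from a single include that every entry point loads covers the hosts where the .htaccess override is unavailable for the reasons listed above.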