Help to understand magic_quotes_gpc()

php security function manual
Moon picture Moon · Aug 18, 2010 · Viewed 18.4k times · Source

i was learning this PHP code from a tutorial to upload files

<form method="post" enctype="multipart/form-data">
  <input name="userfile" type="file" id="userfile">  
</form>

<?php
  if (isset($_POST['upload']) && $_FILES['userfile']['size'] > 0) {
    $fileName = $_FILES['userfile']['name'];
    $tmpName  = $_FILES['userfile']['tmp_name'];
    $fileSize = $_FILES['userfile']['size'];
    $fileType = $_FILES['userfile']['type'];

    $fp      = fopen($tmpName, 'r');
    $content = fread($fp, filesize($tmpName));
    $content = addslashes($content);
    fclose($fp);

   if (!get_magic_quotes_gpc()) {
     $fileName = addslashes($fileName);
   }

   include 'library/config.php';
   include 'library/opendb.php';

   $query = "INSERT INTO upload (name, size, type, content ) ".
     "VALUES ('$fileName', '$fileSize', '$fileType', '$content')";

   mysql_query($query) or die('Error, query failed');
   include 'library/closedb.php';

now i understand every function and everything by using php documentation

EXCEPT

get_magic_quotes_gpc()
  • WHAT is it? What it does?
  • Is it eseential? If yes, Is there a replacement for this?
  • the PHP Manual said "This feature has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.". Elaborate please?
  • Isn't there a way to upload files to (web)server harDisk and provide links to them..

Answer

DmitryK picture DmitryK · Aug 18, 2010

get_magic_quotes_gpc() is a function that checks the configuration (php.ini) and returns 0 if magic_quotes_gpc is off (otherwise it returns 1).

When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NULs are escaped with a backslash automatically. This is to prevent all sorts of injection security issues.

In your case the code checks if the setting is off and adds slashes to properly escape the content to prevent SQL injection.

Like you said - this feature is deprecated and will certainly be removed in the future (in fact they removed it in PHP6).

The alternative is to escape the data at runtime as needed

Related questions

Check if a generated license is valid

I have a PHP script that generates some strings which will be used as license keys: function KeyGen(){ $key = md5(microtime()); $new_key = ''; for($i=1; $i <= 25; $i ++ ){ $new_key .= $key[$i]; if ( $i%5==0 && $i != 25) $new_key.=…

Read More
How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')"); That's …

Read More
How can I sanitize user input with PHP?

Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags?

Read More