escaping, stripslashes and magic quotes!

Hi All,
Can anybody point me to a FAQ or similar that describes what all this
stuff is about please?. I'm interfacing with a MySQL database if that's
relavent. I've read a couple of books which refer to stripslahes and
'escaping' but nothing really explains what these terms are and why these
are used. Why is 'escaping' (whatever that is) used?. What the hell is a
magic quote?. How is it different from a non-magic one?.

Regards,
Dave

"Dave Moore" <dave_m_moore@post2me.freeserve.co.uk> kirjoitti
viestissä:d7aaq1$ggu$1@newsg1.svr.pol.co.uk...
> Hi All,
> Can anybody point me to a FAQ or similar that describes what all this
> stuff is about please?. I'm interfacing with a MySQL database if that's
> relavent. I've read a couple of books which refer to stripslahes and
> 'escaping' but nothing really explains what these terms are and why these
> are used. Why is 'escaping' (whatever that is) used?. What the hell is a
> magic quote?. How is it different from a non-magic one?.
>


Imagine you have a database where you insert names. You use a SQL query:
INSERT INTO names VALUES('John Doe')

Here the name John Doe is isolated with pair of '' quotes. That's how MySQL
knows where the name begins and where it ends.

Now an italian guy comes with a name like Giovanni D'Angelo. Look what
happens:
INSERT INTO names VALUES('Giovanni D'Angelo')

Here MySQL sees a string Giovanni D and some crap after that, since it
interprets the first occurance of ' as the end of the string. This is:
unless it is ESCAPED. Escaping means we tell MySQL that the particular ' is
in fact a part of the string and not the ending quote:

INSERT INTO names VALUES('Giovanni D\'Angelo')

the ' in D'Angelo is escaped with backslash: \' . Now MySQL bypasses it
thanks to the escaping and sees the string as "Giovanni D'Angelo" and works
correctly.

Magic Quotes is a mechanism of PHP that automatically escapes all user
inputs. So that when D'Angelo typed his name and submitted the form, it
comes to PHP already escaped, as "Giovanni D\'Angelo" and you don't have to
worry about it. If the magic qoutes are turned off, you need to do the
escaping by yourself for each input you want. And addslashes does just this.

--
"I am pro death penalty. That way people learn
their lesson for the next time." -- Britney Spears

eternal.erectionN0@5P4Mgmail.com

Dave Moore said the following on 28/05/2005 18:44:
> Hi All,
> Can anybody point me to a FAQ or similar that describes what all this
> stuff is about please?. I'm interfacing with a MySQL database if that's
> relavent. I've read a couple of books which refer to stripslahes and
> 'escaping' but nothing really explains what these terms are and why these
> are used. Why is 'escaping' (whatever that is) used?. What the hell is a
> magic quote?. How is it different from a non-magic one?.
>

Imagine you're putting some data into a MySQL database. You might do
something like:

mysql_query("INSERT INTO table (name) VALUES ('$name')");

where $name is a string.
If $name was "John", the query string would become:

INSERT INTO table (name) VALUES ('John')

No problem there. But if $name was "Hell's Bells", then the string becomes:

INSERT INTO table (name) VALUES ('Hell's Bells')

Now, there's a mismatch in the number of single quotes, and this will
cause a MySQL error.

To get around this, one indicates a single-quote *within* a value string
using \' i.e backslash, single-quote. This is called "escaping" (one
escapes from the syntax processing that would normally occur).

All strings must be "escaped" before being put into an SQL query using
mysql_real_escape_string(), which does the conversion above (as well as
a few others). So your command would be:

mysql_query("INSERT INTO table (name) VALUES ('"
. mysql_real_escape_string($name) . "')");


Magic Quotes is something that seemed like a good idea back in the
earlier days of PHP. Basically, when Magic Quotes is turned on, all GET,
POST and COOKIE variables are automatically escaped ready for use in a
database query. This is to save lazy people time, so that they don't
have to call mysql_real_escape_string() each time.

However, they *will* have to call stripslashes() (which removes the
escaping from the string) whenever they want to use the string in a
normal context. So it's actually just a pain. If you have control of
your PHP configuration, turn magic-quotes off.

If not, you'll have to do something like at the top of your scripts:

if (get_magic_quotes_gpc())
{
foreach ($_GET as $key=>$value)
{
$_GET["key"] = stripslashes($value);
}
}


P.S. The best place to start on reading about anything PHP-related is
the online manual: http://www.php.net/manual.

--
Oli

Read this:

http://php.net/manual/en/security.magicquotes.php

Read this:
http://php.net/manual/en/security.magicquotes.php