get_magic_quotes_gpc(), or not

I would like to sanitize user-supplied HTTP request variables before sending them to a database.

There is a deprecated PHP setting called magic_quotes_gpc that automatically escapes GET, POST, and COOKIE (GPC) request variables by adding backslashes. Please understand that magic_quotes_gpc is highly discouraged.

<?php

  // in a world with magic_quotes_gpc
  $lastname = get_magic_quotes_gpc() ? stripslashes($_GET['lastname']) : $_GET['lastname'];

  // if magic_quotes_gpc never existed
  $lastname = $_GET['lastname'];
?>

It is recommended to disable magic_quotes_gpc and to sanitize HTTP request variables yourself before sending them to the database. The preferred (and arguably safest) approach is to use prepared statements; otherwise, quote your data with the database driver's own escaping function before sending it to the database, e.g.,

<?php

  // DB is a placeholder for your database abstraction; its quote() method
  // must wrap the value in quotes and escape it using the driver's rules
  // (e.g. PDO::quote()), never a generic addslashes().
  $db = new DB();
  $res = $db->query('SELECT * FROM users WHERE lastname = ' .
      $db->quote($_GET['lastname']) );

?>
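As an added example (not code from the original post), the following script shows both techniques side by side: undoing legacy magic_quotes_gpc escaping only when the setting is actually on, then querying with a PDO prepared statement, and finally the fallback of quoting with the driver's own PDO::quote(). It assumes an in-memory SQLite database and a constructed request array, so it runs offline; the table, rows, and the "O'Brien" input are constructed for the demonstration.

```php
<?php
// Added example (not from the original post): undo legacy magic_quotes_gpc
// escaping if it is still on, then query with a PDO prepared statement.
// Uses an in-memory SQLite database so it runs offline; the table and rows
// are constructed for the demonstration.

declare(strict_types=1);

/**
 * Return a raw request value. On PHP < 7.4 with magic_quotes_gpc enabled,
 * the value arrives with backslashes added, so strip them; on PHP 8 the
 * function no longer exists and the value is already raw.
 */
function rawRequestValue(array $source, string $key): ?string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    $value = $source[$key];
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

/** Look up users by exact last name using a bound parameter. */
function findUsersByLastname(PDO $db, string $lastname): array
{
    $stmt = $db->prepare('SELECT id, lastname FROM users WHERE lastname = :lastname');
    $stmt->bindValue(':lastname', $lastname, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, lastname TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO users (lastname) VALUES (:lastname)');
foreach (["O'Brien", 'Smith'] as $name) {
    $insert->execute([':lastname' => $name]);
}

// Constructed request: an apostrophe in the name is legitimate data and
// would break a query built by naive string concatenation.
$fakeGet = ['lastname' => "O'Brien"];
$lastname = rawRequestValue($fakeGet, 'lastname') ?? '';

// Prepared statement: the value never becomes part of the SQL text.
print_r(findUsersByLastname($db, $lastname));

// Fallback when prepared statements are unavailable: quote with the
// driver's own escaper rather than addslashes(); the result is a complete
// quoted SQL literal, so no extra quotes are added around it.
$literal = $db->quote($lastname);
$rows = $db->query("SELECT id, lastname FROM users WHERE lastname = $literal")
           ->fetchAll(PDO::FETCH_ASSOC);
print_r($rows);
```

Both lookups return the single "O'Brien" row. The `function_exists` guard matters because get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8, so unconditional calls break on current releases, while unconditional stripslashes() on a modern PHP would silently corrupt legitimate backslashes in user data.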
This entry was posted in php.