Help understanding magic_quotes_gpc()

I studied this PHP code from a file upload tutorial:

    <form method="post" enctype="multipart/form-data">
      <input name="userfile" type="file" id="userfile">
      <input name="upload" type="submit" id="upload" value="Upload">
    </form>

    <?php
    // Run only when the form was submitted and a non-empty file arrived
    if (isset($_POST['upload']) && $_FILES['userfile']['size'] > 0) {
        $fileName = $_FILES['userfile']['name'];
        $tmpName  = $_FILES['userfile']['tmp_name'];
        $fileSize = $_FILES['userfile']['size'];
        $fileType = $_FILES['userfile']['type'];

        // Read the uploaded temporary file and escape its bytes for the query
        $fp      = fopen($tmpName, 'r');
        $content = fread($fp, filesize($tmpName));
        $content = addslashes($content);
        fclose($fp);

        // The file name came from the request: add slashes only if
        // magic quotes has not already done so
        if (!get_magic_quotes_gpc()) {
            $fileName = addslashes($fileName);
        }

        include 'library/config.php';
        include 'library/opendb.php';

        $query = "INSERT INTO upload (name, size, type, content ) " .
                 "VALUES ('$fileName', '$fileSize', '$fileType', '$content')";
        mysql_query($query) or die('Error, query failed');

        include 'library/closedb.php';
    }
    ?>

Now I understand every function and everything else using the PHP documentation, EXCEPT get_magic_quotes_gpc().

  • WHAT? What is it doing?
  • How convenient is it? If so, is there a replacement for it?
  • The PHP manual wrote: "This function has been DEPRECATED since PHP 5.3.0. Relying on this function is highly discouraged." Find out please?
  • There is no way to upload files to the (web) server hard disk and provide links to them.
+7
function security php manual
2 answers

get_magic_quotes_gpc() is a function that checks the configuration (php.ini) and returns 0 if magic_quotes_gpc is off (otherwise it returns 1).

When magic_quotes is enabled, all single quotes, double quotes, \ (backslash), and NUL characters are automatically escaped with a backslash. This prevents all kinds of security problems during administration.

In your case, the code checks to see if the setting is turned off, and adds slashes to properly escape the content, to prevent SQL injection.

As you said, this function is deprecated and will certainly be removed in the future (in fact, they removed it in PHP6).

An alternative is to escape the data at runtime, as needed.

+15

After reading your post and all the answers and comments, I think this function can help:

    function mysql_prep( $value ) {
        $magic_quotes_active = get_magic_quotes_gpc();
        $new_enough_php = function_exists( "mysql_real_escape_string" ); // i.e. PHP >= v4.3.0
        if( $new_enough_php ) { // PHP v4.3.0 or higher
            // undo any magic quote effects so mysql_real_escape_string can do the work
            if( $magic_quotes_active ) { $value = stripslashes( $value ); }
            $value = mysql_real_escape_string( $value );
        } else { // before PHP v4.3.0
            // if magic quotes aren't already on then add slashes manually
            if( !$magic_quotes_active ) { $value = addslashes( $value ); }
            // if magic quotes are active, then the slashes already exist
        }
        return $value;
    }
0
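
As an added example (not code from the tutorial or from either answer): the same INSERT written with PDO bound parameters, a different technique from the escaping the answers describe, so quotes, backslashes and NUL bytes are stored byte-for-byte without addslashes() or any magic_quotes check. The in-memory SQLite DSN, the `open_db()` and `store_upload()` helpers and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not from the tutorial: bound parameters instead of addslashes().
// Assumption: in-memory SQLite (pdo_sqlite) so it runs offline; the page's code
// targets MySQL, where only the DSN given to PDO would differ.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same columns as the tutorial's "upload" table.
    $db->exec('CREATE TABLE upload (id INTEGER PRIMARY KEY, name TEXT,
               size INTEGER, type TEXT, content BLOB)');
    return $db;
}

// store_upload() is a hypothetical helper name.
function store_upload(PDO $db, string $name, string $type, string $content): int
{
    $stmt = $db->prepare(
        'INSERT INTO upload (name, size, type, content)
         VALUES (:name, :size, :type, :content)'
    );
    // Values travel separately from the SQL text: no quoting step to forget,
    // apply twice, or undo with stripslashes().
    $stmt->bindValue(':name', basename($name), PDO::PARAM_STR);
    $stmt->bindValue(':size', strlen($content), PDO::PARAM_INT);
    $stmt->bindValue(':type', $type, PDO::PARAM_STR);
    $stmt->bindValue(':content', $content, PDO::PARAM_LOB);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Constructed sample input containing every character magic quotes rewrote.
$db      = open_db();
$name    = "o'reilly \"draft\".txt";
$content = "quote ' double \" backslash \\ NUL \0 end";
$id      = store_upload($db, $name, 'text/plain', $content);

$stmt = $db->prepare('SELECT name, size, content FROM upload WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
// Some PDO drivers return BLOB columns as streams; normalise to a string.
$stored = is_resource($row['content']) ? stream_get_contents($row['content']) : $row['content'];

// Each comparison is true when the value came back exactly as submitted.
var_dump($row['name'] === $name, $stored === $content, (int) $row['size'] === strlen($content));
```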