Are magic quotes vulnerable to Sql Injection ? Should i use stripslashes and then sanitize the input?

840 views Asked by At

I'm confused about these magic quotes.
They are enabled on my server, and my question is should i disable them by using functions like :

if(get_magic_quotes_gpc()){
 $username=stripslashes($username);
 $password=stripslashes($password);
}

to sanitize my input or should i leave all the job to magic quotes.
I'm practicing some sql injection (for learning purposes) and when magic quotes are on i cant do anything, but when i use the code above i can do sql injection.
So should i stick with magic quotes or use functions like this:

if(get_magic_quotes_gpc()){
 $username=stripslashes($username);
 $password=stripslashes($password);
 $cleanUsername=mysql_real_escape_string($username);
 $cleanPassword=mysql_real_escape_string($password);
}

I dont have that much experience on sanitizing inputs so any help please :(

1

There are 1 answers

1
mravey On BEST ANSWER

Magic quotes are deprecated and will be removed from the next version of PHP (PHP 5.4), so you shouldn't rely on them. (See http://www.php.net/manual/en/security.magicquotes.php) The best way to prevent SQL injection is to use PDO and prepared statements. See https://www.php.net/manual/en/pdo.prepared-statements.php for more and search for a tutorial on google if you need more.