I'm confused about these magic quotes.
They are enabled on my server, and my question is: should I disable them
by using functions like:

    if (get_magic_quotes_gpc()) {
        $username = stripslashes($username);
        $password = stripslashes($password);
    }

to sanitize my input, or should I leave all the job to magic quotes?
I'm practicing some SQL injection (for learning purposes) and when magic quotes are on
I can't do anything, but when I use the code above I can do SQL injection.
So should I stick with magic quotes or use functions like this:

    if (get_magic_quotes_gpc()) {
        $username = stripslashes($username);
        $password = stripslashes($password);
    }
    // Escape outside the if, so it also runs when magic quotes are off
    $cleanUsername = mysql_real_escape_string($username);
    $cleanPassword = mysql_real_escape_string($password);

I don't have that much experience with sanitizing inputs, so any help please :(

Magic quotes are deprecated and will be removed from the next version of PHP (PHP 5.4), so you shouldn't rely on them. (See http://www.php.net/manual/en/security.magicquotes.php) The best way to prevent SQL injection is to use PDO and prepared statements. See https://www.php.net/manual/en/pdo.prepared-statements.php for more and search for a tutorial on Google if you need more.
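
The PDO prepared-statement approach recommended above, as an added example that is not part of the original thread. It assumes an in-memory SQLite database, a hypothetical `users` table and `checkLogin()` helper, and constructed sample credentials.

```php
<?php
// Added example: login check with PDO prepared statements.
// Assumptions: in-memory SQLite, hypothetical table and helper names,
// constructed sample data. Needs PHP 5.5+ for password_hash().

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE users (
    username      TEXT PRIMARY KEY,
    password_hash TEXT NOT NULL
)');

// Store a salted hash, never the password itself.
$insert = $pdo->prepare(
    'INSERT INTO users (username, password_hash) VALUES (:u, :h)'
);
$insert->execute([
    ':u' => 'alice',
    ':h' => password_hash('correct horse', PASSWORD_DEFAULT),
]);

function checkLogin(PDO $pdo, $username, $password)
{
    // The SQL text is fixed; the username travels as a bound parameter,
    // so quote characters in it are data and cannot change the query.
    // No stripslashes()/mysql_real_escape_string() juggling is needed
    // for the query itself.
    $stmt = $pdo->prepare(
        'SELECT password_hash FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();   // false when no row matches

    return $hash !== false && password_verify($password, $hash);
}

// Constructed inputs: a valid login, a username carrying quote
// characters in the style of an injection attempt, and a legitimate
// name that happens to contain an apostrophe.
var_dump(checkLogin($pdo, 'alice', 'correct horse'));
var_dump(checkLogin($pdo, "alice' OR '1'='1", 'anything'));
var_dump(checkLogin($pdo, "O'Brien", 'x'));
```

On a server where magic quotes are still enabled, request values should still be passed through `stripslashes()` before binding, otherwise the added backslashes are stored and compared as part of the data.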