June 26th, 2013, 10:59 AM
Magic Quotes REMOVED as of PHP 5.4.0
I am upgrading my server from PHP 5.2.4 and Postgres 8.2 to Postgres 5.4.14 and Postgres 9.2
In the older configuration, Magic Quotes was enabled in php.ini
So the problem now is that Magic Quotes has been removed. Also, addslashes() must no longer be used with Postgres 9. It should be replaced with pg_escape_string()
There are also some pieces of code where I use stripslashes() to display the text before/after inserting it in the database. In this case, I should also replace the double single quotes with only one.
Is there a fast workaround for that or must I update the whole code?
What do you think is the best solution to keep my website working, since I have like a thousand PHP files and I don't intend to change each page individually:
$name = pg_escape_string($_POST["name"]);
Your suggestions are appreciated
Thanks in advance
June 26th, 2013, 12:24 PM
You should update the whole code. magic_quotes was a bad feature and relying upon it is also a bad idea. Using it or addslashes() to escape data for SQL is unsafe, and using both actually corrupts the data (by inserting slashes where there shouldn't be any) and forces you to stripslashes() on what it returns.
You would get that advice regardless of whether you were upgrading or not.
What you do depends on how your code/site works, but in the general case:
1. Don't insert $_GET or $_POST values into SQL directly.
2. Store the values in variables, escape them, and use them in the query instead. (Or better yet use prepared statements.)
3. pg_escape_string() instead of addslashes().
4. Find data in your database that has been addslashes()ed and undo that: either manually, or automatically through stripslashes(), or automatically through some mechanism that PostgreSQL provides (if any).
If you're on 5.2 now then there shouldn't be any rush to upgrade. Take your time and get it right.
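The four steps above, written out as an added example (not code from either poster). It assumes a hypothetical table people(id serial, name text) and an open pg_connect() handle in $db; the legacy function is kept only to show the pattern being replaced.

```php
<?php
// Legacy pattern from the question: addslashes() (or magic_quotes) turns O'Brien into
// O\'Brien. That is not valid escaping for PostgreSQL, and with magic_quotes on top the
// backslash was actually stored, which is why stripslashes() was needed on display.
function legacyInsert($db, string $name): void
{
    $escaped = addslashes($name); // BAD: MySQL-style escaping, wrong for Postgres
    pg_query($db, "INSERT INTO people (name) VALUES ('$escaped')");
}

// Step 3: pg_escape_string() doubles the quote per the SQL standard (O'Brien -> O''Brien),
// so nothing needs to be stripped when the value is read back.
function escapedInsert($db, string $name): void
{
    $escaped = pg_escape_string($db, $name);
    pg_query($db, "INSERT INTO people (name) VALUES ('$escaped')");
}

// Steps 1-2, preferred form: a parameterised query. The value never touches the SQL text,
// so there is no escaping to get wrong in application code at all.
function paramInsert($db, string $name): void
{
    pg_query_params($db, 'INSERT INTO people (name) VALUES ($1)', [$name]);
}

// Step 4: find rows that still carry addslashes() backslashes and undo them.
// Only rows containing a backslash are examined. Because stripslashes() would also
// mangle legitimate backslashes (e.g. Windows paths), $dryRun lets you review the
// affected rows before rewriting anything.
function undoAddslashesDamage($db, bool $dryRun = true): array
{
    $changed = [];
    $res = pg_query_params($db, 'SELECT id, name FROM people WHERE position($1 IN name) > 0', ['\\']);
    while ($row = pg_fetch_assoc($res)) {
        $clean = stripslashes($row['name']);
        if ($clean === $row['name']) {
            continue;
        }
        $changed[$row['id']] = [$row['name'], $clean];
        if (!$dryRun) {
            pg_query_params($db, 'UPDATE people SET name = $2 WHERE id = $1', [$row['id'], $clean]);
        }
    }
    return $changed; // id => [before, after], so the dry run can be audited
}
```

Run undoAddslashesDamage($db) once with the default dry run, inspect the returned pairs, then call it with false to apply the changes.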