Menu
i was learning this PHP code from a tutorial to upload files
<form method="post" enctype="multipart/form-data">
<input name="userfile" type="file" id="userfile">
</form>
<?php
if (isset($_POST['upload']) && $_FILES['userfile']['size'] > 0) {
$fileName = $_FILES['userfile']['name'];
$tmpName = $_FILES['userfile']['tmp_name'];
$fileSize = $_FILES['userfile']['size'];
$fileType = $_FILES['userfile']['type'];
$fp = fopen($tmpName, 'r');
$content = fread($fp, filesize($tmpName));
$content = addslashes($content);
fclose($fp);
if (!get_magic_quotes_gpc()) {
$fileName = addslashes($fileName);
}
include 'library/config.php';
include 'library/opendb.php';
$query = "INSERT INTO upload (name, size, type, content ) ".
"VALUES ('$fileName', '$fileSize', '$fileType', '$content')";
mysql_query($query) or die('Error, query failed');
include 'library/closedb.php';
now i understand every function and everything by using php documentation
EXCEPT
get_magic_quotes_gpc()
970
get_magic_quotes_gpc() is a function that checks the configuration (php.ini) and returns 0 if magic_quotes_gpc is off (otherwise it returns 1).
When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NULs are escaped with a backslash automatically. This is to prevent all sorts of injection security issues.
In your case the code checks if the setting is off and adds slashes to properly escape the content to prevent SQL injection.
Like you said - this feature is deprecated and will certainly be removed in the future (in fact they removed it in PHP6).
The alternative is to escape the data at runtime as needed
156
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
