Actually your sample would be injected with or without magic_quotes, BUT also with mysql_real_escape_string or PDO.
If you read my post you'll notice that I said that this is downright bad code. But let me quote one of your earlier posts:
Yes, but the example is way too bad, it can be injected... but injected under any circumstance.
SQL injections ARE stopped by magic_quotes_gpc
And now you've admitted that my example would inject, proving your earlier statement wrong.
Sorry, your code doesn't need any anti-sqli measure, it needs a miracle. magic_quotes is effective at stopping unescaped entries, not a magical corrector. Anyway, your example isn't checking if the user can access the data you're giving him, so whether he uses 1 OR 1=1 or creates a script to request from 1 to 1000, he would get the same output.
If you match it against the user_id, he can perform the query, inject it, and it would still be safe code. Isn't that amazing? Coding is like playing chess... you have many ways to get the same outcome and can apply different strategies.
<?php
while ($r = mysql_fetch_array($q, MYSQL_ASSOC)) {
    if ($r['id'] == $_SESSION['uid'])
        echo "Hello ".$r['user'].", your password is ".$r['pass']."<br />";
}
?>
Exposing the entire web to danger out of some elitism is probably the most obnoxious move I've ever seen done in ANY programming language!
It's more like having soft rubber bumpers down along every street and then complaining about a car crash because one street doesn't have them instead of learning how to drive correctly in the first place.
I found this other analogy to be more valid on the subject: You have a Yale lock (those normal flat ones you see everywhere) on your front door. Someone notices that the Yale isn't safe and advises you to change to a dimple lock, so this person takes your Yale away but doesn't input the dimple lock himself, leaving your front door open.
With MySQL, addslashes (which is what magic_quotes_gpc is indeed) is enough to save you from injections.
Then why are you undoing the magic_quotes_gpc "protection" and relying on mysql_real_escape_string() instead?
function makeSQLSafe($str) {
    if (get_magic_quotes_gpc()) $str = stripslashes($str);
    return mysql_real_escape_string($str);
}
That code block is taken from your project.
It isn't because I see no harm in magic_quotes_gpc that I'll use it. And that code actually shows you how "hazardous" magic_quotes_gpc can be when on: nothing. It takes just one line of code to undo them: if(get_magic_quotes_gpc()) $str = stripslashes($str);
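Added example, not code from any post in the thread: it shows why the "1 OR 1=1" value mentioned above passes through addslashes() untouched when the id is placed in the query without quotes, next to an integer-validated bound parameter. It assumes the disputed sample interpolated the id unquoted; the `users` table, its rows and the function names `findEscaped` and `findBound` are constructed for illustration, and in-memory SQLite stands in for MySQL.

```php
<?php
// Constructed demo data in an in-memory SQLite database (assumption: the
// thread used MySQL; unquoted numeric interpolation behaves the same there).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)');
$db->exec("INSERT INTO users (user, pass) VALUES ('alice', 'pw-a'), ('bob', 'pw-b')");

// Escaped, then interpolated without quotes. addslashes() (the transformation
// magic_quotes_gpc applied) only touches quotes, backslashes and NUL bytes,
// so a value containing none of them reaches the SQL text unchanged.
function findEscaped(PDO $db, string $id): array
{
    $sql = 'SELECT user FROM users WHERE id = ' . addslashes($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Validated as an integer, then bound: the value is data, never SQL text.
function findBound(PDO $db, string $id): array
{
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        return [];   // reject anything that is not a plain integer
    }
    $stmt = $db->prepare('SELECT user FROM users WHERE id = ?');
    $stmt->bindValue(1, $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The second input is the value quoted in the thread.
foreach (['1', '1 OR 1=1'] as $input) {
    printf("%-10s escaped: %-12s bound: %s\n", $input,
        implode(',', findEscaped($db, $input)),
        implode(',', findBound($db, $input)));
}
```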