SQL Injection & PHP

M2ESoftworks
09-07-2005, 12:46 PM
Is PHP's magic_quotes_gpc enough to thwart SQL injection?
sea otter
09-07-2005, 01:35 PM
It's one way (there are lots of great user contributions on the php site about how to make it work: http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc), but you could also use mysql_real_escape_string (http://www.php.net/manual/en/function.mysql-real-escape-string.php), which is oftentimes simpler.

Burhan
09-08-2005, 02:08 AM
Is PHP's magic_quotes_gpc enough to thwart SQL injection?
No.

hiryuu
09-08-2005, 05:05 AM
Magic Quotes needs to die. Even if it stopped SQL injection (which it doesn't), it encourages lazy and lax input checking in general. You should never use the $_GET/POST[name] variables directly in SQL or any other storage -- just forcing yourself to move the data to a new variable will get you thinking about what bad (or at least invalid) things may lurk inside.

M2ESoftworks
09-08-2005, 12:07 PM
What is an example of an attack that would not be stopped by magic_quotes/addslashes, that only mysql_real_escape_string would catch?

hiryuu
09-08-2005, 04:04 PM
I haven't seen it on _gpc, but _runtime (has?) had a bug for a LONG time where PHP would occasionally flip the on/off bit, so protection would come and go.

xelav
09-08-2005, 06:03 PM
Use an additional filter to check all input information.

gogocode
09-09-2005, 06:41 AM
Magic quotes IS going to die; at least it seems very likely it will be removed for PHP6. And it's about time too. To protect against SQL injection you simply need to pay attention to what you are putting in your queries. Make it a habit, at the location the SQL is written, to verify the data is of the correct type and escape appropriately. Even if you're certain it can't be anything other than the correct stuff, check it; a simple $foo = (int) $foo could save your database from a horrible death one day.
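The posts above turn on two things: what magic_quotes_gpc actually does to request data (it applies addslashes(), which escapes single quote, double quote, backslash and NUL) and what mysql_real_escape_string() does differently (it escapes NUL, \n, \r, backslash, both quote characters and Control-Z, and it honours the connection's character set). The script below is an added example, not code from this thread; it prints both treatments side by side on constructed input and shows the (int) cast gogocode recommends. mysql_real_escape_string() needs a live connection (and was removed in PHP 7 in favour of mysqli_real_escape_string()), so escape_like_mysql() is an assumed stand-in that reproduces only the documented escape set, not the charset handling. Assumes PHP 7.4 or later.

```php
<?php
// Added example (not from the thread): addslashes(), which magic_quotes_gpc
// applies to request data, versus the escape set of mysql_real_escape_string(),
// plus the integer cast check recommended in the thread.

// Assumption: this helper mirrors the documented escape set of
// mysql_real_escape_string(). It is NOT the library function and it does
// not know the connection charset, which the real function does.
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Constructed inputs: a benign value with a quote, and a value carrying the
// control bytes the thread asks about (\n, \r, \x1a, \x00).
$inputs = [
    'plain'    => "O'Reilly",
    'controls' => "abc\n\r\x1a\x00",
];

foreach ($inputs as $label => $raw) {
    printf("%-9s addslashes: %s\n", $label, json_encode(addslashes($raw)));
    printf("%-9s mysql-like: %s\n", $label, json_encode(escape_like_mysql($raw)));
}

// The (int) cast from the thread: a non-numeric string becomes 0 and a
// string with leading digits keeps only those digits, so the value that
// reaches the query can never carry quotes, spaces or operators.
// A range check on top of the cast catches values that are integers but
// still nonsense for the query (0, negatives, huge page numbers).
function page_number($raw, int $max = 10000): int
{
    $n = (int) $raw;
    if ($n < 1 || $n > $max) {
        return 1;
    }
    return $n;
}

foreach (['7', '7 extra', 'abc', '-3', '999999'] as $raw) {
    printf("page_number(%s) = %d\n", json_encode($raw), page_number($raw));
}
```

The "controls" line makes the difference visible: addslashes() leaves \n, \r and \x1a untouched, while the mysql-style escaping rewrites each of them. Whichever escaping is used, it belongs at the point where the SQL string is built, after the value has been checked for the type the query expects.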
innova
09-09-2005, 12:57 PM
I recommend using a 'sanitizer' class to clean user input. This way, your user data is always consistently cleaned and you don't have to lie awake at night wondering if you remembered to escape something properly ;) Being a smarty template aficionado, I am using SafeSQL (by one of the smarty authors) which does a really nice job of preparing user data for you. There are plenty of other alternatives as well.

M2ESoftworks
09-09-2005, 03:30 PM
Originally posted by gogocode:
check it, a simple $foo = (int) $foo could save your database from a horrible death one day.

Yep, I check all my numbers in a similar way. Nothing goes into a query directly from $_GET or $_POST. It looks like the only difference between magic_quotes and mysql_real_escape_string is the treatment of \x00, \n, \r, and \x1a. I was wondering what an injection attack using one of those might look like.

Originally posted by innova:
Being a smarty template aficionado, I am using SafeSQL (by one of the smarty authors) which does a really nice job of preparing user data for you. There are plenty of other alternatives as well.

Thanks for the tip. I use Smarty as well. I'll check it out.
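innova's suggestion of a sanitizer class and hiryuu's rule that nothing from $_GET or $_POST reaches a query directly can be combined into one small component. The class below is an added example written for this page; it is not SafeSQL and not code from anyone in the thread. Every value leaves it with a known type and bounds: integers are validated and range-checked, column names must come from a fixed allow-list, and free text has control bytes (including the \x00, \n, \r and \x1a discussed above) removed and its length capped. The class, method and column names are invented for the example, and the request array is constructed, not real traffic. Assumes PHP 7.4 or later with the mbstring extension.

```php
<?php
// Added example (not SafeSQL, not from the thread): a request sanitizer so
// that query-building code never reads $_GET/$_POST directly.

final class RequestSanitizer
{
    private array $src;

    // $source is normally $_GET or $_POST; a plain array is used here.
    public function __construct(array $source)
    {
        $this->src = $source;
    }

    // Integer within [$min, $max]; null when absent, malformed or out of range.
    public function int(string $key, int $min = PHP_INT_MIN, int $max = PHP_INT_MAX): ?int
    {
        if (!isset($this->src[$key]) || !is_string($this->src[$key])) {
            return null;
        }
        $v = filter_var($this->src[$key], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]);
        return $v === false ? null : $v;
    }

    // Identifier-like values (sort column, direction) must match an allow-list
    // exactly; escaping cannot protect a column name, only a whitelist can.
    public function oneOf(string $key, array $allowed, string $default): string
    {
        $v = $this->src[$key] ?? null;
        return (is_string($v) && in_array($v, $allowed, true)) ? $v : $default;
    }

    // Bounded text with ASCII control bytes removed. The result is still
    // data, not SQL: bind it as a parameter or escape it where the query
    // string is assembled.
    public function text(string $key, int $maxLen): ?string
    {
        $v = $this->src[$key] ?? null;
        if (!is_string($v)) {
            return null;
        }
        $v = preg_replace('/[\x00-\x1f\x7f]/', '', $v);
        return mb_substr($v, 0, $maxLen);
    }
}

// Constructed request values (not real traffic): one good integer, a sort
// field that is not on the allow-list, and text carrying NUL, CR and LF.
$req = new RequestSanitizer([
    'page' => '3',
    'sort' => 'name; something',
    'q'    => "O'Reilly\x00\r\n",
]);

$page = $req->int('page', 1, 1000) ?? 1;            // 3
$sort = $req->oneOf('sort', ['name', 'date'], 'date'); // falls back to 'date'
$q    = $req->text('q', 64);                          // control bytes stripped

// Only sanitized values are interpolated, and only where they are safe to
// interpolate (a whitelisted identifier and an integer). The text value is
// left as a bound parameter for a prepared statement.
$sql = sprintf(
    'SELECT id FROM items WHERE name LIKE ? ORDER BY %s LIMIT %d, 20',
    $sort,
    ($page - 1) * 20
);

var_dump($page, $sort, $q, $sql);
```

One caveat for code of this era: when magic_quotes_gpc is on, the values in $_GET and $_POST already carry the backslashes addslashes() added, so a sanitizer like this should run stripslashes() on them first (conditionally, when get_magic_quotes_gpc() reports the setting on) or the query will end up double-escaped. Keeping that check inside the class is exactly what makes the cleaning consistent, as innova describes.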