Re: MySQL and PHP escaping, stripping and inserting
- From: "Álvaro G. Vicario" <alvaro.NOSPAMTHANX@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 12 Nov 2009 11:55:50 +0100
The87Boy wrote:
> I read something about magic_quotes_gpc
> Where I read they used both mysql_real_escape_string and addslashes
> To read the data they then used stripslashes
magic_quotes_gpc is a "feature" where PHP would blindly modify all your input data hoping that you'll eventually use it all to compose strings using the MySQL syntax and omitting the escaping functions. When you happen to need something else with your data (e.g., print it on screen or insert it in Oracle) you're in trouble. It's dangerous, stupid and will be happily gone in PHP 6:
http://es.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc
The best you can do is to disable it in your PHP setup. You can also add a previous check in your script and refuse to start if it's set:
http://es.php.net/manual/en/function.get-magic-quotes-gpc.php
--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- My site about web programming: http://borrame.com
-- My satin-finish humor website: http://www.demogracia.com
--
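An added example, not part of the original post: a startup guard of the kind described above, followed by a small demonstration of how pre-escaped input goes wrong once it is printed or escaped a second time. The function names `magic_quotes_active` and `simulate_magic_quotes` are hypothetical, and `addslashes()` / `stripslashes()` stand in for the database driver's escaping and the SQL parser's unescaping so that no MySQL connection is needed.

```php
<?php
// Added illustration; written to run on PHP 5 as well as current versions.

// True when PHP is rewriting request data. get_magic_quotes_gpc() was
// removed in PHP 8, so test for it before calling.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Startup guard: stop before any request data is read.
if (magic_quotes_active()) {
    header('HTTP/1.1 500 Internal Server Error');
    exit("magic_quotes_gpc is enabled; disable it in php.ini and retry.\n");
}

// Stand-in for what magic_quotes_gpc did to every GET/POST/cookie value:
// the same transformation as addslashes().
function simulate_magic_quotes($value)
{
    return addslashes($value);
}

$typed    = "O'Reilly";                     // constructed sample input
$received = simulate_magic_quotes($typed);  // a backslash now precedes the quote

// 1. Non-SQL use: the stray backslash is shown to the user.
echo "HTML output : ", htmlspecialchars($received, ENT_QUOTES), "\n";

// 2. SQL use with a second escape on top of the automatic one
//    (addslashes() stands in for the driver's escaping function).
$in_query = addslashes($received);
// The SQL parser removes one level of escaping; stripslashes() models that.
$stored   = stripslashes($in_query);
echo "Stored value: ", $stored, "\n";
echo "Same as typed? ", var_export($stored === $typed, true), "\n";

// 3. The workaround from the question: stripslashes() on every read,
//    which only hides the fact that the stored data is wrong.
echo "After strip : ", stripslashes($stored), "\n";
```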