Re: MySQL and PHP escaping, stripping and inserting



The87Boy wrote:
I read something about magic_quotes_gpc
Where I read they used both mysql_real_escape_string and addslashes

To read the data they then used stripslashes

magic_quotes_gpc is a "feature" where PHP would blindly modify all your input data, hoping that you'll eventually use it all to compose strings using the MySQL syntax while omitting the escaping functions. When you happen to need something else with your data (e.g., print it on screen or insert it in Oracle) you're in trouble. It's dangerous, stupid and will be happily gone in PHP 6:

http://es.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc

The best you can do is to disable it in your PHP setup. You can also add a prior check in your script and refuse to start if it's set:

http://es.php.net/manual/en/function.get-magic-quotes-gpc.php


--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- My site about web programming: http://borrame.com
-- My satin humor website: http://www.demogracia.com
--
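
The start-up check suggested in the reply above, together with the double-escaping effect the quoted question describes, as an added example that is not part of the original post. The function names and the sample value are hypothetical, and `addslashes()` stands in both for what the feature did to input and for the second escaping step before the query.

```php
<?php
// Added example, not code from the thread. Avoids PHP 7+ syntax so it also
// runs on the old PHP versions where magic_quotes_gpc could still be On.

// True only when PHP is applying addslashes() to GET/POST/COOKIE data.
// get_magic_quotes_gpc() was removed in PHP 8; if it is missing, the
// feature cannot be active. '@' silences the PHP 7.4 deprecation notice.
function magic_quotes_enabled()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Call this first in the entry script, before any request data is read.
// The setting cannot be changed with ini_set(), so the only safe runtime
// reaction is to stop and ask for "magic_quotes_gpc = Off" in php.ini.
function refuse_if_magic_quotes()
{
    if (magic_quotes_enabled()) {
        header('HTTP/1.1 500 Internal Server Error');
        error_log('magic_quotes_gpc is On; set magic_quotes_gpc = Off');
        exit('Server misconfiguration.');
    }
}

// Hypothetical helper: reproduces what the feature did to one input value.
function simulate_magic_quotes($raw)
{
    return addslashes($raw);
}

refuse_if_magic_quotes();

$raw     = "O'Reilly";                  // constructed sample input
$mangled = simulate_magic_quotes($raw); // what the script would receive:
                                        // a backslash now precedes the quote
$twice   = addslashes($mangled);        // escaped again for the query, as in
                                        // the code the question describes

// The SQL parser removes one escaping level from $twice, so the row keeps
// the backslash from $mangled. That is why such code had to call
// stripslashes() on every read.
echo "received: ", $mangled, "\n";
echo "in query: ", $twice, "\n";
echo "on screen: ", htmlspecialchars($mangled), "\n"; // backslash is shown
var_dump(stripslashes($mangled) === $raw);            // recovers the input
```
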