Re: [PHP] Double checking - I should turn off "magic quotes"



On Mon, June 4, 2007 9:02 am, Dave M G wrote:
I've read in the manual that it's "preferred to code with magic quotes
off and to instead escape the data at runtime, as needed":

Recently, while configuring my PHP so as to install the GD libraries,
I noticed that the default option was to have magic quotes turned on.

What version of PHP did you install?...

I'm pretty sure they turned MQ off by default in PHP5...

I just want to double check here what to do. Should I disable magic
quotes on my server?

YES!

Turn the dang thing off!

Also, I'm developing code that I hope others can use. For the purposes
of portability, is it safe to assume that most environments will have
magic quotes off, and build for that?

Nope.

Use something not unlike:
function strip_deep($v) {
    // stripslashes() only takes a string, so recurse into nested fields
    return is_array($v) ? array_map('strip_deep', $v) : stripslashes($v);
}
if (ini_get('magic_quotes_gpc')) {
    // array_map() returns a copy; assign it back or nothing changes
    $_GET     = array_map('strip_deep', $_GET);
    $_POST    = array_map('strip_deep', $_POST);
    $_COOKIE  = array_map('strip_deep', $_COOKIE);
    $_REQUEST = array_map('strip_deep', $_REQUEST);
}

So I should disable magic quotes on my testing environment and do my
own escaping?

Yes.

The issue is that you want to FILTER and VALIDATE before you ESCAPE,
and you only want to ESCAPE the data actually going into the DB, and
use the correct escape function for that DB.

While I'm asking about escaping, is converting characters like
apostrophes and ampersands to hex characters before storing them in a
MySQL database a safe way to go?

Don't try to roll your own. Use mysql_real_escape_string().

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
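The pipeline Lynch describes above, written out as an added example (not code from the thread or from PHP's own documentation): undo magic quotes recursively, validate the fields the handler expects, and escape exactly once at the database boundary with the connection's own quoting function. To run stand-alone it uses an in-memory SQLite database through PDO, so PDO::quote() stands in for the mysql_real_escape_string() named in the post; the function names, the comments table and the posted values are all mine. It assumes PHP 7 or later with pdo_sqlite.

```php
<?php
// Added example, not code from the original thread. Order of operations
// as the reply recommends: undo magic_quotes_gpc, FILTER/VALIDATE, then
// ESCAPE once, at the database boundary, with the driver's own escaper.
// Assumption: PHP 7+ with pdo_sqlite; on MySQL the escape step would be
// $mysqli->real_escape_string(), the successor of mysql_real_escape_string().

// Undo magic quotes recursively so nested fields such as comment[author]
// are covered too. A bare array_map('stripslashes', $_POST) skips nested
// arrays and throws its result away instead of updating $_POST.
function strip_magic_quotes($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes', $value)
        : stripslashes($value);
}

// Validate against what this handler actually expects; reject, do not "clean".
function validate_comment(array $in): array
{
    $name = $in['name'] ?? null;
    if (!is_string($name) || !preg_match("/^[\\p{L} .'-]{1,60}$/u", $name)) {
        throw new InvalidArgumentException("name: not a plausible name");
    }
    $body = $in['body'] ?? null;
    if (!is_string($body) || $body === '' || strlen($body) > 500
        || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $body)) {
        throw new InvalidArgumentException("body: empty, too long or has control chars");
    }
    return ['name' => $name, 'body' => $body];
}

// Escape at the boundary only, with the connection's quoting rules.
// PDO::quote() knows the driver's syntax (for SQLite it doubles the apostrophe).
function build_insert(PDO $db, array $c): string
{
    return sprintf(
        "INSERT INTO comments (name, body) VALUES (%s, %s)",
        $db->quote($c['name']),
        $db->quote($c['body'])
    );
}

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, name TEXT, body TEXT)');
    return $db;
}

$db = open_db();

// Constructed input: what $_POST holds on a magic_quotes_gpc=On server after
// the user typed  O'Brien  and  it's "fine"  (the backslashes were added by PHP).
$posted = ['name' => "O\\'Brien", 'body' => "it\\'s \\\"fine\\\""];

$cases = ['stripped' => strip_magic_quotes($posted), 'as posted' => $posted];
foreach ($cases as $label => $input) {
    try {
        $sql = build_insert($db, validate_comment($input));
        $db->exec($sql);
        printf("%-10s %s\n", $label, $sql);
    } catch (InvalidArgumentException $e) {
        printf("%-10s rejected: %s\n", $label, $e->getMessage());
    }
}
```

Run it with php on the command line. The stripped copy of the input goes in with the apostrophes doubled by the driver; the copy left as magic quotes delivered it is rejected by validate_comment(), because the backslash PHP added is not a legal name character. For a free-text field with only a length check that backslash would simply be stored, which is the usual "why are there backslashes in my database" symptom of magic quotes combined with manual escaping. Magic quotes were removed in PHP 5.4, so on current PHP the strip step is a no-op for real requests; on PHP 5 gate it on get_magic_quotes_gpc(). With PDO or mysqli, a prepared statement with bound parameters avoids assembling SQL text at all and is the cleaner option where it is available.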