
Re: SQL injection

Curiously none are security reasons, they are more portability reasons
(and pretty thin ones at that)... but then this is PHP we are talking
about - let me just say register_globals and end it there.

I would have to say that for security purposes - I would want magic
quotes _on_ rather than off for the whole reason of SQL Injection
that we already talked about.  Generally most scripts I write spend
more time sending data to the DB than re-reading straight from the DB
rather than re-using data pushed through POST/GET, and the functions
that are exceptions auto unescape the data again for me...

Alex

On 11/2/05, Matthew Terenzio <matt@xxxxxxxxxxxxx> wrote:
>
> On Nov 2, 2005, at 6:08 PM, Michael Glaesemann wrote:
>
> > As an aside, it's interesting to see that the PHP documentation states:
> > ---
> > Magic Quotes is a process that automagically escapes incoming data to
> > the PHP script. It's preferred to code with magic quotes off and to
> > instead escape the data at runtime, as needed.
> Haven't been totally immersed in this thread but here are reasons given
> for not using Magic Quotes:
>
> http://us2.php.net/manual/en/security.magicquotes.whynot.php
>
> And here is pg_escape_string() :
>
> http://us3.php.net/manual/en/function.pg-escape-string.php
>
>
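The two approaches the thread compares, as an added illustration that is not code from this post: the input is escaped exactly once (undoing magic quotes if the interpreter applied them, then pg_escape_string), next to the parameterized form where the value never touches the SQL text. The table `users` and the hostile sample value are constructed for the example.

```php
<?php
// Added example, not from the thread. Escape-at-runtime versus parameters
// for PostgreSQL, with magic_quotes_gpc taken into account.

// If magic_quotes_gpc already added backslashes, strip them so the value is
// escaped only once below. get_magic_quotes_gpc() exists in PHP 5.x and 7.x
// (removed in PHP 8); the @ silences its deprecation notice on 7.4.
function raw_input($value)
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Runtime escaping, the style the thread links to: pg_escape_string doubles
// single quotes so the value cannot close the literal it is placed in.
function name_query_escaped($name)
{
    $safe = pg_escape_string(raw_input($name));
    return "SELECT id FROM users WHERE name = '$safe'";
}

// Preferred form: the value is sent as a parameter, separately from the SQL
// text, so no escaping of the SQL string is involved at all.
function name_query_params($conn, $name)
{
    return pg_query_params(
        $conn,
        'SELECT id FROM users WHERE name = $1',
        array(raw_input($name))
    );
}

// Constructed hostile input: tries to terminate the literal and append a
// condition. Print the escaped statement to see the quote doubled.
$hostile = "x' OR '1'='1";
echo name_query_escaped($hostile), "\n";
```

With a live connection from pg_connect(), name_query_params($conn, $hostile) runs the same lookup without building SQL from the input.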
