tgl@xxxxxxxxxxxxx wrote: > ljb <ljb220@xxxxxxxxxxxxxx> writes: >> | addslashes() or magic_quotes. We note that these tools have been deprecated >> | by the PHP group since version 4.0. > >> Can anyone provide a source for the statement? > > I'm not going to put words in Josh's mouth about where he got that from, > but anyone who reads all of the comments at > http://us3.php.net/manual/en/function.addslashes.php > ought to come away suitably unimpressed with the security of that > function. Yes, sorry, I did see those comments, although I don't think they are from the PHP group themselves. But I missed the statement on the pg_escape_string manual page saying "use of this function is recommended instead of addslashes()". I still think "since version 4.0" is wrong.
