ljb wrote:
tgl@xxxxxxxxxxxxx wrote:
ljb <ljb220@xxxxxxxxxxxxxx> writes:
| addslashes() or magic_quotes. We note that these tools have been deprecated
| by the PHP group since version 4.0.
Can anyone provide a source for the statement?
I'm not going to put words in Josh's mouth about where he got that from,
but anyone who reads all of the comments at
http://us3.php.net/manual/en/function.addslashes.php
ought to come away suitably unimpressed with the security of that
function.
Yes, sorry, I did see those comments, although I don't think they are from
the PHP group themselves. But I missed the statement on the pg_escape_string
manual page saying "use of this function is recommended instead of
addslashes()". I still think "since version 4.0" is wrong.
Better yet, use PEAR::DB or some other db abstraction package that will
handle all of this for you.
