Jeff McKeon wrote:
> Does having magic-quotes=on prevent an attacker from using a urlized sql
> inject query?

Not likely.

Magic Quotes is a convenience feature, not a security feature.

Magic Quotes is oft-understood, even by journeymen PHP programmers.

Magic Quotes takes all incoming POST/GET data and calls http://php.net/addslashes on it before you see it.

The assumption is that MOST of the POST/GET data you are getting, you want to put into your database.

The downside is that if you are doing something with that data other than putting it in a database (EG: re-displaying it to the user, or logging it in a file, or...) you'll need to call http://php.net/stripslashes on it, to undo the Magic Quotes.

If *MOST* of your incoming POST/GET data isn't actually going into a database, turn Magic Quotes off.

If you want portable code, write a function to check Magic Quotes on/off, and call addslashes only if it's off.

The thing that always kills me is when programmers call stripslashes on data that comes *OUT* of MySQL.

No, no, no, no.

Whatever it is you did, or think you are doing, or think you are fixing, that's WRONG.

Maybe you called addslashes twice, once with Magic Quotes, and once "by hand" and that's how the data in the database got screwed up.

Or maybe you just don't understand WHY addslashes does what it does.

But calling stripslashes on data coming OUT of MySQL is WRONG.

MySQL "eats" the 'extra' apostrophes when the data comes 'in' through your SQL statement.

There are no apostrophes to strip after the data has been sucked into MySQL.

If there *are* apostrophes you don't want in that data, you screwed up already getting the data in there.

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
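An added example, not code from the original post, of the "escape once" helper the reply describes and of why stripslashes on data coming out of MySQL hides one bug while creating another. It assumes PHP older than 7.4 (where get_magic_quotes_gpc() still exists; on PHP 5.4 and later it always returns false), and the mysql_stores() function is a constructed stand-in for how MySQL consumes backslash escapes in a quoted literal, not a real database call.

```php
<?php
// Added example, not from the original post. Assumes PHP < 7.4 (where
// get_magic_quotes_gpc() still exists); on PHP >= 5.4 it always returns false.

// Portable escaping, as the post suggests: add slashes only when Magic
// Quotes has not already done it, so the data is never escaped twice.
function escape_once(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return $value;            // PHP already ran addslashes() on GPC data
    }
    return addslashes($value);    // nobody else has escaped it, so we do
}

// Constructed stand-in for MySQL parsing a quoted literal in an INSERT: the
// backslash escapes are consumed and only the bare characters are stored.
// (Simplified: real MySQL also interprets \n, \0 and similar sequences.)
function mysql_stores(string $escaped_literal): string {
    return stripslashes($escaped_literal);
}

function demo(): array {
    $input = "O'Reilly's C:\\temp";     // constructed user input: apostrophes plus a real backslash

    $once  = escape_once($input);       // escaped exactly once
    $twice = addslashes($once);         // Magic Quotes on AND addslashes() "by hand"

    $stored_ok  = mysql_stores($once);  // identical to $input: nothing left to strip
    $stored_bad = mysql_stores($twice); // still carries one layer of backslashes

    return [
        'round_trip_ok'     => $stored_ok === $input,
        'double_escaped'    => $stored_bad !== $input,
        // stripslashes() on output appears to "fix" the broken row...
        'strip_hides_bug'   => stripslashes($stored_bad) === $input,
        // ...but silently corrupts a correct row that contains a real backslash.
        'strip_breaks_good' => stripslashes($stored_ok) !== $input,
    ];
}

foreach (demo() as $check => $result) {
    printf("%-18s %s\n", $check, $result ? 'true' : 'false');
}
```

The only fix that leaves every row intact is the one the reply gives: escape exactly once on the way in, and strip nothing on the way out.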