Hello,
I am working on a ticket tracking system and using htmlentities and htmlspecialchars on text that gets inserted into the database.
Code I have:
--snip--
if ((isset($_POST['tentry_body'])) AND strlen($_POST['tentry_body']) > 5) {
    $query .= " tentry_body = '" . htmlentities(htmlspecialchars($_POST['tentry_body'])) . "'";
} else {
    $status="<li class=error>ERROR with entry -- appears to be empty !!!!!</li>\n";
    $check=1;
}
--snip--
In the archives people suggest that mysql_escape_string should be used; I then found that you could globally enable magic_quotes_gpc.
What is the best method? Does magic_quotes have a large performance issue?
Would it not just be safer to turn it on?
Thanks.
Michael.
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
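
As an added example (not part of the original post or of any reply), the PHP below runs the post's double-encoding approach against a ticket body containing an apostrophe, then stores the same text through a bound parameter and encodes it only on output. It assumes PDO with the SQLite driver so it runs without a server; the `tentry` table and the sample text are constructed.

```php
<?php
// Added example, not from the original post. Assumes PDO with the SQLite
// driver so it runs offline; the same prepare/execute calls work with a
// MySQL DSN. Table name and sample text are constructed.
$body = "Printer won't print <b>at all</b>";   // constructed ticket text

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tentry (id INTEGER PRIMARY KEY, tentry_body TEXT)');

// 1) The post's approach. ENT_COMPAT was the default flag before PHP 8.1 and
//    is passed explicitly so the result is the same on every version.
$encoded = htmlentities(htmlspecialchars($body, ENT_COMPAT), ENT_COMPAT);
echo "encoded: $encoded\n";
// The apostrophe is untouched and the markup is encoded twice (&amp;lt;),
// so the concatenated statement below is not even valid SQL.
try {
    $db->exec("INSERT INTO tentry (tentry_body) VALUES ('" . $encoded . "')");
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

// 2) Bound parameter: the value never becomes part of the SQL text, so no
//    escaping function or magic_quotes_gpc setting is involved.
$stmt = $db->prepare('INSERT INTO tentry (tentry_body) VALUES (:body)');
$stmt->execute([':body' => $body]);

// 3) Store the raw text; encode once, for HTML, when it is displayed.
$stored = $db->query('SELECT tentry_body FROM tentry')->fetchColumn();
echo "stored:   $stored\n";
echo "for HTML: ", htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

HTML encoding and SQL quoting protect different contexts: the first belongs at the point where text is written into a page, the second is replaced entirely by the bound parameter.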