On Sun, 2004-12-19 at 18:31, Michael Gale wrote:
> Hello,
>
> I am working on a ticket tracking system and using htmlentities and
> htmlspecialchars on text that gets inserted into the database.
>
> Code I have:
>
> --snip--
> if ((isset($_POST['tentry_body'])) AND strlen($_POST['tentry_body']) > 5) {
>     $query .= " tentry_body = '" .
>         htmlentities(htmlspecialchars($_POST['tentry_body'])) . "'";
> } else {
>     $status = "<li class=error>ERROR with entry -- appears to be empty !!!!!</li>\n";
>     $check = 1;
> }
> --snip--
>
> In the archives people suggest that mysql_escape_string should be
> used. I then found that you could globally enable magic_quotes_gpc.
>
> What is the best method? Does magic_quotes have a large performance
> issue?
>
> Would it not just be safer to turn it on?

Learn to write secure code for yourself. Magic quotes are an illusion.

Cheers,
Rob.

--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
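A worked illustration of the point in Rob's reply, added here as an example and not code from the thread or from InterJinn. It uses Python with an in-memory SQLite table instead of PHP and MySQL, so the quote-escaping helper doubles single quotes (SQLite's convention) where mysql_escape_string() and magic_quotes_gpc would backslash them; the table, rows, column names and attack strings are all constructed for the demo. It shows that escaping the quoted string does stop a quote-based payload, that the same escaping does nothing for a value dropped into the query unquoted (the integer id), and that a parameterised query closes both holes without any escaping. It also moves HTML escaping to the output boundary rather than storing encoded text, which is what the original htmlentities(htmlspecialchars()) call does.

```python
"""Added example (not from the thread): escaping input is the wrong layer;
parameterised queries are the fix. Python + sqlite3 stand in for PHP + MySQL,
and all table contents and payloads below are constructed for the demo."""
import html
import sqlite3


def make_db():
    # Constructed sample table modelled on the thread's tentry_body column.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE tickets (id INTEGER PRIMARY KEY, owner TEXT, tentry_body TEXT)"
    )
    db.executemany(
        "INSERT INTO tickets (id, owner, tentry_body) VALUES (?, ?, ?)",
        [(1, "alice", "printer on fire"), (2, "bob", "vpn down")],
    )
    db.commit()
    return db


def escape_quotes(s):
    # Quote escaping in the spirit of mysql_escape_string()/magic_quotes_gpc.
    # SQLite escapes ' by doubling it; MySQL uses a backslash. Same idea.
    return s.replace("'", "''")


def update_body_escaped(db, ticket_id, owner, body):
    # The "escape everything and concatenate" pattern from the thread.
    # The quoted strings are protected, but ticket_id goes in bare because
    # "it's a number", which is exactly the case magic quotes cannot help with.
    sql = (
        "UPDATE tickets SET tentry_body = '%s' WHERE id = %s AND owner = '%s'"
        % (escape_quotes(body), ticket_id, escape_quotes(owner))
    )
    db.execute(sql)
    db.commit()


def update_body_param(db, ticket_id, owner, body):
    # Parameterised query: data never becomes part of the SQL text, so no
    # escaping is needed, and the id has to be a real integer to get this far.
    db.execute(
        "UPDATE tickets SET tentry_body = ? WHERE id = ? AND owner = ?",
        (body, int(ticket_id), owner),
    )
    db.commit()


def bodies(db):
    return {row[0]: row[1] for row in db.execute("SELECT id, tentry_body FROM tickets")}


def render_for_html(body):
    # Escape at the output boundary, not on the way into the database.
    # Storing raw text keeps it reusable (API, e-mail, CSV) and avoids the
    # double encoding that htmlentities(htmlspecialchars()) produces.
    return html.escape(body, quote=True)


def demo():
    results = {}

    # 1. Escaping does defeat a quote-based payload inside the quoted string...
    db = make_db()
    update_body_escaped(db, "2", "bob", "x', owner='mallory")
    results["quoted_payload_stored_literally"] = bodies(db)[2] == "x', owner='mallory"

    # 2. ...but the bare integer slot is wide open: bob rewrites alice's ticket too.
    db = make_db()
    update_body_escaped(db, "2 OR 1=1 --", "bob", "pwned")
    results["bare_int_injected"] = bodies(db) == {1: "pwned", 2: "pwned"}

    # 3. Parameters close both holes: the hostile id is rejected before any SQL runs.
    db = make_db()
    try:
        update_body_param(db, "2 OR 1=1 --", "bob", "pwned")
        results["param_rejected_bad_id"] = False
    except ValueError:
        results["param_rejected_bad_id"] = bodies(db) == {
            1: "printer on fire",
            2: "vpn down",
        }
    update_body_param(db, "2", "bob", "x', owner='mallory")
    results["param_quoted_payload_literal"] = bodies(db)[2] == "x', owner='mallory"

    # 4. HTML escaping belongs at render time.
    results["rendered"] = render_for_html("<b>&</b>")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The second case is the one magic_quotes_gpc silently leaves open: it only adds backslashes before quote characters, so any value that is interpolated without surrounding quotes (ids, limits, ORDER BY columns) is untouched. Turning it on globally also mangles input that never reaches SQL, which is why the fix is to bind parameters at the query rather than to rewrite $_POST.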