Michael Gale wrote:
> I am working on a ticket tracking system and using htmlentities and
> htmlspecialchars on text that gets inserted into the database.
>
> Code I have:
>
> --snip--
> if ((isset($_POST['tentry_body'])) AND strlen($_POST['tentry_body']) > 5)
> {
> $query .= " tentry_body = '" .
> htmlentities(htmlspecialchars($_POST['tentry_body'])) . "'";

You've already been told all about this one :-)

> } else {
> $status="<li class=error>ERROR with entry -- appears to be empty
> !!!!!</li>\n";
> $check=1;
> }
> --snip--
>
> In the archives people suggest that using mysql_escape_string should be
> used; I then found that you could globally enable magic_quotes_gpc.
>
> What is the best method? Does magic_quotes have a large performance
> issue?
>
> Would it not just be safer to turn it on?

Safer as in "more secure from hackers"?

No.

It's not safer either way, really, imho.

The security doesn't come from adding slashes -- it comes from knowing what
the data *should* look like, and validating that it *does* look like that, as
strictly as possible.

Safer as in "less likely I'll screw up"?

This could go either way.

If you understand what MagicQuotes does, how it works, and when it's
appropriate to rely on it (or not), it's a convenient feature.

If you don't understand how Magic Quotes works, then it's not a good thing to
use. :-)

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
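A worked version of the validate-then-store-then-encode approach the reply argues for, as an added example that is not code from either poster. It assumes an open mysqli connection `$db`, a table `tentry` with a `ticket_id` column, and a 4000-character limit; the column name `tentry_body` and the `> 5` length check come from the original post.

```php
<?php
// Added example, not code from the thread. Column `tentry_body` and the
// `> 5` length check come from the original post; table `tentry`, column
// `ticket_id`, the 4000-char limit and the mysqli connection are assumptions.

// Step 1: validate. Decide what a ticket body SHOULD look like and reject
// anything else; this is where the security comes from, not from slashes.
function validateEntryBody(array $post): ?string
{
    if (!isset($post['tentry_body']) || !is_string($post['tentry_body'])) {
        return null;
    }
    $body = $post['tentry_body'];
    // Undo magic_quotes_gpc on old PHP so backslashes are not stored as data.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $body = stripslashes($body);
    }
    // Must be valid UTF-8 with no control characters except tab/CR/LF.
    // preg_match() returns false on invalid UTF-8, which also rejects here.
    if (preg_match('/[^\P{C}\t\r\n]/u', $body) !== 0) {
        return null;
    }
    $len = strlen($body);
    if ($len <= 5 || $len > 4000) {
        return null;
    }
    return $body;
}

// Step 2: store the raw text. A prepared statement keeps data out of the SQL
// grammar, so neither mysql_escape_string() nor addslashes() is needed, and
// nothing is HTML-encoded here (encoding belongs to output; storing
// htmlentities(htmlspecialchars()) output would double-encode '&').
function storeEntryBody(mysqli $db, int $ticketId, string $body): bool
{
    $stmt = $db->prepare('INSERT INTO tentry (ticket_id, tentry_body) VALUES (?, ?)');
    $stmt->bind_param('is', $ticketId, $body);
    return $stmt->execute();
}

// Step 3: encode for the context where the text is used, once, at output time.
function renderEntryBody(string $body): string
{
    return nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Usage, the way the handler in the post would call it ($db is assumed open):
$body = validateEntryBody($_POST);
if ($body === null) {
    $status = "<li class=\"error\">ERROR with entry -- appears to be empty or invalid</li>\n";
} else {
    storeEntryBody($db, 42, $body);
    echo '<div class="entry">' . renderEntryBody($body) . '</div>';
}
```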