Jochem Maas wrote:
Ben Edwards (lists) wrote:
Am I correct in thinking Magic Quotes automatically adds quotes to all
posted variables, therefore if you are displaying post variables on a
form you have to remove the quotes? They are only needed if you are
actually inserting/updating into the database. Whether magic quotes
are on or not you do not actually have to do anything to data fetched
from the database. If magic quotes are not on you have to add slashes
before you add to the database.
you get the gist of it.... bear in mind _many_ people including actual php
developers avoid magic_quotes like the plague because it's a PITA.
basically your input to the DB should be properly escaped (there are special
functions for this also, depending on your DB, I use a lot of firebird and it's capable
of parameterized queries - making it impossible to do SQL injection if you use
the parameterized markup).
AND anything you output to the browser should be sanitized properly as well...
go to phpsc.net and read everything there - it's a good/solid introduction to
writing secure php code (e.g. how to combat XSS etc). phpsc.net is headed by Chris
Shiflett - a veritable goldmine of php related knowledge.... do yourself a favor...
read his stuff :-) any questions that arise from reading that are welcome here :-)
There is also another function you need to pass stuff through if you are
going to use it in an <input type=text or <textarea>, what is that
function?
htmlentities()
Ben
http://phpsec.org/ it should be ;-)
cheers,
Jeffery
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
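The three steps the thread describes (undo magic_quotes on input, parameterize the database write, encode on output) shown together, as an added example that is not code from anyone in the thread. It assumes PDO with the MySQL driver and a `comments(author, body)` table instead of Jochem's Firebird setup; the table, the DSN and the credentials are placeholders. It uses htmlspecialchars() rather than htmlentities(); for the characters that matter in an attribute or textarea (`<`, `>`, `&`, `"`, `'`) the two behave the same.

```php
<?php
// Added example, not from the thread. Assumes PDO/MySQL and a table
// comments(author, body); DSN and credentials below are placeholders.

// 1. Undo magic_quotes_gpc if it is on, so $_POST holds the raw input
//    (one layer of backslashes removed). get_magic_quotes_gpc() always
//    returns false from PHP 5.4 on and is gone in PHP 8, hence the guard.
function rawInput(array $source): array
{
    if (!function_exists('get_magic_quotes_gpc') || !@get_magic_quotes_gpc()) {
        return $source;
    }
    $clean = [];
    foreach ($source as $k => $v) {
        $clean[$k] = is_array($v) ? rawInput($v) : stripslashes($v);
    }
    return $clean;
}

// 2. Write with a parameterized query: the values are sent separately
//    from the SQL text, so quotes in the input cannot change the statement.
//    No addslashes() or manual escaping is needed (or wanted) here.
function saveComment(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare(
        'INSERT INTO comments (author, body) VALUES (:author, :body)'
    );
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// 3. Encode for the HTML context on output. ENT_QUOTES covers both quote
//    styles so the value is safe inside value="..." as well as in a textarea.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$post   = rawInput($_POST);
$author = $post['author'] ?? '';
$body   = $post['body'] ?? '';

$db = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4', // placeholder DSN
    'user', 'pass',                                    // placeholder creds
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    saveComment($db, $author, $body);
}
?>
<form method="post">
  <input type="text" name="author" value="<?= h($author) ?>">
  <textarea name="body"><?= h($body) ?></textarea>
  <button type="submit">Post</button>
</form>
```

Note that data read back from the database is handled exactly like the submitted values: nothing is stripped or escaped on the way out of the database, and h() is applied at the point where it is written into HTML, which is the behaviour Ben describes in his first message.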