On Thu, 2005-02-10 at 13:28 +0100, Jochem Maas wrote:
> Ben Edwards (lists) wrote:
> > Am I correct in thinking Magic Quotes automatically adds quotes to all
> > posted variables, therefore if you are displaying post variables on a
> > form you have to remove the quotes. They are only needed if you are
> > actually inserting/updating into the database. Whether magic quotes
> > are on or not you do not actually have to do anything to data fetched
> > from the database. If magic quotes are not on you have to add slashes
> > before you add to the database.
>
> you get the gist of it.... bear in mind _many_ people including actual php
> developers avoid magic_quotes like the plague cos it's a PITA.

Yes, it seems like they were invented by the Powers of Darkness ;). I think
I am going to put stuff in my common code that is run at the beginning of
every page to remove magic quotes from $_REQUEST, and run all data being put
into the database through addslashes first. I can see it is only any use to
trivial pages where you are taking user input and putting it straight into
the database without validation or re-displaying it. Therefore it is useless.

Regards,
Ben

> basically your input to the DB should be properly escaped (there are special
> functions for this also, depending on your DB, I use a lot of firebird and it's capable
> of parameterized queries - making it impossible to do SQL injection if you use
> the parameterized markup).
>
> AND anything you output to the browser should be sanitized properly as well...
> goto phpsc.net and read everything there - it's a good/solid introduction to
> writing secure php code (e.g. how to combat XSS etc). phpsc.net is headed by Chris
> Shiflett - a veritable goldmine of php related knowledge.... do yourself a favor...
> read his stuff :-) any questions that arise from reading that are welcome here :-)
>
> > There is also another function you need to pass stuff through if you are
> > going to use it in an <input type=text or <textarea>, what is that
> > function?
>
> htmlentities()
>
> > Ben

-- 
Ben Edwards - Poole, UK, England
If you have a problem sending me email use this link
http://www.gurtlush.org.uk/profiles.php?uid=4
(email address this email is sent from may be defunct)
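The three steps the thread settles on (undo magic quotes once at the top of the page, keep user data out of the SQL text with a parameterized query, and escape with htmlentities() on the way back into an <input> or <textarea>), as an added example that is not from the thread or from either poster. It assumes PDO with an in-memory SQLite database as a stand-in for the Firebird parameterized queries mentioned above, and the `comments` table, the `strip_magic_quotes`/`save_comment`/`html_attr` function names and the sample request values are all constructed for the example.

```php
<?php
// Added example, not code from the thread. Runs on PHP 7 (where
// get_magic_quotes_gpc() still exists) and on PHP 8 (where it is gone and
// there is nothing to undo).

// 1. Undo magic quotes once, at the start of every page, so the rest of the
//    code always sees exactly what the user typed. Recurses because
//    $_REQUEST can contain arrays (name="tags[]").
function strip_magic_quotes(array $data): array
{
    $magic = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    if (!$magic) {
        return $data;
    }
    $clean = [];
    foreach ($data as $key => $value) {
        $clean[$key] = is_array($value) ? strip_magic_quotes($value) : stripslashes($value);
    }
    return $clean;
}

// 2. Store with a parameterized query. The placeholders keep the values out of
//    the SQL text entirely, so no addslashes() or driver escaping is needed,
//    and a quote in the data cannot change the statement's structure.
function save_comment(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// 3. Escape on output. ENT_QUOTES also encodes the single quote, so the value
//    is safe in both value="..." and value='...' attributes and in element text.
function html_attr(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Constructed stand-in for $_REQUEST: a name with an apostrophe and a body
// that would be live markup if echoed unescaped.
$request = ['author' => "O'Reilly", 'body' => '<script>alert(1)</script>'];
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    // Simulate what magic_quotes_gpc=On would already have done to the input.
    $request = array_map('addslashes', $request);
}
$request = strip_magic_quotes($request);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
save_comment($db, $request['author'], $request['body']);

// Data fetched back needs no un-escaping (as the thread says); it only needs
// output escaping when re-displayed in the form.
$row = $db->query('SELECT author, body FROM comments')->fetch(PDO::FETCH_ASSOC);
echo '<input type="text" name="author" value="' . html_attr($row['author']) . '">' . "\n";
echo '<textarea name="body">' . html_attr($row['body']) . '</textarea>' . "\n";
```

Run it with `php example.php`: the apostrophe in the author name survives the round trip unchanged in the database, and the script tag comes back as inert entity text inside the textarea rather than executing in the browser.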