Richard Lynch wrote:
On Thu, May 12, 2005 4:43 pm, Chris Shiflett said:

From me:
The fact that it uses the character set of your current connection to
MySQL means that what your escaping function considers to be a single
quote is exactly what your database considers to be a single quote. If
these things don't match, your escaping function can miss something that
your database interprets, opening you up to an SQL injection attack.


Under the following pre-conditions:
1. C Locale / English in MySQL data
2. No intention to ever switch natural language, nor database.

is there any real benefit to spending man hours I really can't afford for
legacy code to switch from Magic Quotes to mysql_real_escape_string -- and
make no mistake, it would be a TON of man hours.

It will take less than five minutes to write a recursive function that will stripslashes() all incoming variables and use mysql_real_escape_string() instead.


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
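As an added illustration (not code from the thread), the recursive stripslashes() pass the reply describes, followed by escaping with the connection's character set as the quoted text recommends. It is written against mysqli because the mysql_* extension named in the thread no longer exists in current PHP; the hostname, credentials and database name are placeholders.

```php
<?php
// Added example, not from the mailing-list thread.

// Recursively remove the backslashes magic_quotes_gpc added to request data.
// array_map keeps string keys when given a single array, so nested
// $_POST['form']['field'] structures survive intact.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Only strip when magic quotes are actually on; stripping clean input would
// destroy legitimate backslashes the user typed. get_magic_quotes_gpc() is a
// legacy call (removed in PHP 8), hence the function_exists() guard.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Placeholder connection details.
$db = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');
if ($db === false) {
    die('Connection failed: ' . mysqli_connect_error());
}

// Set the charset on the connection BEFORE escaping anything, so the escaping
// function and the server agree on what a quote character looks like. This is
// the mismatch the quoted text warns about.
mysqli_set_charset($db, 'utf8mb4');

// Escape each value at query time, using the connection's charset.
$name = mysqli_real_escape_string($db, isset($_GET['name']) ? $_GET['name'] : '');
$sql  = "SELECT id FROM users WHERE name = '$name'";
$result = mysqli_query($db, $sql);
```

Prepared statements with bound parameters (mysqli_prepare / mysqli_stmt_bind_param) avoid the escaping question altogether; the block above shows only the migration path the reply describes.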


