I do it the following way to achieve portability:

For GET/POST/COOKIE variables:
1. check "magic_quotes_gpc" PHP setting - if enabled strip slashes from input variables using stripslashes()
2. check input/anything
3. prior to building the SQL query escape stuff (mysql - mysql_real_escape_string(), others use different escaping methods)
4. run query

For data that comes from SQL sources:
1. check magic_quotes_runtime PHP setting...

On Monday 16 May 2005 10:32, Petzo wrote:
> Hi,
>
> My question is about the normal behaviour of PHP and MYSQL but I can't
> explain it without a simple example. Thank you for reading:
>
> I have the following code:
> --------------------------------------------------------------------
> <?php
> print $t = $_POST['txt'];
> print $t = addslashes($t);
>
> @ $db = mysql_pconnect(xxx,xxx,xxx);
> mysql_select_db('test');
>
> $q = "update ttable set ffield='$t'";
> mysql_query($q);
>
> $q = "select * from ttable";
> $result = mysql_query($q);
> $bo = mysql_fetch_array($result);
>
> print $t = $bo['ffield'];
> print $t = stripslashes($t);
> ?>
> --------------------------------------------------------------------
>
>
> from a HTML form I send variable:
> --------------------------------------------------------------------
> ' \ \' \\ \\\
> --------------------------------------------------------------------
>
> after addslashes it becomes:
> --------------------------------------------------------------------
> \' \\ \\\' \\\\ \\\\\\
> --------------------------------------------------------------------
>
> after that it gets in the database
>
> but after I get it out it becomes:
> --------------------------------------------------------------------
> ' \ \' \\ \\\
> --------------------------------------------------------------------
> (without the backslashes!)
>
> and of course after stripslashes it gets messed-up:
> --------------------------------------------------------------------
> ' ' \ \
> --------------------------------------------------------------------
>
> So my question is if this is normal behaviour for PHP+MYSQL or it may
> vary in different configurations or versions of both php or mysql.
> It's not a bad thing to be like that but I wonder if my code will behave
> the same on most systems.
>
> Thank you very much

-- 
Best regards,

Bostjan Skufca
system administrator

Domenca d.o.o.
Phone: +386 4 5835444
Fax: +386 4 5831999
http://www.domenca.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
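
Added example, not part of the original thread: a PHP sketch of the round trip in the quoted post, run without a database. mysql_literal_value() is a hypothetical helper that approximates how MySQL decodes a single-quoted string literal when backslash escapes are enabled (the default sql_mode); it shows that the SQL parser consumes the backslashes addslashes() added, so the stored value already equals the input and the later stripslashes() removes backslashes that belong to the data.

```php
<?php
// Added illustration, not code from the thread.
// mysql_literal_value() is a hypothetical helper: it approximates how MySQL
// decodes the body of a single-quoted string literal when backslash escapes
// are enabled (default sql_mode, NO_BACKSLASH_ESCAPES off).
function mysql_literal_value(string $body): string
{
    $map = ['0' => "\0", 'b' => "\x08", 'n' => "\n",
            'r' => "\r", 't' => "\t", 'Z' => "\x1a"];
    $out = '';
    $len = strlen($body);
    for ($i = 0; $i < $len; $i++) {
        $c = $body[$i];
        if ($c === '\\') {
            if ($i + 1 >= $len) {
                throw new InvalidArgumentException('trailing backslash would escape the closing quote');
            }
            $next = $body[++$i];
            // \% and \_ keep their backslash; any other \x collapses to x.
            $out .= ($next === '%' || $next === '_') ? '\\' . $next : ($map[$next] ?? $next);
        } elseif ($c === "'") {
            // Only a doubled quote ('') is legal inside the literal.
            if ($i + 1 >= $len || $body[$i + 1] !== "'") {
                throw new InvalidArgumentException("unescaped quote at offset $i ends the literal early");
            }
            $out .= "'";
            $i++;
        } else {
            $out .= $c;
        }
    }
    return $out;
}

// Constructed sample: the form value from the quoted post (nowdoc, so no PHP escaping).
$input = <<<'TXT'
' \ \' \\ \\\
TXT;

$escaped = addslashes($input);            // text placed between the quotes in the UPDATE
$stored  = mysql_literal_value($escaped); // what the column holds once the parser is done
$broken  = stripslashes($stored);         // the extra step applied to the fetched row

printf("escaped for SQL   : %s\n", $escaped);
printf("stored in column  : %s\n", $stored);
printf("after stripslashes: %s\n", $broken);
var_dump($stored === $input, $broken === $input);
```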