IMHO, it really depends on a couple of things...
1) how you use it
and 2) how much control you want...
If you have a single point of entry for database actions, like a class
that mimics the database structure and handles updates, inserts,
deletes, then it makes sense to turn them off to give you the control,
as with the single point of entry you can easily add/strip slashes. But
if your design allows for many points of entry it becomes problematic to
make sure you are adding/stripping slashes in all the appropriate areas.
So, I would say that magic_quotes is a tool, it has some limitations,
but can also be helpful. So it really depends on the wielder of the
tool if it should be used or not.
-Brad
Angelo Zanetti wrote:
Hi guys.
I've just read an article that gives a good explanation about escaping
single quote characters with slashes, the author then says that
magic_quotes_gpc can do this for you if enabled on your server. He
then also mentions how, if your magic_quotes_gpc are not turned
on/enabled that you could use addslashes() with the same result and
when retrieving info from the database that we need to use
stripslashes().
All seems hunky dory, but then he concludes that magic_quotes_gpc
are evil as we have less control over the information we receive.
Which does make sense. So should I avoid magic_quotes_gpc
altogether? My local development server has them enabled and when
testing the input of a textfield that does a select query I input
'hello' (including single quotes) and it works really well with the
single quotes escaped. But my live server has them disabled and
therefore the single quotes break the SQL statement. So on my live
server should I enable magic_quotes_gpc or should I use addslashes()
and stripslashes()?
Thanks in advance.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
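
The single-point-of-entry design from the reply above, as an added example that is not part of the original thread: input is normalised so it looks the same whether or not magic_quotes_gpc is on, and quoting happens once at the database boundary. It swaps in PDO bound parameters in place of addslashes()/stripslashes(); the names `raw_input` and `NoteStore` are hypothetical, and it assumes PHP 7.4+ with the pdo_sqlite extension.

```php
<?php
// Added example: hypothetical names (raw_input, NoteStore); sample data is constructed.

// Undo magic_quotes_gpc if the server applied it, so dev and live behave alike.
// get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists() guard.
function raw_input(string $value): string
{
    $magic = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    return $magic ? stripslashes($value) : $value;
}

// Single point of entry for database actions on one table.
final class NoteStore
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->db->exec('CREATE TABLE IF NOT EXISTS notes (id INTEGER PRIMARY KEY, body TEXT)');
    }

    public function insert(string $body): void
    {
        // Bound parameter: the driver handles quoting, nothing to strip on read.
        $stmt = $this->db->prepare('INSERT INTO notes (body) VALUES (:body)');
        $stmt->execute([':body' => $body]);
    }

    public function findByBody(string $body): array
    {
        $stmt = $this->db->prepare('SELECT id, body FROM notes WHERE body = :body');
        $stmt->execute([':body' => $body]);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Constructed input standing in for $_POST['body'] on a server without magic quotes.
$submitted = "'hello'";

$store = new NoteStore(new PDO('sqlite::memory:'));
$store->insert(raw_input($submitted));
$rows = $store->findByBody(raw_input($submitted));

// Compare what came back from the database with what was submitted.
var_dump($rows[0]['body'] === $submitted);
```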