Angelo Zanetti wrote:
> So should I avoid magic_quotes_gpc altogether?
In my opinion, yes.
> My local development server has them enabled and when testing the input of a text field that does a select query I input 'hello' (including single quotes) and it works really well with the single quotes escaped. But my live server has them disabled and therefore the single quotes break the SQL statement.
Your live application has an SQL injection vulnerability. This scenario is one of several reasons why magic_quotes_gpc does more to degrade security than promote it. By depending upon it, you have written code that is vulnerable to SQL injection.
Chris
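
Added example, not part of the original message: the situation described in this exchange on a server with magic_quotes_gpc disabled, with a concatenated query beside a parameterized one. It assumes PHP with the pdo_sqlite extension; the table, column and function names are hypothetical.

```php
<?php
// Added illustration: greetings, body, find_concat and find_bound are hypothetical names.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE greetings (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed sample input: the text field value from the post, quotes included.
$input = "'hello'";
$db->prepare('INSERT INTO greetings (body) VALUES (?)')->execute([$input]);

// Before: the value is concatenated into the SQL text. This only parses when
// something upstream (magic_quotes_gpc) has already escaped the quotes, so
// the code's correctness and safety depend on a server setting.
function find_concat(PDO $db, string $value): string
{
    try {
        $sql = "SELECT id FROM greetings WHERE body = '" . $value . "'";
        return count($db->query($sql)->fetchAll()) . ' row(s)';
    } catch (PDOException $e) {
        return 'SQL error: ' . $e->getMessage();
    }
}

// After: the value is bound as a parameter and is never parsed as SQL,
// so the result is the same whatever the input contains.
function find_bound(PDO $db, string $value): string
{
    $stmt = $db->prepare('SELECT id FROM greetings WHERE body = ?');
    $stmt->execute([$value]);
    return count($stmt->fetchAll()) . ' row(s)';
}

// Raw input reaches both functions, as on the live server in the post.
echo 'concatenated: ', find_concat($db, $input), PHP_EOL;
echo 'bound:        ', find_bound($db, $input), PHP_EOL;
```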