Re: Magic quotes good or Bad?

Angelo Zanetti wrote:
Hi guys.

I've just read an article that gives a good explanation about escaping single quote characters with slashes. The author then says that magic_quotes_gpc can do this for you if enabled on your server. He then also mentions that if magic_quotes_gpc is not turned on/enabled, you could use addslashes() with the same result, and that when retrieving info from the database we need to use stripslashes().

The 'author' is an idiot

All seems hunky dory, but then he concludes that magic_quotes_gpc is evil, as we have less control over the information we receive. Which does make sense. So should I avoid magic_quotes_gpc altogether?

Yes

My local development server has them enabled, and when testing the input of a textfield that does a select query I input 'hello' (including single quotes) and it works really well with the single quotes escaped. But my live server has them disabled, and therefore the single quotes break the SQL statement. So on my live server should I enable magic_quotes_gpc, or should I use addslashes() and stripslashes()?

No. Disable magic_quotes on both boxes. If your db is MySQL, use mysql_real_escape_string(). Otherwise look into writing a routine that will escape the proper characters for your db.

--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
jnichel@xxxxxxxxxxxxxxxxxxxxxxxxxxx
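As an added illustration of John's advice (example code, not from the thread or either poster), the PHP below shows what Angelo's 'hello' input does to a query built by string concatenation, what escaping for the connection does to it, and how to avoid double-escaping while magic_quotes_gpc is still on somewhere. It assumes a MySQL table named `users` with a `name` column and placeholder connection credentials; the mysql_* extension John names was removed in PHP 7, so the mysqli equivalent (`$db->real_escape_string()`) is used here, and `get_magic_quotes_gpc()` itself is gone in PHP 8, hence the `function_exists()` guard.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL table `users(name)`
// and placeholder credentials; mysqli stands in for the removed mysql_* extension.

// The input Angelo tested: the word hello wrapped in single quotes.
$input = "'hello'";

// 1. Naive query. With magic_quotes_gpc off (the live box) the quotes go through
//    untouched, the string literal is terminated early, and whatever follows is
//    parsed as SQL. That is both the syntax error Angelo saw and, for an input
//    such as  x' OR '1'='1  , a working SQL injection.
function unsafeQuery(string $value): string
{
    return "SELECT * FROM users WHERE name = '" . $value . "'";
}

// 2. Escape for the connection's character set. Only the SQL string syntax is
//    neutralised: MySQL strips the backslashes when it parses the literal, so the
//    stored value is the original text and there is nothing to stripslashes()
//    when reading it back.
function safeQuery(mysqli $db, string $value): string
{
    return "SELECT * FROM users WHERE name = '" . $db->real_escape_string($value) . "'";
}

// 3. Belt and braces for a box where magic_quotes_gpc is still on (the dev
//    server): undo its addslashes() first, otherwise the value is escaped twice
//    and literal backslashes end up in the table.
function rawInput(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Placeholder connection details (assumption, adjust to your environment).
$db = new mysqli('localhost', 'appuser', 'password', 'appdb');
$db->set_charset('utf8mb4');

// Compare the two generated statements, then run only the escaped one.
echo unsafeQuery($input), "\n";
echo safeQuery($db, rawInput($input)), "\n";

$result = $db->query(safeQuery($db, rawInput($input)));
while ($row = $result->fetch_assoc()) {
    // $row['name'] comes back exactly as entered, no stripslashes() needed.
    echo $row['name'], "\n";
}
$db->close();
```

With the input above, `unsafeQuery()` produces `SELECT * FROM users WHERE name = ''hello''`, which MySQL rejects, while `safeQuery()` produces `SELECT * FROM users WHERE name = '\'hello\''`, which matches the row whose name is `'hello'` including the quotes. Note that `real_escape_string()` needs the live connection because the correct escaping depends on the connection's character set, which is also why a hand-written escaping routine for another database has to follow that database's own string-literal rules rather than just adding backslashes.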

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
