Angelo Zanetti wrote:
Hi guys.
I've just read an article that gives a good explanation about escaping
single quote characters with slashes, the author then says that
magic_quotes_gpc can do this for you if enabled on your server, he then
he also mentions how if your magic_quotes_gpc are not turned on/enabled
that you could use addslashes() with the same result and when retrieving
info from the database that we need to use stripslashes().
The 'author' is an idiot
All seems hunky dory but then he concludes that magic_quotes_gpc that
they are evil as we have less control over the information we receive.
Which does make sense. So should i avoid magic_quotes_gpc all together?
Yes
my local development server has them enabled and when testing the input
of a textfield that does a select query I input 'hello' (including
single quotes) and it works really well with the single quotes escaped.
But my live server has them disabled and therefore the single quotes
break the SQL statement. So on my live server should I enable
magic_quotes_gpc or should I use addslashes() and stripslashes()?
No. Disable magic_quotes on both boxes. If your db is MySQL, use
mysql_real_escape_string(). Otherwise look into writing a routine that
will escape the proper characters for your db.
--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
jnichel@xxxxxxxxxxxxxxxxxxxxxxxxxxx
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
