On Monday 07 August 2006 19:39, Peter Lauri wrote:
> [snip]My guess: magic_quotes_gpc is enabled where you're running the
> script. Therefore slashes are already present in the data from the form
> post.[/snip]
>
> Should I turn it off? Adding slashes and mysql_real_escape_string is not
> exactly the same thing, correct?
>
> /Peter

As standard procedure, you should disable magic quotes and register globals on any PHP install, just on principle. Both are very old ideas intended to make life easier and more secure for people who didn't know what they were doing but ended up causing more trouble than they were worth. Both are now to be avoided.

And no, addslashes() and mysql_real_escape_string() are not the same thing. addslashes() just dumbly escapes quotes with backslashes. mysql_real_escape_string() does real string escaping according to MySQL's locale settings and various other rules, including escaping quotes as appropriate.

--
Larry Garfield    AIM: LOLG42
larry@xxxxxxxxxxxxxxxx    ICQ: 6817012

"If nature has made any one thing less susceptible than all others of exclusive property, it is the action of the thinking power called an idea, which an individual may exclusively possess as long as he keeps it to himself; but the moment it is divulged, it forces itself into the possession of every one, and the receiver cannot dispossess himself of it." -- Thomas Jefferson

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
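
The double-escaping discussed in this message, as an added example that is not part of the original thread or written by its participants. ESCAPES, escape_like_mysql() and stored_value() are hypothetical stand-ins that mimic the documented byte set of mysql_real_escape_string() without a database connection or its character-set handling, and the sample strings are constructed.

```php
<?php
// Added illustration. ESCAPES, escape_like_mysql() and stored_value() are
// hypothetical stand-ins so the script runs without a database connection.

// Byte set documented for mysql_real_escape_string(): NUL, \n, \r, \, ', "
// and Ctrl-Z. The real function also takes the connection character set
// into account, which this table does not model.
const ESCAPES = [
    "\\"   => "\\\\",
    "\0"   => "\\0",
    "\n"   => "\\n",
    "\r"   => "\\r",
    "'"    => "\\'",
    '"'    => '\\"',
    "\x1a" => "\\Z",
];

function escape_like_mysql(string $value): string
{
    // strtr() with an array never rescans text it has already replaced.
    return strtr($value, ESCAPES);
}

function stored_value(string $literal): string
{
    // What the server keeps after parsing the escaped string literal.
    return strtr($literal, array_flip(ESCAPES));
}

// Constructed sample: the value typed into the form.
$typed = "O'Reilly";

// magic_quotes_gpc ran the equivalent of addslashes() on all GET/POST/cookie
// data before the script saw it.
$received = addslashes($typed);

// Escaping the already-slashed value again puts a literal backslash in the row.
$doubleEscaped = stored_value(escape_like_mysql($received));

// Undoing the magic-quotes layer first, then escaping once, round-trips cleanly.
$escapedOnce = stored_value(escape_like_mysql(stripslashes($received)));

var_dump($doubleEscaped === $typed, $escapedOnce === $typed);

// addslashes() leaves newline and Ctrl-Z alone; the MySQL escaper rewrites them.
$control = "line1\nline2\x1a";
var_dump(addslashes($control) === $control, escape_like_mysql($control) === $control);
```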