So, if I understand correctly, mysql_real_escape_string is the way to prevent sql injection. Is there still a need (as in both good coding and security) for variable validation at that point? Like a hidden field id that must only be an int?

________________________________________
From: Dave Goodchild [mailto:buddhamagnet@xxxxxxxxx]
Sent: Monday 11 September 2006 13:04
To: rv@xxxxxxxx
CC: php-general@xxxxxxxxxxxxx
Subject: Re: does magic_quotes_gpc prevents sql injection through forms?

I don't think so. What if magic_quotes_gpc gets turned off or you move to another environment? Best practice is to turn it off (if you can) and so gain fine control over your data. You can either compromise and use a function that checks whether the setting is enabled and either add your own slashes or do nothing. To ensure the best level of control over escaping data before it goes into your db, check out mysql_real_escape_string.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

--
http://www.web-buddha.co.uk
http://www.projectkarma.co.uk
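An added example, not code from either poster, showing the point raised about the hidden integer id: escaping only protects a value that sits inside quoted string delimiters, so an id used as a bare number must be validated (or bound as a typed parameter) rather than escaped. It assumes a mysqli connection `$db` and a placeholder table `items`, and uses the mysqli API because the old `mysql_` extension has been removed from modern PHP.

```php
<?php
// Added example (not from the thread). Assumes $db is a connected mysqli
// object and that a table `items` (placeholder name) exists.

function validateId($raw)
{
    // FILTER_VALIDATE_INT accepts only a plain integer; anything else
    // (empty string, decimals, text, SQL fragments) returns false.
    // min_range keeps zero and negative ids out as well.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function loadItem(mysqli $db, $rawId)
{
    $id = validateId($rawId);
    if ($id === null) {
        // Fail closed: a non-integer id is rejected, not escaped, because
        // escaping has no effect on a value placed in SQL without quotes.
        return null;
    }

    // Bound parameter: the value travels separately from the SQL text,
    // so no escaping is needed for either integers or strings.
    $stmt = $db->prepare('SELECT id, name FROM items WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($foundId, $name);
    $row = $stmt->fetch() ? ['id' => $foundId, 'name' => $name] : null;
    $stmt->close();
    return $row;
}

// Legacy style: if the query string must be built by hand, real_escape_string
// is only meaningful for the quoted string value; the int still goes through
// validateId() first.
function legacyQuery(mysqli $db, $rawId, $rawName)
{
    $id = validateId($rawId);
    if ($id === null) {
        return null;
    }
    $name = $db->real_escape_string($rawName);
    return "SELECT id FROM items WHERE id = $id AND name = '$name'";
}

$row = loadItem($db, $_POST['id'] ?? '');
```

Validating the id also serves the "good coding" half of the question: a request with a malformed id is rejected before any query runs, instead of silently querying for id 0.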