On Wed, May 30, 2007 9:55 pm, Jim Lucas wrote:
> Greg Donald wrote:
>> On 5/30/07, Richard Lynch <ceo@xxxxxxxxx> wrote:
>>> You want to use mysql_escape_string, and NOT addslashes and NOT
>>> Magic Quotes.
>>
>> function slashes( $var )
>> {
>>     if( is_array( $var ) )
>>     {
>>         return array_map( 'slashes', $var );
>>     }
>>     else
>>     {
>>         return mysql_real_escape_string( $var );
>>     }
>> }
>
> Say I wanted to use this on something other than $_GET, $_POST, &
> $_COOKIE?
>
> Would it not be better practice to do this the other way around?
>
> function slashes ( $var ) {
>     if ( is_scalar($var) ) {
>         return mysql_real_escape_string( $var );
>     } else {
>         return array_map( 'slashes', $var );
>     }
> }
>
> This way, even if someone passes something that is not an array, but
> still not processable by mysql_real_escape_string(), it won't foul up
> the processor.
>
>>
>> set_magic_quotes_runtime( 0 );
>>
>> if( get_magic_quotes_gpc() == 0 )
>> {
>>     $_GET = isset( $_GET )
>>         ? array_map( 'slashes', $_GET )
>>         : array();
>>
>>     $_POST = isset( $_POST )
>>         ? array_map( 'slashes', $_POST )
>>         : array();
>>
>>     $_COOKIE = isset( $_COOKIE )
>>         ? array_map( 'slashes', $_COOKIE )
>>         : array();
>> }

Well, if it's not a scalar, and it's not an array, and you call
array_map on it, things could get very ugly very fast...

I'm not sure what other datatypes you might try to pass in, that PHP
won't type-juggle to a string when it goes to
mysql_real_escape_string...

Exactly what "other" data are you planning on calling 'slashes' on?

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
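
Added example, not part of the thread and not any poster's code: the type dispatch the messages above argue about, written so that arrays recurse, scalars are escaped, and anything else (null, objects) is handled explicitly instead of falling through to array_map(). The names escape_deep and $escape are hypothetical, and the escaper is a constructed stand-in for the driver call so the script runs without a database.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not from the thread. $escape stands in for the
// driver's escaping call (mysql_real_escape_string in the thread).
function escape_deep($var, callable $escape)
{
    if (is_array($var)) {
        // Recurse into nested arrays such as $_POST['item'][0]; keys are left as-is.
        return array_map(
            function ($v) use ($escape) { return escape_deep($v, $escape); },
            $var
        );
    }
    if (is_scalar($var)) {
        // int, float, bool and string: cast explicitly, then escape.
        return $escape((string) $var);
    }
    if ($var === null) {
        // is_scalar(null) is false, so null needs its own branch.
        return null;
    }
    // Objects and resources: refuse instead of handing them to array_map().
    throw new InvalidArgumentException('cannot escape value of type ' . gettype($var));
}

// Constructed stand-in escaper for demonstration only. It is not
// charset-aware and is not a replacement for the driver function.
$escape = function (string $s): string {
    return strtr($s, [
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "\\" => "\\\\", "'" => "\\'", "\"" => "\\\"", "\x1a" => "\\Z",
    ]);
};

// Constructed sample input: nested array, integer, and a null value.
$input = [
    'name' => "O'Reilly",
    'tags' => ['a"b', 42],
    'note' => null,
];
var_export(escape_deep($input, $escape));

try {
    escape_deep(new stdClass(), $escape);
} catch (InvalidArgumentException $e) {
    echo "\n", $e->getMessage(), "\n";
}
```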