On Mon, 2007-06-04 at 23:02 +0900, Dave M G wrote:
> PHP General,
>
> I've read on the manual that it's "preferred to code with magic quotes
> off and to instead escape the data at runtime, as needed":

Indeed this is preferable.

> Recently, while configuring my PHP so as to install the GD libraries,
> that the default option was to have magic quotes turned on.

That's because there's a lot of bad scripts out there.

> I just want to double check here what to do. Should I disable magic
> quotes on my server?

Not unless you're certain you don't have any scripts that rely on magic
quotes. If you do, then they will become open security holes.

> Also, I'm developing code that I hope others can use. For the purposes
> of portability, is it safe to assume that most environments will have
> magic quotes off, and build for that?

No, you should check the ini setting in your code and react accordingly.

> So I should disable magic quotes on my testing environment and do my own
> escaping?

Yes.

> While I'm asking about escaping, is converting characters like
> apostrophes and ampersands to hex characters before storing them in a
> MySQL database a safe way to go?

No, use the proper escaping mechanism offered for your particular database.

Cheers,

Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
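The two pieces of advice in Rob's reply, checking the magic_quotes_gpc ini setting at runtime and escaping with the database's own mechanism instead of a home-grown hex conversion, put together in one script. This is an added example, not code from the thread or from InterJinn; the table name `users`, the column `name`, and the connection credentials are placeholders, and the mysqli extension is assumed to be available (PHP 5 and later). The `function_exists` guard is there because `get_magic_quotes_gpc()` was removed in PHP 8, so the same code also runs on installations where magic quotes no longer exist.

```php
<?php
// Added example (not from the thread). Goal: the application always works
// with raw, unescaped input no matter how magic_quotes_gpc is set, and
// escaping happens once, at the database boundary, using the driver.

// Step 1: detect the ini setting at runtime, as the reply suggests.
// get_magic_quotes_gpc() no longer exists in PHP 8, hence the guard.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Undo the backslashes magic quotes added, recursing into nested arrays
// such as form fields named field[].
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

if (magic_quotes_active()) {
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
}

// Step 2: connect and escape with the driver's own function, which knows
// the connection character set; a hand-rolled hex conversion does not,
// and it also changes the data that gets stored.
// Placeholder credentials and database name.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    die('Connect failed: ' . $db->connect_error);
}
$db->set_charset('utf8');

$name = isset($_POST['name']) ? $_POST['name'] : '';

// Option A: escape the literal at the moment the SQL string is built,
// never earlier.
$sql = "SELECT id FROM users WHERE name = '"
     . $db->real_escape_string($name) . "'";
$result = $db->query($sql);

// Option B (preferred): a prepared statement. The value is sent separately
// from the SQL text, so there is no escaping decision to get wrong.
$stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
$stmt->bind_param('s', $name);
$stmt->execute();
$stmt->bind_result($id);
while ($stmt->fetch()) {
    echo 'Matched user id: ' . (int) $id . "\n";
}
$stmt->close();
$db->close();
```

Running the first block early in a common include (before any other code reads the superglobals) is what makes the rest of the application portable: scripts downstream can assume the data is unescaped on every server, and the only place a quote is ever escaped is the query builder or, better, the bound parameter.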