Re: Double checking - I should turn off "magic quotes"

Robert,

Thank you for your quick reply.

If it's okay, I'd just like to clarify the points you raise.

>> I just want to double check here what to do. Should I disable magic quotes on my server?
>
> Not unless you're certain you don't have any scripts that rely on magic
> quotes. If you do, then they will become open security holes.

The only scripts I have are the ones I put there myself. So if I conform to the no magic quotes standard, then I should be safe, right?

>> Also, I'm developing code that I hope others can use. For the purposes of portability, is it safe to assume that most environments will have magic quotes off, and build for that?
>
> No, you should check the ini setting in your code and react accordingly.

Sorry, I don't quite follow you here. If I turn magic quotes off on both my testing environment and my server, as is "preferable" according to the manual, then my ini file will conform to that.

But I don't see how that relates to the portability of the code. As much as possible, I'd like to have others be able to run my scripts with minimum hassle.

If I make my development environment and my own web hosting server conform to the "preferable" set up, but most servers default to having magic quotes on, then won't my code break on most people's servers?

>> So I should disable magic quotes on my testing environment and do my own escaping?
>
> Yes.

Okay... but I'm still confused as to how this impacts the potential for my code's portability as described above.

>> While I'm asking about escaping, is converting characters like apostrophes and ampersands to hex characters before storing them in a MySQL database a safe way to go?
>
> No, use the proper escaping mechanism offered for your particular
> database.

Since my database is MySQL, does that mean using addslashes() and stripslashes()? In other words manually doing what magic quotes was doing automatically?

Just for my own education, is it insecure to use hex codes to store apostrophes and other special characters in the case of MySQL? Can someone inject a workable MySQL command into my database if all apostrophes and other non-alphanumeric characters are converted to hex?

--
Dave M G
Ubuntu Feisty 7.04
Kernel 2.6.20-15-386

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
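As an added example (not code from the thread or from either poster), the script below shows one way to act on Robert's two points: check the magic_quotes_gpc setting at runtime and undo it, so the code sees raw request data no matter how the host is configured, and then hand escaping to the MySQL driver or, better, bind the value as a parameter. The connection credentials, the `posts` table with an `id` and a `body` column, and the fallback input string are all assumptions made for the example.

```php
<?php
// Added example, not part of the original mailing-list post.
// Assumes a MySQL database `appdb` with a table `posts` (id INT AUTO_INCREMENT,
// body TEXT) and the credentials below; adjust to your own environment.

// Undo magic quotes if the host has them on. Applied only when the ini
// setting is active, so backslashes the user actually typed are preserved.
function normalize_input($value)
{
    if (is_array($value)) {
        return array_map('normalize_input', $value);
    }
    return stripslashes($value);
}

// get_magic_quotes_gpc() exists in PHP 4 through 7 and is removed in PHP 8,
// where magic quotes never apply, so guard the call for portability.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = normalize_input($_GET);
    $_POST    = normalize_input($_POST);
    $_COOKIE  = normalize_input($_COOKIE);
    $_REQUEST = normalize_input($_REQUEST);
}

// Assumed connection details.
$link = mysqli_connect('localhost', 'appuser', 'secret', 'appdb');
if (!$link) {
    die('Connection failed: ' . mysqli_connect_error());
}
// Escaping is charset-aware, so tell the driver which charset the connection uses.
mysqli_set_charset($link, 'utf8mb4');

// Constructed sample input containing an apostrophe and an ampersand,
// used when the script is run without a POSTed form.
$body = isset($_POST['body']) ? $_POST['body'] : "O'Reilly & Sons";

// Option 1: escape with the driver's own function, as the reply recommends.
// Unlike addslashes(), it knows the connection's character set.
$escaped = mysqli_real_escape_string($link, $body);
$sql = "INSERT INTO posts (body) VALUES ('$escaped')";
mysqli_query($link, $sql) or die(mysqli_error($link));

// Option 2 (preferred): bind the value, so it is sent as data and never
// parsed as part of the SQL statement at all.
$stmt = mysqli_prepare($link, 'INSERT INTO posts (body) VALUES (?)');
mysqli_stmt_bind_param($stmt, 's', $body);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);

// Reading back shows the text stored as typed; no stripslashes() is needed
// on output, only HTML escaping for the page.
$result = mysqli_query($link, 'SELECT body FROM posts ORDER BY id DESC LIMIT 2');
while ($row = mysqli_fetch_assoc($result)) {
    echo htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8'), "\n";
}
mysqli_close($link);
```

The runtime check is what makes the code portable: with magic quotes off, stripslashes() is skipped and nothing is altered; with them on, the doubled escaping that would otherwise appear in the database is undone before the driver escapes the value once. addslashes() is not a substitute for the driver's escaping function because it has no knowledge of the connection's character set, and a home-grown hex encoding applied before storage would have to be decoded by every consumer of the data while still not replacing the escaping the driver performs on the query itself.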