Re: Double checking - I should turn off "magic quotes"

On Mon, June 4, 2007 9:02 am, Dave M G wrote:
> I've read in the manual that it's "preferred to code with magic quotes
> off and to instead escape the data at runtime, as needed":
>
> Recently, while configuring my PHP so as to install the GD libraries,
> that the default option was to have magic quotes turned on.

What version of PHP did you install?...

I'm pretty sure they turned MQ off by default in PHP5...

> I just want to double check here what to do. Should I disable magic
> quotes on my server?

YES!

Turn the dang thing off!

> Also, I'm developing code that I hope others can use. For the purposes
> of portability, is it safe to assume that most environments will have
> magic quotes off, and build for that?

Nope.

Use something not unlike:
function strip_magic_quotes($value) {
  // array_map() returns a new array, so the result must be assigned back
  // to the superglobal; recurse so nested input arrays (foo[]=...) are
  // handled too, since stripslashes() only works on strings.
  return is_array($value)
    ? array_map('strip_magic_quotes', $value)
    : stripslashes($value);
}
if (ini_get('magic_quotes_gpc')) {
  $_GET     = strip_magic_quotes($_GET);
  $_POST    = strip_magic_quotes($_POST);
  $_COOKIE  = strip_magic_quotes($_COOKIE);
  $_REQUEST = strip_magic_quotes($_REQUEST);
}

> So I should disable magic quotes on my testing environment and do my own
> escaping?

Yes.

The issue is that you want to FILTER and VALIDATE before you ESCAPE,
and you only want to ESCAPE the data actually going into the DB, and
use the correct escape function for that DB.

> While I'm asking about escaping, is converting characters like
> apostrophes and ampersands to hex characters before storing them in a
> MySQL database a safe way to go?

Don't try to roll your own. Use mysql_real_escape_string().

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
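
The FILTER, VALIDATE, then ESCAPE order that the reply insists on, carried through for a constructed sign-up form. This is an added example, not code from the thread or from PHP itself; it assumes PHP 5.x with the mysqli extension, an already open mysqli connection in $db, that any magic quotes were stripped from $_POST beforehand, and it uses mysqli_real_escape_string() as the mysqli counterpart of the mysql_real_escape_string() the reply names.

```php
<?php
// Added example (not from the thread): FILTER -> VALIDATE -> ESCAPE, in that
// order, for a constructed sign-up form. Assumes an open mysqli connection $db
// and that magic quotes have already been stripped from $_POST.

// 1. FILTER: keep only the fields this form expects, as trimmed strings.
function filter_signup_input(array $request) {
    $out = array();
    foreach (array('username', 'email', 'age') as $key) {
        $out[$key] = (isset($request[$key]) && is_string($request[$key]))
            ? trim($request[$key]) : '';
    }
    return $out;
}

// 2. VALIDATE: check each value against what the field means; returns errors.
function validate_signup_input(array $in) {
    $errors = array();
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $in['username'])) {
        $errors[] = 'username must be 3-32 letters, digits or underscores';
    }
    if (filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not well formed';
    }
    $range = array('options' => array('min_range' => 13, 'max_range' => 120));
    if (filter_var($in['age'], FILTER_VALIDATE_INT, $range) === false) {
        $errors[] = 'age must be an integer between 13 and 120';
    }
    return $errors;
}

// 3. ESCAPE: only now, only the strings that enter the SQL, with the driver's
//    own function (it knows the connection's character set). The integer is
//    cast rather than escaped, so no quote character can reach the query.
function build_signup_sql(mysqli $db, array $in) {
    $username = mysqli_real_escape_string($db, $in['username']);
    $email    = mysqli_real_escape_string($db, $in['email']);
    $age      = (int) $in['age'];
    return "INSERT INTO users (username, email, age) "
         . "VALUES ('$username', '$email', $age)";
}

$input  = filter_signup_input($_POST);
$errors = validate_signup_input($input);
if ($errors) {
    header('HTTP/1.1 400 Bad Request');
    exit(implode("\n", $errors));   // stop before any escaping or DB work
}
$db->query(build_signup_sql($db, $input));
```

Prepared statements with bound parameters (mysqli_stmt or PDO) remove the manual escaping step altogether and are the better default; the example keeps the escape call because that is what the thread is discussing.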

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

