On Thu, 16 Oct 2003, Jon Kriek wrote:

> I concur, assign the superglobal array to a variable ...
>
> $Name = strip_slashes($_POST['elementName']);
> $sql="INSERT INTO $table SET Name='$Name'";
>
> ... and then use that opportunity to run additional checks on the content.

Again, waste of variable space, and makes what you are doing less readable.

You also don't want to strip slashes most likely. If you have magic_quotes turned on, PHP will automatically backslash any escaped characters (', /, some others), so you don't need to use addslashes on that variable. If it is not turned on, you will need to addslashes on your post variable.

magic_quotes turned on
    You don't know "me"! => $_POST['elementName'] == You don\'t know \"me\"!
Turned off
    You don't know "me"! => $_POST['elementName'] == You don't know "me"!

If you don't addslashes when magic_quotes are turned off, your select will fail, as the string will end at the first set of quotes (just after "know ").

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@purplecow.com                             http://www.purplecow.com/
---------------------------------------------------------------------------

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
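
The four combinations of magic_quotes and addslashes discussed in this message, as an added PHP example that is not part of the original thread. It simulates magic_quotes (no longer present in current PHP) by calling addslashes() on the input; the function names, the `people` table and the simplified literal reader are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. All function names are hypothetical.

// What magic_quotes_gpc did to request data: the equivalent of addslashes().
function simulate_request(string $typed, bool $magicQuotes): string {
    return $magicQuotes ? addslashes($typed) : $typed;
}

// Decode the single-quoted literal starting at $sql[$start] the way a
// backslash-escaping SQL parser would (simplified: every \x yields x).
// Returns [value, rest of statement], or null if the literal never closes.
function read_literal(string $sql, int $start): ?array {
    $value = '';
    for ($i = $start + 1, $n = strlen($sql); $i < $n; $i++) {
        if ($sql[$i] === '\\' && $i + 1 < $n) {
            $value .= $sql[++$i];          // escaped character, taken literally
        } elseif ($sql[$i] === "'") {
            return [$value, substr($sql, $i + 1)];
        } else {
            $value .= $sql[$i];
        }
    }
    return null;
}

// Build the INSERT the way the quoted code does and report what the
// database would see for one magic_quotes / addslashes combination.
function classify(string $typed, bool $magicQuotes, bool $appAddslashes): string {
    $name = simulate_request($typed, $magicQuotes);
    if ($appAddslashes) {
        $name = addslashes($name);
    }
    $prefix = "INSERT INTO people SET Name=";   // constructed table name
    $sql = $prefix . "'" . $name . "'";
    $lit = read_literal($sql, strlen($prefix));
    if ($lit === null || $lit[1] !== '') {
        return 'BROKEN: literal ends early or never closes';
    }
    return $lit[0] === $typed
        ? 'ok: stored as typed'
        : 'stored with extra backslashes: ' . $lit[0];
}

$typed = 'You don\'t know "me"!';   // the sample string from the message
foreach ([[true, false], [false, true], [false, false], [true, true]] as [$mq, $app]) {
    printf("magic_quotes=%-3s addslashes=%-3s => %s\n",
        $mq ? 'on' : 'off', $app ? 'yes' : 'no', classify($typed, $mq, $app));
}
```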