On 01/24/2013 09:23 AM, Jim Giner wrote:
On 1/24/2013 12:05 PM, Matt Pelmear wrote:
http://stackoverflow.com/questions/5801951/does-php-auto-escapes-quotes-in-string-which-is-passed-by-get-or-post
Every pro has this feature (magic_quotes_gpc) turned off. If you
understand SQL Injection vulnerabilities, and properly bind things into
your queries, I would recommend disabling it.
-Matt
On 01/24/2013 08:55 AM, Jim Giner wrote:
ok - new to using pdo functions, but I thought I had a handle on it.
I'm writing out to my page an input tag with the following value in it:
49'ers
I can confirm it by using my browser's "view source" to see that is
exactly how it exists in the page.
When I hit a submit button and my script retrieves the 'post' vars my
debugging steps are showing that the var $_POST['team'] contains the
above value with a backslash (\) already inserted. This is causing me
a problem when I then try to use pdo->quote to safely encode it for
updating my sql database.
My question is - why does the POST var show the \ char before I
execute the 'quote' function?
You're right! But I must not understand something.
My root folder has a php.ini file with the magic quotes set off.
Doesn't that carry on down to folders beneath it?
I would check phpinfo() to see if it is being overridden.
-Matt
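The double escaping discussed in this thread, as an added example that is not part of any poster's message. `addslashes()` stands in for magic_quotes_gpc (the setting was removed in PHP 5.4), and the in-memory SQLite database, the `teams` table and the function names are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension;
// the teams table and all function names are hypothetical.

// magic_quotes_gpc ran an addslashes()-style pass over GET/POST/cookie data.
// The setting was removed in PHP 5.4, so its effect is simulated here.
function simulate_magic_quotes(string $raw): string
{
    return addslashes($raw);
}

// Strip the added backslashes only when the setting is really in effect.
function clean_input(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Insert through a bound parameter and return what the database now holds.
function store_team(PDO $pdo, string $team): string
{
    $stmt = $pdo->prepare('INSERT INTO teams (name) VALUES (:name)');
    $stmt->execute([':name' => $team]);
    return (string) $pdo->query(
        'SELECT name FROM teams ORDER BY id DESC LIMIT 1'
    )->fetchColumn();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE teams (id INTEGER PRIMARY KEY, name TEXT)');

// Effective value for the running script, the one phpinfo() also reports.
// ini_get() returns false where the setting no longer exists.
$active = (bool) ini_get('magic_quotes_gpc');
echo 'magic_quotes_gpc active: ', var_export($active, true), PHP_EOL;

// Constructed stand-in for $_POST['team'] on a server with the setting on.
$posted = simulate_magic_quotes("49'ers");
echo 'received:        ', $posted, PHP_EOL;

// quote() escapes for SQL only; the stray backslash stays inside the literal.
echo 'quote() literal: ', $pdo->quote($posted), PHP_EOL;

// Stored as received, the backslash becomes part of the data.
echo 'stored as-is:    ', store_team($pdo, $posted), PHP_EOL;

// Stripped first, the original value round-trips.
echo 'stored cleaned:  ', store_team($pdo, clean_input($posted, true)), PHP_EOL;
```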
--
PHP Database Mailing List (http://www.php.net/)