Not all hosts let you alter such things, so you may have to deal with it.
Removing \ from PHP in an HTML page?
- Thread starter Butters
- Start date
Not all hosts let you alter such things, so you may have to deal with it.
still
mysql_real_escape_string is an alternative to addslashes() in that it caters for other characters. addcslashes is another to look at.
turning magic quotes off and not replacing it with something is not recommended - not even by rob if you read his post. all he said was that it's possible. you NEED to escape user input (a rob mantra!) that's going into the database, because if you don't, your site is open for users to run their own mysql queries on your server - not something that you want.
from a visual point of view, yes, magic quotes is a pita - but it's a security measure that needs to be replaced if you disable it
Last edited:
why would i use either of those over mysql_real_escape_string? and given the OP quite clearly has magic quotes on already, why are you recommending addslashes to him? and then having to use stripslashes on the data when outputting it? seems a strange way of doing things to me?
well that goes without saying. i'm not totally insane.
Soldato
- Joined
- 12 Apr 2004
- Posts
- 11,788
- Location
- Somewhere
I certainly am too after reading this thread.
To clear everything up:
Magic Quotes
Either turn them off or remove them at the beginning of each request.
SQL injection
Use mysql_real_escape_string to prevent this (not addslashes). You should sanitise all user input (i.e. $_GET, $_POST and $_COOKIE; some $_SERVER variables are also vulnerable to exploitation) in this way before using it in a query.
Better still, use an abstraction layer, such as ezSQL or MDB2 and let that do the sanitisation for you.
array_map() is busy laughing at you.
PHP isn't my first language ok
1. addslashes is not a substitute for mysql_real_escape_string
2. Best practice is only escape input before using it in a query, so that means no magic quotes
3. Avoid all sorts of headaches by turning magic quotes off/running stripslashes on all your input if it's turned on, then using prepared statements in your SQL.
2. Best practice is only escape input before using it in a query, so that means no magic quotes
3. Avoid all sorts of headaches by turning magic quotes off/running stripslashes on all your input if it's turned on, then using prepared statements in your SQL.
Man of Honour
- Joined
- 31 Jan 2004
- Posts
- 16,338
- Location
- Plymouth
magic_quotes is easily turned off in a .htaccess / php.ini file. The argument that "not all hosts allow it" is strange because no host in their right mind would restrict such simple things.
But it's not :sI said it was an alternative
I think we can safely say there are several ways of protecting your site against SQL injection, and it's up to personal preference. I have heard of all these methods before, and i just chose what was easier for me when i started coding php, and i have used it ever since. Implement a solution of your choice, then do some testing.
This may help you with testing your own server for drop table scripts (etc) and help shed some light on SQL injection so you can make a more informed decision for yourself.
http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
This may help you with testing your own server for drop table scripts (etc) and help shed some light on SQL injection so you can make a more informed decision for yourself.
http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
ah yes, upon closer inspection is doesn't do as much. addcslashes can be made to emulate its functionality if you need it for whatever reason. oops! teach me to read stuff!