mysqli_real_escape_string and get_magic_quotes_gpc()

liunx (Guest)
Hi.
I'm wondering whether, with mysqli_real_escape_string, I have to
check the get_magic_quotes_gpc() value.
I mean something like this:

function quote_smart($value)
{
// Stripslashes
if (get_magic_quotes_gpc()) {
$value = stripslashes($value);
}
// Quote if not a number or a numeric string
if (!is_numeric($value)) {
$value = "'" . mysql_real_escape_string($value) . "'";
}
return $value;
}

Bye.

Magic quotes are a bug, therefore I recommend

if (ini_get('magic_quotes_gpc')) {
throw new Exception("Magic quotes are a bug and should never be enabled");
}

at the top of every page (or rather, in a common include file, say where you connect to the db).

Mark
Could you explain why you think it's a bug? I would like to know.

This explains the pitfalls of magic quotes:
http://www.webmasterstop.com/63.html

However, contrary to what the site suggests, one should use mysqli_real_escape_string instead of addslashes. Better yet, use prepared statements and the problem goes away completely.

The page ahundiak refers to explains it quite nicely.

Quite simply:
- magic_quotes escapes data incorrectly in most cases (It ONLY handles a poor subset of cases where you need escape it in a database, not ANY other escaping scenario)
- magic_quotes escapes data even if they didn't need escaping
- magic_quotes escapes data at the wrong time

Mark
It's going away in PHP 6 as well, so if you put it in you'll have to take it out again fairly soon, anyway.

Thanks so much, buddies.
To sum it up:
I have to use a .htaccess file
in my web root.

<IfModule mod_php4.c>
php_flag magic_quotes_gpc off
</IfModule>

or

php_flag magic_quotes_gpc off

By the way, is the syntax right?
And for PHP5?

In my script I can simply use
$mysqli->real_escape_string.

Have I got it right ?

Bye.

You don't really need the IfModule as long as you know PHP is loaded.
And turn register_globals off as well while you are at it.

@ahundiak
Better yet, use prepared statements and the problem goes away completely.
Could you give me an example?
Thanks in advance ;)
Bye.

http://www.php.net/manual/en/ref.pdo.php

Scroll down and look at the section on Prepared Statements :D
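A worked example of the prepared-statement approach recommended in the replies above, added here and not taken from the thread or the linked manual page. It assumes a table `users(id, name)` and placeholder connection details; with prepared statements the value is sent separately from the SQL, so neither magic quotes nor real_escape_string is needed.

```php
<?php
// Added example, not from the thread. Assumes a `users(id, name)` table and
// placeholder credentials; adjust the DSN/host, user and password for your server.
declare(strict_types=1);

// PDO variant. With emulated prepares switched off the statement text and the
// bound values travel to MySQL separately, so a name such as "O'Brien" is only
// ever treated as data, whatever quoting the PHP configuration applied.
function findUserByNamePdo(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// mysqli variant, for the object-oriented API the original poster already uses.
// get_result() needs the mysqlnd driver (the default since PHP 5.4).
function findUserByNameMysqli(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);          // 's' binds the value as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Connection setup: errors surface as exceptions instead of silent false returns,
// and the connection charset is set on the connection, not in the SQL.
$pdo = new PDO('mysql:host=localhost;dbname=test;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
var_dump(findUserByNamePdo($pdo, "O'Brien"));

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('localhost', 'user', 'pass', 'test');
$mysqli->set_charset('utf8mb4');
var_dump(findUserByNameMysqli($mysqli, "O'Brien"));
```

Both functions return the matching row as an associative array, or null when no user has that name; the apostrophe in the sample name never has to be escaped by the caller.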
Thanks.
Take care.