> So,
>
> 1. turn ON runtime and gpc

No, leave them off if your code runs fine without them. You'll save resources if you do the addslashes() yourself to only the fields that need it instead of everything. I see no reason at all to ever have runtime ON. It will escape data coming _from_ the database so then you'd have to stripslash() it to display it. Waste of time if you ask me.

> 2. only addslashes() when inserting into the database IF
> get_magic_quotes_runtime() is 0 (false)

No... use addslashes() if get_magic_quotes_gpc is 0 (false). When it's off, it means incoming GET, POST, and COOKIE data will not have quotes escaped. Use addslashes() on the data that needs it before you insert it into the database.

> 3. only stripslashes() when retrieving from the database IF
> get_magic_quotes_runtime() is 0 (false)

No. You'll need to stripslashes() data coming from your database when get_magic_quotes_runtime() is 1 (true). If it's off, the data coming from the database should not have any slashes in it at all. If it does, like Phillip said, then you're running addslashes() twice somehow.

If you look at the raw data inside your database and see values like "It\'s" then you're running addslashes() twice somehow.

With magic_quotes_runtime enabled (true, 1) then data such as "It's" in the database will be returned to your script as "It\'s".

> Right so far?

I think you struck out. :)

> Then I need to know how to fix up possible mistakes in the past.
> What should I do to the current data in multiple tables which may or may not
> have had the addslashes() "done twice". Any one got some cool code???

You should just be able to do an UPDATE for each column and use REPLACE to change \' to just ' (and the same for double quotes, if necessary). You'll have to do it for each column in each table that's affected, though... You could write a little PHP script to do it for you.

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
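The per-column cleanup suggested at the end of the message, as an added example that is not part of the original post: it finds stored values containing `\'` or `\"` and removes one addslashes() layer with stripslashes() instead of a SQL REPLACE. The `comments` table, its columns, the integer `id` key, the sample rows and the `fixDoubleEscaped()` helper are all assumptions made for illustration, and an in-memory SQLite database stands in for the real one.

```php
<?php
// Added example. Table, columns and rows are constructed; an in-memory
// SQLite database stands in for the real one so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

$ins = $pdo->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
$ins->execute(["O\\'Brien", "It\\'s a \\\"test\\\""]); // escaped twice on the way in
$ins->execute(['Smith', "It's fine"]);                  // stored correctly
$ins->execute(['Jones', 'C:\\temp\\notes.txt']);        // real backslashes, no escaped quote

/**
 * Remove one addslashes() layer from rows that contain \' or \".
 * $table and $columns must come from a fixed list in this script, never
 * from request data, because identifiers cannot be bound as parameters.
 * Assumes every table has an integer primary key named id.
 */
function fixDoubleEscaped(PDO $pdo, string $table, array $columns, bool $dryRun = true): int
{
    $changed = 0;
    $select = $pdo->query('SELECT id, ' . implode(', ', $columns) . " FROM $table");
    $rows = $select->fetchAll(PDO::FETCH_ASSOC);
    foreach ($rows as $row) {
        foreach ($columns as $col) {
            $old = $row[$col];
            // Only touch values holding a backslash directly before a quote.
            if ($old === null || !preg_match('/\\\\[\'"]/', $old)) {
                continue;
            }
            $new = stripslashes($old);
            echo ($dryRun ? 'WOULD FIX' : 'FIXED'), " $table.$col id={$row['id']}: $old => $new\n";
            if (!$dryRun) {
                $pdo->prepare("UPDATE $table SET $col = ? WHERE id = ?")->execute([$new, $row['id']]);
            }
            $changed++;
        }
    }
    return $changed;
}

fixDoubleEscaped($pdo, 'comments', ['author', 'body']);          // review the output first
$pdo->beginTransaction();
$fixed = fixDoubleEscaped($pdo, 'comments', ['author', 'body'], false);
$pdo->commit();
echo "$fixed values rewritten\n";
```

The dry run is the place to spot rows where a backslash before a quote is real content and not an escaping leftover; the Jones row is skipped because it holds backslashes but no escaped quote.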