It may escape a quote, but injections would still be possible in other ways.
It gets passed in as \' but then used normally as ' when it's the variable.

-Josh

On Wed, 7 Jul 2004 10:31:17 -0700, Brian Dunning <[EMAIL PROTECTED]> wrote:
> I have a question about this. Here is from the documentation:
>
> The PHP directive magic_quotes_gpc is on by default, and it
> essentially runs addslashes() on all GET, POST, and COOKIE data.
>
> Why doesn't this automatically prevent injections, since it escapes out
> any single quotes they try to submit?
>
> - Brian
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
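
An added example, not part of the original thread: a request value used in a numeric SQL context contains no quote, so addslashes() (what magic_quotes_gpc applied) leaves it untouched, while a validated, bound parameter keeps it out of the SQL text. The table, the sample values and the function names are constructed for illustration, and the script assumes the pdo_sqlite extension.

```php
<?php
// Added example: constructed in-memory table and inputs.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");

// What magic_quotes_gpc did to every GET, POST and COOKIE value.
function gpc_escape(string $raw): string
{
    return addslashes($raw);
}

// Before: the escaped value is concatenated into an unquoted numeric
// context, so it is parsed as part of the SQL statement.
function lookup_concat(PDO $db, string $id): array
{
    $sql = "SELECT name FROM users WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// After: the value is validated as an integer and bound as a typed
// parameter, so it is only ever data, never SQL syntax.
function lookup_bound(PDO $db, string $id): array
{
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        return []; // reject anything that is not a plain integer
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed request value with no quote character in it.
$raw = '0 OR 1=1';
$id  = gpc_escape($raw);

echo 'changed by escaping: ', var_export($id !== $raw, true), "\n";
echo 'rows via concatenation: ', count(lookup_concat($db, $id)), "\n";
echo 'rows via bound parameter: ', count(lookup_bound($db, $id)), "\n";
echo 'legitimate id 2: ', implode(',', lookup_bound($db, '2')), "\n";
```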