On Wed, 7 Jul 2004 10:31:17 -0700, Brian Dunning <[EMAIL PROTECTED]> wrote:
> I have a question about this. Here is from the documentation:
> 
>   The PHP directive  magic_quotes_gpc is on by default, and it
> essentially runs addslashes() on all GET, POST,  and COOKIE data.
> 
> Why doesn't this automatically prevent injections, since it escapes out
> any single quotes they try to submit?
> 

magic_quotes_gpc *should* fix all SQL injection attacks that come
straight from $_GET, $_POST, and $_COOKIE, but it won't fix it from
other places, such as in the DB or a session. In addition, if you use
those $_GET, $_POST, or $_COOKIE values for other things, such as
putting values back in a form or in HTML, you *will* get extra
backslashes behind quotes. Basically you're looking at running
removeslashes() on all places you use those values except for SQL. The
proper way to handle this is to turn off magic quotes and do whatever
escaping your code needs *when it needs it*. For MySQL, use
mysql_real_escape_string() (or addslashes() if you must). For HTML,
use htmlentities(). etc.

-- 
DB_DataObject_FormBuilder - The database at your fingertips
http://pear.php.net/package/DB_DataObject_FormBuilder

paperCrane --Justin Patrin--
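The advice above, escape per sink rather than globally, as an added worked example (this is not code from the original thread). It simulates a request arriving with magic_quotes_gpc on, strips the global escaping once at the entry point, and then escapes the same raw value separately for HTML output and for a SQL query. SQLite through PDO is used so it runs offline; with MySQL the per-sink SQL escaper would be mysqli_real_escape_string() or, better, a bound parameter as shown here. htmlspecialchars() is used in place of the htmlentities() the post names (it escapes the same quote and angle-bracket characters). The $magicQuotesOn flag, the sample strings and the users table are all constructed for the example.

```php
<?php
// Added example, not code from the original thread. It simulates a request
// arriving with magic_quotes_gpc on, recovers the raw value once, and then
// escapes that value separately for each sink (HTML output, SQL query).
// SQLite via PDO is used so it runs offline; with MySQL the per-sink SQL
// escaper would be mysqli_real_escape_string() or, better, a bound parameter.

// Constructed sample input, exactly as a browser would send it.
$rawFromBrowser   = "O'Reilly <b>bold</b>";
$injectionAttempt = "x' OR '1'='1";

// With magic_quotes_gpc=On, $_POST['name'] would already hold this:
$magicQuoted = addslashes($rawFromBrowser);   // O\'Reilly <b>bold</b>

// Undo the global escaping once, at the entry point. $magicQuotesOn stands in
// for get_magic_quotes_gpc(), which cannot be toggled at runtime and no longer
// exists in PHP 8.
function rawInput(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Sink 1: HTML. Escape quotes and angle brackets; this keeps the <b> from
// rendering and leaves no stray backslash in a re-displayed form field.
function forHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Sink 2: SQL. Bind the value; the driver keeps it out of the query text.
function findUsers(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The pattern the post warns against: raw value interpolated into SQL.
function findUsersUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory table so the queries have something to hit.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$ins = $db->prepare('INSERT INTO users (name) VALUES (:name)');
foreach (['alice', 'bob', $rawFromBrowser] as $n) {
    $ins->execute([':name' => $n]);
}

$name = rawInput($magicQuoted, true);          // back to O'Reilly <b>bold</b>

// Re-displaying the value in a form: magic-quoted (extra backslash, live
// markup) versus escaped for HTML at the point of use.
echo 'naive:   <input value="' . $magicQuoted . '">' . PHP_EOL;
echo 'escaped: <input value="' . forHtml($name) . '">' . PHP_EOL;

// Querying with the real value: the bound parameter finds exactly one row.
echo 'bound lookup rows:     ' . count(findUsers($db, $name)) . PHP_EOL;

// The injection string: bound, it matches nothing; interpolated, the
// OR '1'='1 clause matches every row in the table.
echo 'bound injection rows:  ' . count(findUsers($db, $injectionAttempt)) . PHP_EOL;
echo 'unsafe injection rows: ' . count(findUsersUnsafe($db, $injectionAttempt)) . PHP_EOL;
```

Run it with the PHP CLI (pdo_sqlite enabled). The "naive" line shows the `O\'Reilly` artifact the post describes, the bound injection lookup returns 0 rows, and the interpolated one returns all 3. If you must keep magic_quotes on for legacy code, the stripslashes() step in rawInput() is the one place it gets undone; everything downstream then escapes for its own sink.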

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php