> On Wed, 7 Jul 2004 10:31:17 -0700, Brian Dunning <[EMAIL PROTECTED]>
> wrote:
>> I have a question about this. Here is from the documentation:
>>
>> The PHP directive magic_quotes_gpc is on by default, and it
>> essentially runs addslashes() on all GET, POST, and COOKIE data.
>>
>> Why doesn't this automatically prevent injections, since it escapes out
>> any single quotes they try to submit?
>>
>
> magic_quotes_gpc *should* fix all SQL injection attacks that come
> straight from $_GET, $_POST, and $_COOKIE, but it won't fix it from
> other places, such as in the DB or a session. In addition, if you use
> those $_GET, $_POST, or $_COOKIE values for other things, such as
> putting values back in a form or in HTML, you *will* get extra
> backslashes behind quotes. Basically you're looking at running
> removeslashes() on all places you use those values except for SQL. The
> proper way to handle this is to turn off magic quotes and do whatever
> escaping your code needs *when it needs it*. For MySQL, use
> mysql_real_escape_string() (or addslashes() if you must). For HTML,
> use htmlentities(). etc.
>
On top of that, the fact that you can turn it off creates different PHP
environments between different servers. So now programmers are forced to
check that magic_quotes_gpc is on each time and take appropriate action
when it's off. I think a good programming habit is to treat it as if it
were off.

--Matthew Sims
--<http://killermookie.org>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
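The pattern both replies converge on, as an added example that is not part of the original thread: treat magic_quotes_gpc as if it were off (undo it when it happens to be on), keep the raw value, and escape it for each output context at the point of use. The `raw_request_value`, `sql_escape` and `html_escape` helpers and the `$fake_post` array are constructed for this example; the `get_magic_quotes_gpc()` call is guarded because the function was removed in PHP 8, and `mysqli_real_escape_string()` needs a live connection (it honours the connection charset), so the example falls back to the thread's "addslashes() if you must" when no connection is passed. On any current PHP the SQL half should be a prepared statement instead; the escaping shown is the technique the thread discusses, not a recommendation over parameter binding.

```php
<?php
// Added example, not code from the original mailing-list thread.
// Demonstrates: normalise input as if magic_quotes_gpc were off, then
// escape per context (SQL, HTML) only where the value is actually used.

// Step 1: fetch a request value in its raw form. If magic quotes are on
// (PHP < 5.4 only), strip the blanket addslashes() so the rest of the
// code sees exactly what the client sent.
function raw_request_value(array $source, string $key): ?string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    $value = $source[$key];
    // Guarded call: get_magic_quotes_gpc() does not exist in PHP 8+.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Step 2: SQL escaping happens only while building the query.
// mysqli_real_escape_string() is charset-aware but needs a connection;
// addslashes() is the fallback named in the thread and is not charset-aware.
function sql_escape(?mysqli $db, string $value): string
{
    return $db !== null ? mysqli_real_escape_string($db, $value) : addslashes($value);
}

// Step 3: HTML escaping happens only while emitting HTML.
function html_escape(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// What the first reply warns about: escaping for SQL first and then for
// HTML leaves literal backslashes in the rendered form field.
function double_escaped_form_value(string $value): string
{
    return htmlentities(addslashes($value), ENT_QUOTES, 'UTF-8');
}

// Constructed sample input (a hypothetical POST body, not live request data).
$fake_post = ['name' => "O'Brien\" <script>alert(1)</script>"];
$name = raw_request_value($fake_post, 'name');

// No database connection in this stand-alone example, so sql_escape()
// uses the addslashes() fallback.
$sql = "SELECT id FROM users WHERE name = '" . sql_escape(null, $name) . "'";
echo "SQL:        ", $sql, "\n";

// The same raw value, escaped for HTML at the point of output.
echo "HTML:       ", '<input name="name" value="' . html_escape($name) . '">', "\n";

// Contrast: the extra backslashes you get when SQL escaping has already
// been applied globally (the magic_quotes_gpc behaviour) before HTML output.
echo "DOUBLE:     ", '<input name="name" value="' . double_escaped_form_value($name) . '">', "\n";
```

Run with `php example.php`. The SQL line shows the quotes backslash-escaped for the query; the HTML line shows the same raw value with `'`, `"`, `<` and `>` turned into entities and no backslashes; the DOUBLE line shows the backslashes that leak into the form when escaping is applied globally rather than per context, which is the concrete reason both replies recommend treating magic_quotes_gpc as off.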