Hi Mark,

> > It's nice in that it adds to how secure PHP code is, but it can be a
> > hassle.
>
> Out of curiosity, what are the security implications? Presumably a failure
> to validate input properly leading to unintended actions, but I can't think
> of any examples to help me decide whether to turn this off.

Most default to set magic_quotes_gpc on - otherwise, to safeguard against
(amongst many other things) mysql or other database errors, all fields that
aren't integers would have to have addslashes() applied to them.  Try
entering a string like this:

$string = "<a href=\"http://www.php.net\">PHP</a>";

$string = stripslashes($string);

$insert = @mysql_query("INSERT INTO table (string) VALUES ('$string')")
    or die (mysql_error());

And see how fast you run into errors ;)

James.



-- 
PHP General Mailing List (http://www.php.net/)
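
Added example, not part of the original message: the same kind of INSERT built by string interpolation and with a bound parameter, so the effect of an unescaped quote is visible side by side. It assumes PHP with the PDO SQLite driver and uses an in-memory database in place of mysql_query(); the table name `links` and the sample strings are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite through PDO stands in for the MySQL
// connection in the message above (assumption: pdo_sqlite is installed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE links (string TEXT)');

// Constructed sample input: one value with only double quotes (modelled on
// the string in the message) and one that also contains single quotes.
$inputs = [
    '<a href="http://www.php.net">PHP</a>',
    "It's a link to <a href='http://www.php.net'>PHP</a>",
];

// Unescaped interpolation: the value becomes part of the SQL text, so a
// single quote inside it ends the string literal early.
function insertInterpolated(PDO $db, string $value): string
{
    try {
        $db->exec("INSERT INTO links (string) VALUES ('$value')");
        return 'ok';
    } catch (PDOException $e) {
        return 'error: ' . $e->getMessage();
    }
}

// Bound parameter: the value is sent as data and never parsed as SQL,
// so no addslashes()/magic_quotes_gpc step is needed.
function insertPrepared(PDO $db, string $value): string
{
    $stmt = $db->prepare('INSERT INTO links (string) VALUES (?)');
    $stmt->execute([$value]);
    return 'ok';
}

foreach ($inputs as $value) {
    echo 'interpolated: ', insertInterpolated($db, $value), "\n";
    echo 'prepared:     ', insertPrepared($db, $value), "\n";
}

// Confirm each value inserted through the prepared statement is stored
// byte for byte, quotes included.
$stored = $db->query('SELECT string FROM links')->fetchAll(PDO::FETCH_COLUMN);
foreach ($inputs as $value) {
    echo in_array($value, $stored, true) ? "stored intact\n" : "missing\n";
}
```

The value containing single quotes fails on the interpolated path with a syntax error and succeeds on the prepared path; the double-quote-only value succeeds on both.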