From: "Jean-Christian Imbeault" <[EMAIL PROTECTED]>

> Erik Price wrote:
> >
> > Turn off magic_quotes and do addslashes() explicitly every time you do a
> > database insert. Then make sure you always stripslash() data returned
> > from a database query.

You don't need to strip slashes from data coming out of a database. The only
reason you add the slashes in the first place is to get the data into the
database; the actual slashes don't go into the database.

> > magic_quotes is convenient for newbies, but after a while you'll find it
> > only trips you up, as you've discovered.

I haven't discovered this....

> I totally agree.
>
> Security question: Is turning off magic_quotes and using
> strip/addslashes() a 100% effective solution against malicious user input?

Nothing's 100%, of course. It will make sure that your strings are treated
properly, but slashes don't do anything for integers. If you have a query
like:

    UPDATE admin SET something = 'this' WHERE user_id = $user_id

then using addslashes() doesn't help you at all, because $user_id doesn't
have quotes around it. Since it's supposed to be an integer, it shouldn't
have quotes, but you need to validate that $user_id is indeed an integer
without any other data in it; otherwise you're open to SQL attacks.

Bottom line: validate everything from the user. POST, GET, COOKIE, etc...
If it's supposed to be a number, make it a number with (int). If it's
supposed to be a string, make sure it's had addslashes() applied to it,
either through magic_quotes or manually... etc, etc, etc...

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
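The point John makes above, as an added example that is not part of the thread: the same UPDATE query built with each input validated for the type its position in the SQL expects. The table and column names come from the message; `build_update_query()`, the `ctype_digit()` check and the sample inputs are assumptions made here, and magic_quotes is assumed off.

```php
<?php
// Added example (not from the mailing-list thread). Builds the UPDATE query
// from John's message, validating each input according to where it lands
// in the SQL. Assumes magic_quotes_gpc is off, so escaping is done by hand.

function build_update_query($something, $user_id)
{
    // $user_id is interpolated WITHOUT quotes, so addslashes() does nothing
    // for it. Force it to an integer. ctype_digit() (an added strictness
    // check) rejects anything that is not purely digits instead of letting
    // (int) silently truncate "42abc" to 42.
    if (!ctype_digit((string) $user_id)) {
        return false;
    }
    $user_id = (int) $user_id;

    // $something sits inside single quotes, so the quote characters in it
    // are what need escaping: addslashes(), applied manually exactly once.
    $something = addslashes($something);

    return "UPDATE admin SET something = '$something' WHERE user_id = $user_id";
}

// Constructed inputs, as they might arrive in $_POST.
$good = build_update_query("O'Reilly", "42");
// string: UPDATE admin SET something = 'O\'Reilly' WHERE user_id = 42

$bad = build_update_query("hello", "42abc");
// bool(false): the id is not purely digits, so no query is built at all

var_dump($good, $bad);
```

A `(int)` cast alone would have turned `42abc` into `42` and run the query; the `ctype_digit()` check turns that silent truncation into a rejection you can log.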