Hi all,

PHP does (try) to do something similar - with the magic_quotes_gpc setting (gpc = "Get, Post, Cookie"), it automatically adds slashes to strings. For those who don't do PHP:

1) the user enters: O'reilly
2) this data is slashed to O\'reilly and placed into the superglobal array (i.e. $_POST, $_GET, $_COOKIE)

However, this is not a good thing. Yes, it does cut down on simple SQL injection attacks, as any newbie can pass that straight to the database without breaking a query (well, for MySQL at least). But:

1) The incoming data is tainted - it's NOT what the user entered.
2) Experienced developers go out of their way to turn this behavior off, and use e.g. a database-specific escaping function like mysql_real_escape_string, as it's just so damn annoying. Recently it was proposed that this be removed from the upcoming PHP6, and the PHP internals mailing list received >20 emails in a few days saying "yes please".
3) Trying to explain this to new developers is painful - you can't just say that you need to escape strings (filter. input. always), but you have to a) check if get_magic_quotes_gpc is turned on, b) remove the slashes, c) re-add the slashes using a proper escaping mechanism. Why bother? (see point 4...)
4) Most damningly - it leads to a false complacency ("that form input is safe & I don't need to do anything to it"). Any web developer needs to be taught from day one that you filter input and you filter output. Always.

My recommendation is not to do this automagically (that's bad Python, isn't it?) but to do something like have a validator where the user specifies (in the view?) that foo should be an integer, bar should be a string and baz should be either x, y, or z. If the incoming input doesn't match, then throw an exception (which the user can then catch or handle as he/she sees fit).

(sorry for the rant!)

--Simon
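An added example in Python, not code from Simon's post or from PHP, contrasting the two approaches he describes: a constructed imitation of what magic_quotes_gpc does to the input (the value is altered), beside a declarative validator using the hypothetical rules "foo integer, bar string, baz in {x, y, z}" that raises on mismatch and hands the unchanged value to a parameterised query, so no escaping step is needed at all.

```python
import sqlite3


class ValidationError(ValueError):
    """Raised when a request field does not match its declared rule."""


def addslashes(s):
    # Constructed imitation of magic_quotes_gpc: the stored value is no
    # longer what the user typed (O'reilly becomes O\'reilly).
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


# Hypothetical rule set, as Simon suggests the view would declare it.
RULES = {"foo": int, "bar": str, "baz": {"x", "y", "z"}}


def validate(fields, rules):
    """Return converted, unaltered values, or raise ValidationError."""
    clean = {}
    for name, rule in rules.items():
        if name not in fields:
            raise ValidationError(f"missing field {name!r}")
        raw = fields[name]
        if rule is int:
            try:
                clean[name] = int(raw)
            except ValueError:
                raise ValidationError(f"{name} must be an integer") from None
        elif rule is str:
            clean[name] = raw          # kept exactly as entered, no slashes
        elif isinstance(rule, set):
            if raw not in rule:
                raise ValidationError(f"{name} must be one of {sorted(rule)}")
            clean[name] = raw
        else:
            raise TypeError(f"unsupported rule for {name}")
    return clean


def store(clean):
    """Insert validated values with bound parameters and read one back."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (foo INTEGER, bar TEXT, baz TEXT)")
    conn.execute("INSERT INTO t VALUES (?, ?, ?)",
                 (clean["foo"], clean["bar"], clean["baz"]))
    return conn.execute("SELECT bar FROM t").fetchone()[0]


if __name__ == "__main__":
    request = {"foo": "42", "bar": "O'reilly", "baz": "x"}  # constructed input
    print(addslashes(request["bar"]), store(validate(request, RULES)))
```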