Gerard Samuel wrote:
> I have a class method that does one thing and one thing only. Escape
> characters before going to the DB. Part of it is ->
>
>     if (!get_magic_quotes_gpc())
>     {
>         $string = pg_escape_string( $string );
>     }
>     return "'" . $string . "'";
>
> In everyday get/post operation it seems to work flawlessly.
> I've come across a situation where I'm parsing an XML file to insert into the DB.
> The content needed to be escaped, so I modified the above to ->
>
>     if (!get_magic_quotes_gpc() || !get_magic_quotes_runtime())
>     {
>         $string = pg_escape_string( $string );
>     }
>     return "'" . $string . "'";
>
> And the XML data is escaped correctly for DB insertion.
> Now going back to my everyday get/post operation, the code is broken somehow, as content
> that is not normally escaped is escaped, and breaking stuff, like serialized data in the DB.
> Is the above code valid for escaping characters in get/post/cookie and external data operation?

Not really. You check if either one is false, and then you escape. But you don't know where the data come from. The data might be from POST and are already escaped by magic quotes, but magic_quotes_runtime is off, so it's escaped once more.

So you need to make two class methods, one for escaping gpc variables, another one for escaping runtime variables. Then you only need to check get_magic_quotes_gpc() or get_magic_quotes_runtime() respectively.

> Can they be safely used together as in my example above? (Where if one condition doesn't meet, and the other does, escape characters.)
> Or there may be something else in my code that is messing things up.
> Any pointers/experience would be greatly appreciated. Thanks
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
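The two-method split the reply recommends, next to a simulation of why the combined `||` check double-escapes POST data, as an added example (this is not code from the thread or from either poster). All function names are invented here. It assumes the magic-quotes functions may be absent (they were removed in PHP 8) and treats them as off when missing, takes optional flag arguments so the old magic_quotes_gpc=On / magic_quotes_runtime=Off setup can be simulated, and falls back to quote doubling when the pgsql extension is not loaded so it runs offline.

```php
<?php
// Added example, not code from the thread. Escape exactly once, keyed on
// where the data came from, instead of testing both magic-quotes flags in
// one condition. All function names here are invented for the example.
//
// Assumptions: get_magic_quotes_gpc()/get_magic_quotes_runtime() may not
// exist (removed in PHP 8) and are treated as "off" when absent; the
// optional $on arguments let the demo below simulate the old settings.
// pg_escape_string() is used when the pgsql extension is loaded, otherwise
// a quote-doubling fallback keeps the script runnable offline (illustration
// only; never use the fallback against a real database).

function magic_quotes_gpc_on(): bool
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

function magic_quotes_runtime_on(): bool
{
    return function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime();
}

function db_escape(string $s): string
{
    if (function_exists('pg_escape_string')) {
        return pg_escape_string($s);
    }
    return str_replace("'", "''", $s); // offline fallback, see header comment
}

// Method 1: values from $_GET/$_POST/$_COOKIE. Undo magic_quotes_gpc if it
// was applied, so the caller gets exactly what the client sent.
function gpc_value(string $s, ?bool $on = null): string
{
    $on = $on ?? magic_quotes_gpc_on();
    return $on ? stripslashes($s) : $s;
}

// Method 2: values read at runtime (files, XML, query results). Undo
// magic_quotes_runtime if it was applied.
function runtime_value(string $s, ?bool $on = null): string
{
    $on = $on ?? magic_quotes_runtime_on();
    return $on ? stripslashes($s) : $s;
}

// One quoting function at the database boundary. It always escapes, because
// both input paths above hand it the raw, unescaped value.
function quote_for_pg(string $raw): string
{
    return "'" . db_escape($raw) . "'";
}

// Better still: a parameterised query, which needs no escaping code at all.
function insert_body($conn, string $raw)
{
    return pg_query_params($conn, 'INSERT INTO items (body) VALUES ($1)', [$raw]);
}

// The thread's second version, with the flags passed in so it can be run
// under a simulated magic_quotes_gpc=On, magic_quotes_runtime=Off setup.
function thread_or_quote(string $s, bool $mq_gpc, bool $mq_runtime): string
{
    if (!$mq_gpc || !$mq_runtime) {
        $s = db_escape($s);
    }
    return "'" . $s . "'";
}

// Constructed input: a serialised value containing a quote, as a client
// would POST it. With magic_quotes_gpc=On, PHP has already run addslashes()
// on it before the script sees it.
$clientSent = 'a:1:{s:4:"name";s:7:"O\'Brien";}';
$arrived    = addslashes($clientSent);

echo "Client sent:         $clientSent\n";
echo "After magic quotes:  $arrived\n";
// Both flags tested together: gpc is on but runtime is off, so the already
// slashed value is escaped a second time; the stored string keeps the
// backslashes, its declared lengths are wrong, and it no longer unserialises.
echo "Thread's || check:   " . thread_or_quote($arrived, true, false) . "\n";
// Source-specific method first, then a single escape at the DB boundary.
echo "Two-method version:  " . quote_for_pg(gpc_value($arrived, true)) . "\n";
// Runtime data (e.g. from an XML file) never had magic_quotes_gpc applied;
// with magic_quotes_runtime off it must still be escaped, and it is.
$fromXml = "O'Brien";
echo "XML value:           " . quote_for_pg(runtime_value($fromXml, false)) . "\n";
```

Run it with `php example.php`; the third line shows the value the `||` check would have sent to PostgreSQL, the fourth the same value after normalising at the input boundary and escaping once. The design choice is the one the reply describes: the escaping function never inspects configuration, each input path is responsible for handing it a raw value, and `insert_body()` shows the parameterised form that removes the escaping question entirely.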