--- Tariq Murtaza <[EMAIL PROTECTED]> wrote:
> Can someone shed some light on how a "SQL injection" attack occurs when
> *magic_quotes_gpc* is "ON" and how it prevents it when it's "OFF".

I'm not sure what "it" refers to there. In my opinion, relying on
magic_quotes_gpc is very dangerous. In fact, I just remembered a nice
online resource that will do a better job explaining this than I can:

http://phundamentals.nyphp.org/PH_storingretrieving.php

> Secondly, why do we have to stripslashes while the DB (mysql for example)
> is doing it for us on execution?

It is? What database are you using? I think you're making an erroneous
assumption. Consider this SQL statement:

select * from foo where bar = 'Don't apostrophes screw things up?'

What does bar need to be in order for the where clause to match? Where
does the SQL statement end?

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
Coming mid-2004
HTTP Developer's Handbook - Sams
http://httphandbook.org/
PHP Community Site
http://phpcommunity.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
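The two questions in the thread (where the statement ends when the value contains an apostrophe, and why backslashes added on the way in can end up stored) can be watched in a few lines. The following is an added example, not code from the thread or from either poster; it uses Python and an in-memory SQLite database rather than PHP and MySQL, because the apostrophe terminating a string literal is plain SQL behaviour and is the same in both. The php_style_addslashes() helper is a constructed approximation of what magic_quotes_gpc does to request data, not PHP's own implementation.

```python
import sqlite3

# Constructed sample value: the apostrophe example from the message.
SAMPLE_VALUE = "Don't apostrophes screw things up?"


def make_db():
    """Create an in-memory table holding one row with the sample value."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (bar text)")
    conn.execute("insert into foo (bar) values (?)", (SAMPLE_VALUE,))
    return conn


def naive_lookup(conn, value):
    """Build the statement by string concatenation, exactly like the quoted
    statement. The apostrophe in `value` closes the string literal after
    'Don', so the parser sees trailing junk and the statement fails.
    Returns a tuple describing the outcome instead of raising."""
    sql = "select * from foo where bar = '" + value + "'"
    try:
        rows = conn.execute(sql).fetchall()
        return ("ok", len(rows))
    except sqlite3.Error as exc:
        return ("syntax error", str(exc))


def parameterized_lookup(conn, value):
    """Bind the value as a parameter: the driver keeps data and SQL apart,
    so the apostrophe is just a character in the data and the row matches."""
    rows = conn.execute("select * from foo where bar = ?", (value,)).fetchall()
    return len(rows)


def php_style_addslashes(value):
    """Hypothetical helper approximating magic_quotes_gpc / addslashes():
    a backslash is put before single quotes, double quotes and backslashes.
    (Simplified: PHP also escapes NUL.)"""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def store_and_read_back(conn, value):
    """Store `value` through a bound parameter and read it back.
    With a bound parameter there is no SQL string literal for the database
    to unescape, so whatever is in `value` is stored literally. If the value
    was already run through addslashes() on the way in, the backslash ends
    up in the table; that is the situation in which stripslashes() comes up."""
    conn.execute("delete from foo")
    conn.execute("insert into foo (bar) values (?)", (value,))
    return conn.execute("select bar from foo").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(naive_lookup(db, SAMPLE_VALUE))          # ('syntax error', ...)
    print(parameterized_lookup(db, SAMPLE_VALUE))  # 1
    print(store_and_read_back(db, php_style_addslashes(SAMPLE_VALUE)))
```

The first call shows the statement ending early at the apostrophe; the second shows the same value matching once it is passed as a bound parameter; the third shows that escaping applied to request data before it reaches the SQL layer is stored as part of the data, which is why escaping belongs where the statement is built (or, better, in parameter binding), not in a global input filter.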