On Wed, 3 Jul 2002, Jean-Christian Imbeault wrote:
> Erik Price wrote:
>> Turn off magic_quotes and do addslashes() explicitly every time you do
>> a database insert. Then make sure you always stripslash() data
>> returned from a database query.
>>
>> magic_quotes is convenient for newbies, but
>magic_quotes is convenient for newbies, but after a while you'll find it
>only trips you up, as you've discovered.
Odd.
In the 5 years I've been doing PHP, magic quotes has never hurt me in the
least.
It's just more convenient than calling addslashes() all over the place.
And do you really
On Wednesday, July 3, 2002, at 10:21 AM, Jean-Christian Imbeault wrote:
> Security question: Is turning off magic_quotes and using
> strip/addslashes() a 100% effective solution against malicious user
> input?
No.
Think about what {add|strip}slashes() does. It simply adds slashes to
strin
From: "Jean-Christian Imbeault" <[EMAIL PROTECTED]>
> Erik Price wrote:
>
> > Turn off magic_quotes and do addslashes() explicitly every time you do a
> > database insert. Then make sure you always stripslash() data returned
> > from a database query.
You don't need to strip slashes from d
Hello Jean-Christian,
The answer is NO NO NO. At the beginning you have talked about
security. You have to realize that there is no 100% protection
against hackers. Using strip/addslashes will help you to filter
some user input not all. :) So try to pick one way and go that
Just pick one, and use only one. If you have magic_quotes ON, then you don't
need addslashes, etc.
---John Holmes...
- Original Message -
From: "Jean-Christian Imbeault" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, July 03, 2002 9:40 AM
Subject
Erik Price wrote:
>
> Turn off magic_quotes and do addslashes() explicitly every time you do a
> database insert. Then make sure you always stripslash() data returned
> from a database query.
>
> magic_quotes is convenient for newbies, but after a while you'll find it
> only trips you up, a
On Wednesday, July 3, 2002, at 09:40 AM, Jean-Christian Imbeault wrote:
> I am trying to make my PHP safe against malicious data user inputs.
> Reading up on this most people suggest using addslashes(), magic_quotes
> on and other things like mysql_escape_string();
>
> But I have been running
Martin Clifford wrote:
> Try stripslashes() before addslashes(), to ensure that it doesn't
> already contain slashes.
>
> HTH
>
> Martin
But what if the original data contained a slash? I want to keep that
slash in the data ...
Jc
--
PHP General Mailing List (http://www.php.net/)
To uns
Try stripslashes() before addslashes(), to ensure that it doesn't already contain
slashes.
HTH
Martin
>>> Jean-Christian Imbeault <[EMAIL PROTECTED]> 07/03/02 09:40AM >>>
I am trying to make my PHP safe against malicious data user inputs.
Reading up on this most people suggest using addslashe
I am trying to make my PHP safe against malicious data user inputs.
Reading up on this most people suggest using addslashes(), magic_quotes
on and other things like mysql_escape_string();
But I have been running into the problem that I mess up the user's input
because I use more than one of th
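
The double-escaping problem discussed in this thread, as an added example that is not part of any of the original messages. It shows only how stacked escaping corrupts stored data, not whether addslashes() is sufficient against malicious input. The helper names and the sample string are constructed, and magic_quotes is emulated with addslashes() on the input because the setting no longer exists in current PHP.

```php
<?php
// Added example, not code from the thread.

// Hypothetical helper: what the script receives for a form field.
// With magic_quotes on, PHP had already run the input through addslashes().
function received(string $typed, bool $magicQuotesOn): string {
    return $magicQuotesOn ? addslashes($typed) : $typed;
}

// The SQL string-literal parser consumes one level of backslash escaping.
// stripslashes() stands in for that step (assumption: MySQL-style escapes).
function stored(string $escapedLiteral): string {
    return stripslashes($escapedLiteral);
}

// Strategy A: always addslashes(), whatever the magic_quotes setting is.
function always_add(string $in): string {
    return addslashes($in);
}

// Strategy B: stripslashes() first, then addslashes().
function strip_then_add(string $in): string {
    return addslashes(stripslashes($in));
}

// Strategy C: pick one. Escape only if magic_quotes has not already done so.
function escape_once(string $in, bool $magicQuotesOn): string {
    return $magicQuotesOn ? $in : addslashes($in);
}

// Constructed sample: one single quote and one literal backslash.
$typed = 'O\'Reilly C:\temp';

foreach ([true, false] as $mq) {
    $in = received($typed, $mq);
    printf("magic_quotes %s, user typed: %s\n", $mq ? 'On' : 'Off', $typed);
    // A with magic_quotes On stores extra backslashes (escaped twice).
    printf("  always addslashes : %s\n", stored(always_add($in)));
    // B with magic_quotes Off drops the backslash the user really typed.
    printf("  strip then add    : %s\n", stored(strip_then_add($in)));
    // C stores exactly what was typed under both settings.
    printf("  escape once       : %s\n", stored(escape_once($in, $mq)));
}
```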