On Wed, 3 Jul 2002, Jean-Christian Imbeault wrote:
> Erik Price wrote:
>> Turn off magic_quotes and do addslashes() explicitly every time you do
>> a database insert. Then make sure you always stripslash() data
>> returned from a database query.
>>
>> magic_quotes is convenient for newbies, but after a while you'll find it
>> only trips you up, as you've discovered.
Odd.
In the 5 years I've been doing PHP, magic quotes has never hurt me in the
least.
It's just more convenient than calling addslashes() all over the place.
And do you really
On Wednesday, July 3, 2002, at 10:21 AM, Jean-Christian Imbeault wrote:
> Security question: Is turning off magic_quotes and using
> strip/addslashes() a 100% effective solution against malicious user
> input?
No.
Think about what {add|strip}slashes() does. It simply adds slashes to
strin
From: "Jean-Christian Imbeault" <[EMAIL PROTECTED]>
> Erik Price wrote:
>
> >
>
> > Turn off magic_quotes and do addslashes() explicitly every time you do a
> > database insert. Then make sure you always stripslash() data returned
> > from a database query.
You don't need to strip slashes from d
Just pick one, and use only one. If you have magic_quotes ON, then you don't
need addslashes, etc.
---John Holmes...
- Original Message -
From: "Jean-Christian Imbeault" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, July 03, 2002 9:40 AM
Subject: [PHP] addslahes and magic
Erik Price wrote:
>
> Turn off magic_quotes and do addslashes() explicitly every time you do a
> database insert. Then make sure you always stripslash() data returned
> from a database query.
>
> magic_quotes is convenient for newbies, but after a while you'll find it
> only trips you up, a
On Wednesday, July 3, 2002, at 09:40 AM, Jean-Christian Imbeault wrote:
> I am trying to make my PHP safe against malicious data user inputs.
> Reading up on this most people suggest using addslashes(), magic_quotes
> on and other things like mysql_escape_string();
>
> But I have been running
Martin Clifford wrote:
> Try stripslashes() before addslashes(), to ensure that it doesn't
> already contain slashes.
>
> HTH
>
> Martin
But what if the original data contained a slash? I want to keep that
slash in the data ...
Jc
--
PHP General Mailing List (http://www.php.net/)
To uns
Try stripslashes() before addslashes(), to ensure that it doesn't already contain
slashes.
HTH
Martin
>>> Jean-Christian Imbeault <[EMAIL PROTECTED]> 07/03/02 09:40AM >>>
I am trying to make my PHP safe against malicious data user inputs.
Reading up on this most people suggest using addslashe