Posted by Andrew C on 11/20/06 07:49
"Pedro Graca" <hexkid@dodgeit.com> wrote in message
news:slrnem0u0b.38r.hexkid@ID-203069.user.individual.net...
> Jerry Stuckle wrote:
>> Andrew C wrote:
>>>
>>> In their example, wouldn't magic quotes be sufficient to thwart the
>>> attack?
>>>
>>
>> First of all, magic_quotes is bad. It changes the data without the
>> user's knowledge. Even worse, it can be turned on or off - either
>> breaking scripts or requiring extra gyrations to handle either on or off.
>>
>> Second, mysql_real_escape_string() is a mysql function sensitive to the
>> charset in use in the table. It is also designed specifically for
>> inserting into/updating a MySQL database. magic_quotes is a generic
>> function, not sensitive to character sets.
>
> Third, magic_quotes will be taken away from PHP6.
> http://www.corephp.co.uk/archives/19-Prepare-for-PHP-6.html
Thanks to you both for the points of view and the link.
A.
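An added example, not part of the thread and not PHP's or MySQL's own code, to make Jerry's charset point concrete. It models in Python what a byte-wise escaper (magic_quotes_gpc / addslashes()) does versus a charset-aware one in the style of mysql_real_escape_string() on a GBK connection, and then what a GBK-aware server lexer makes of the result. The lexer and escaper are deliberate simplifications (assumptions, marked in the comments): a GBK character is a lead byte 0x81-0xFE plus a trail byte 0x40-0x7E or 0x80-0xFE, a charset-aware escaper escapes a lone lead byte so that it cannot be glued to a later byte, and the lexer consumes multi-byte characters whole and skips exactly one byte after a backslash. The inputs are constructed; the known wrinkle they exploit is that 0xBF 0x27 is not a valid GBK character but 0xBF 0x5C is.

```python
"""
Constructed example: charset-unaware vs charset-aware SQL escaping.

Assumptions (simplified model of MySQL behaviour, not its source):
  * is_gbk_char(): lead 0x81-0xFE followed by trail 0x40-0x7E or 0x80-0xFE
    is one two-byte GBK character.
  * escape_gbk(): copies such characters untouched; a lead byte that is NOT
    followed by a valid trail byte is escaped on its own.
  * read_literal(): the server lexer consumes multi-byte characters whole and,
    after a backslash, takes exactly one byte literally.
"""

# Byte-level escapes shared by both escapers (what addslashes() emits).
SPECIALS = {0x00: b"\\0", 0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\"}
# Reverse mapping for the lexer; every other escaped byte stands for itself.
UNESCAPE = {0x30: 0x00}  # "\0" -> NUL


def is_gbk_char(data: bytes, i: int) -> int:
    """Return 2 if a valid two-byte GBK character starts at data[i], else 0."""
    if i + 1 < len(data) and 0x81 <= data[i] <= 0xFE:
        trail = data[i + 1]
        if 0x40 <= trail <= 0x7E or 0x80 <= trail <= 0xFE:
            return 2
    return 0


def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping: the magic_quotes_gpc / addslashes() behaviour.
    It has no idea which bytes belong together as one character."""
    return b"".join(SPECIALS.get(b, bytes([b])) for b in data)


def escape_gbk(data: bytes) -> bytes:
    """Charset-aware escaping for a GBK connection (modelled, see header)."""
    out = bytearray()
    i = 0
    while i < len(data):
        n = is_gbk_char(data, i)
        if n:                       # a real GBK character: pass it through whole
            out += data[i:i + n]
            i += n
            continue
        b = data[i]
        if 0x81 <= b <= 0xFE:       # lone lead byte: escape it so nothing can
            out += b"\\" + bytes([b])  # later turn it into a character
        else:
            out += SPECIALS.get(b, bytes([b]))
        i += 1
    return bytes(out)


def read_literal(escaped: bytes) -> tuple:
    """Model of the server lexer reading the body of a '...' literal.
    Returns (bytes the server stores, terminated_early). terminated_early is
    True when an unescaped quote ends the literal before the data runs out,
    i.e. the remainder of the input is parsed as SQL (injection)."""
    out = bytearray()
    i = 0
    while i < len(escaped):
        n = is_gbk_char(escaped, i)
        if n:                       # multi-byte character consumed as a unit
            out += escaped[i:i + n]
            i += n
            continue
        b = escaped[i]
        if b == 0x5C and i + 1 < len(escaped):   # backslash: take next byte literally
            nxt = escaped[i + 1]
            out.append(UNESCAPE.get(nxt, nxt))
            i += 2
            continue
        if b == 0x27:               # unescaped quote closes the literal
            return bytes(out), True
        out.append(b)
        i += 1
    return bytes(out), False


# Constructed inputs: an injection attempt built on an invalid GBK sequence,
# a legitimate GBK character whose trail byte happens to be 0x5C, and a
# plain ASCII name with an apostrophe.
PAYLOAD = b"\xbf' OR 1=1 -- "
LEGIT_GBK = b"\xbf\x5c'"
NAME = b"O'Reilly"

if __name__ == "__main__":
    for label, value in (("payload", PAYLOAD), ("gbk", LEGIT_GBK), ("name", NAME)):
        print(label, "addslashes:", read_literal(addslashes(value)),
              "escape_gbk:", read_literal(escape_gbk(value)))
    # magic_quotes on top of explicit escaping silently alters stored data:
    print("double-escaped name:", read_literal(addslashes(addslashes(NAME))))
```

The byte-wise escaper turns 0xBF 0x27 into 0xBF 0x5C 0x27, which a GBK lexer reads as one character followed by a bare quote, so the rest of the payload becomes SQL; it also breaks a legitimate GBK character ending in 0x5C. The charset-aware escaper produces data the lexer reads back unchanged in both cases. The last line of the demo shows the other half of Jerry's point: escaping already-escaped input (magic_quotes on plus an explicit escape) stores a value different from what the user typed.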