Posted by Marcus on 11/03/05 02:06
Hello,
My php.ini file currently has magic quotes set to On, but I have read
that it is better to code with it off.
Currently with magic quotes on, I only use stripslashes() to properly
format strings that are displayed on the screen. I know that now with
magic quotes off, I will have to manually handle escaping special
characters with mysql_real_escape_string() or addslashes().
My question is this... from what I can gather on php.net and some other
sources, mysql_real_escape_string() is better than addslashes(), so am I
correct in saying that I don't ever need to use addslashes()?
I know I need to use one of these functions when formatting queries to
MySQL to prevent SQL injection attacks, but how about when I am just
dealing with variables in $_POST, $_GET, and $_SESSION? With magic
quotes on, when I perform a SELECT and a row has a single quote in the
result, for example, magic quotes will automatically add a \ to the
value. Is there any security risk or other drawback in not escaping out
special characters that I am just working with in the code, and then
formatting everything right before sending to the database?
Thanks a lot in advance.
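The practice the question is circling around, undo magic quotes once where input enters the script, keep raw values while working with them, and escape only at the database boundary, as an added example that is not part of the original post. It uses PDO prepared statements with an in-memory SQLite table so it runs offline (mysql_real_escape_string() needs a live MySQL connection); the table, the "O'Reilly" row and the $post array are constructed sample data, and normalize_input() and find_author() are names chosen here. The get_magic_quotes_gpc() call is guarded with function_exists() because it was removed in PHP 8.

```php
<?php
// Added example, not from the original post. Assumes PHP with the PDO sqlite driver.

// Undo magic quotes exactly once, at the point where request data enters the
// application, so the rest of the code works with the raw value. On PHP 8 the
// magic quotes functions no longer exist, hence the function_exists() guard.
function normalize_input(array $data): array
{
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    if (!$magic) {
        return $data;                       // nothing was added, nothing to strip
    }
    $out = [];
    foreach ($data as $key => $value) {
        $out[$key] = is_array($value) ? normalize_input($value) : stripslashes($value);
    }
    return $out;
}

// Escape only at the database boundary. A prepared statement sends the SQL
// and the value separately, so a quote inside $name is plain data and no
// manual mysql_real_escape_string()/addslashes() call is needed.
function find_author(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM authors WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function demo(): void
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE authors (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

    // Constructed sample row whose value contains a single quote.
    $ins = $db->prepare('INSERT INTO authors (name) VALUES (:name)');
    $ins->execute([':name' => "O'Reilly"]);

    // Constructed request input. With magic_quotes_gpc=On, PHP would have
    // delivered this as "O\'Reilly"; normalize_input() gives back the raw value.
    $post  = ['author' => "O'Reilly"];
    $clean = normalize_input($post);

    // The stored row comes back with its quote intact: no stripslashes() is
    // needed for display, only escaping for the output context (HTML here).
    foreach (find_author($db, $clean['author']) as $row) {
        printf("%d: %s\n", $row['id'], htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'));
    }
}

demo();
```

The two escaping steps live in different places on purpose: stripslashes() only compensates for what magic quotes added on the way in, while the prepared statement (or mysql_real_escape_string() with the old extension) protects the query on the way out, and htmlspecialchars() protects the page. Values held in $_POST, $_GET or $_SESSION between those points are just strings and need no escaping of their own.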