Posted by Marcus on 11/03/05 02:06
Hello,
 My php.ini file currently has magic quotes set to On, but I have read
 that it is better to code with it off.
 
 Currently with magic quotes on, I only use stripslashes() to properly
 format strings that are displayed on the screen.  I know that now with
 magic quotes off, I will have to manually handle escaping special
 characters with mysql_real_escape_string() or addslashes().
 
 My question is this... from what I can gather on php.net and some other
 sources, mysql_real_escape_string() is better than addslashes(), so am I
 correct in saying that I don't ever need to use addslashes()?
 
 I know I need to use one of these functions when formatting queries to
 MySQL to prevent SQL injection attacks, but how about when I am just
 dealing with variables in $_POST, $_GET, and $_SESSION?  With magic
 quotes on, when I perform a SELECT and a row has a single quote in the
 result, for example, magic quotes will automatically add a \ to the
 value.  Is there any security risk or other drawback in not escaping out
 special characters that I am just working with in the code, and then
 formatting everything right before sending to the database?
 
 Thanks a lot in advance.
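The discipline the question is circling, keep the submitted value raw in $_POST/$_SESSION and escape it only at the boundary it is about to cross, as an added example that is not part of the original post. It assumes PHP with the pdo_sqlite extension so it runs offline; the mysql_* functions named in the question need a live MySQL connection, so PDO prepared statements stand in for mysql_real_escape_string() as the "escape right before the database" step, and a constructed $post array stands in for $_POST. The addslashes() probe at the end is there because addslashes() hard-codes MySQL-style backslash escaping, which SQLite does not use, which is one concrete reason a connection-aware escape function beats a generic one.

```php
<?php
// Added example, not code from the original post. Assumptions: pdo_sqlite is
// available; $post is a constructed stand-in for $_POST; PDO prepared
// statements replace mysql_real_escape_string() as the boundary escape.

// Constructed input as it arrives with magic_quotes_gpc = Off (raw, no slashes).
$post = array(
    'name'   => "O'Reilly",        // legitimate apostrophe in data
    'search' => "x' OR '1'='1",    // classic injection attempt
);

// What magic quotes did on input: addslashes() over every value. If the code
// then escapes again at query time, the data is double-escaped.
$slashed = addslashes($post['name']);   // one level of escaping
$double  = addslashes($slashed);        // escaping an already escaped value
echo "magic-quotes style:  {$slashed}\n";
echo "escaped twice:       {$double}\n";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");

// Store the raw value; the driver handles quoting at the database boundary.
$insert = $db->prepare("INSERT INTO users (name) VALUES (:name)");
$insert->execute(array(':name' => $post['name']));

// Reading it back: the apostrophe comes out exactly as stored, nothing to
// stripslashes() because nothing was ever slashed.
$name = $db->query("SELECT name FROM users WHERE id = 1")->fetchColumn();
echo "stored value:        {$name}\n";

// Escaping for the other boundary (HTML output) is a separate step with a
// separate function; the database escape does nothing for XSS.
echo "for HTML output:     " . htmlspecialchars($name, ENT_QUOTES) . "\n";

// Unsafe: the query is built by string concatenation, so the attacker's
// quote becomes SQL syntax and the WHERE clause matches every row.
function unsafe_count(PDO $db, $search)
{
    $sql = "SELECT COUNT(*) FROM users WHERE name = '" . $search . "'";
    return (int) $db->query($sql)->fetchColumn();
}

// Safe: the value is bound as a parameter, so the quote stays data.
function safe_count(PDO $db, $search)
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE name = ?");
    $stmt->execute(array($search));
    return (int) $stmt->fetchColumn();
}

// Generic escaping: addslashes() emits backslash escapes, which is MySQL's
// convention but not SQLite's (SQLite doubles the quote instead), so the
// query is rejected even for the harmless name. The escape has to match the
// database the query is actually sent to.
function addslashes_count(PDO $db, $search)
{
    $sql = "SELECT COUNT(*) FROM users WHERE name = '" . addslashes($search) . "'";
    try {
        return (int) $db->query($sql)->fetchColumn();
    } catch (PDOException $e) {
        return 'query rejected by the database: ' . $e->getMessage();
    }
}

echo "unsafe_count:        " . unsafe_count($db, $post['search']) . "\n";
echo "safe_count:          " . safe_count($db, $post['search']) . "\n";
echo "addslashes_count:    " . addslashes_count($db, $post['name']) . "\n";
```

Run it with `php example.php`. unsafe_count() returns the full row count for the injection input while safe_count() returns 0, and the addslashes() variant fails against SQLite even on the legitimate name, which is the same class of mismatch (wrong escaping rules for the target connection, including its character set) that mysql_real_escape_string() exists to avoid on MySQL.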