Posted by Oli Filth on 11/06/05 01:35

Cameri said the following on 05/11/2005 21:57:
> If you use On, PHP will automatically escape single and double quotes,
> backslashes and null characters, you'll have to use stripslashes() if
> you want the original string. This reduces efficiency because, you
> don't always need to escape every single string, but in the other hand,
> protects you a bit more from SQL injection.

Except, of course, that if you want your script to be portable, then
you'll have to manually test for magic_quotes_gpc setting, and if it's
"Off", then you'll have to manually escape anyway.

And, of course, the fact that it doesn't really help that much against
SQL injection, because escape syntax varies between SQL variants. The
results of magic_quotes aren't strictly correct for MySQL, and not at
all correct for MS SQL Server nor PostgreSQL.


--
Oli

• Next in forum: Re: back slashes and preg_replace's e modifier
• Prev in forum: Re: back slashes and preg_replace's e modifier
• Thread view: Re: magic_quotes_gpc ?

[Reply to this message]