RE: [PHP] MySql injections (related question)

Posted by Richard Lynch on 05/13/05 02:42

On Thu, May 12, 2005 1:44 am, Kim Madsen said:
>> -----Original Message-----
>> From: Richard Lynch [mailto:ceo@l-i-e.com]
>> Sent: Thursday, May 12, 2005 8:47 AM
>
>> I'd bet a dollar that if the MySQL C Client library changed what needs
>> escaping, addslashes would change with it.
>
> Ehhh? I think not. Let's let a mind game (can't spell hypo..whatever :-)
> and say that the MySQL folk figures out they wanna use the same way for
> escaping as PostgreSQL, then addslashes() would add ' ? The whole idea of
> name convention is gone then :-)
>
> But I do agree with You, need to hear *WHY* the mysql_real_escape_string()
> is better (and a so fu****' long word :)
>
>> What problem do you think addslashes() was written to solve?
>
> For those who have magic quotes off? I still can figure out why some people
> hate that setting so much? Though one's not safe with only magic quotes,
> addslashes() is needed too...

Kim, I'm sorry, but it's blatantly clear that you don't understand Magic
Quotes and addslashes().

Magic Quotes calls addslashes() automatically on data coming from
GET/POST/COOKIE. (And maybe from other sources, depending on php.ini)

It's that simple.

You would NEVER use both Magic Quotes and addslashes() on the same chunk
of data.

That would just escape the escape characters and screw up your data, so
you'd need to use stripslashes() on all data coming *OUT* of the database,
to un-do the second addslashes() you called on the data you never should
have called it on in the first place.

Which is not to say I haven't seen a few zillion newbies, and even
journeyman scripts, do this, as the programmers incorrectly believed
that's what they needed to do.

I'm almost certain that both addslashes() and Magic Quotes were designed,
from the get-go, to escape data being sent to mSQL/MySQL, but I'm waiting
to hear from, say, Rasmus, that that's true. Wanna bet money on it? I
got a dollar.

--
Like Music?
http://l-i-e.com/artists.htm
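The double-escaping problem Richard describes, as an added example that is not part of the original thread or anyone's posted code. It simulates Magic Quotes with `addslashes()`, shows what a second `addslashes()` does to the stored value, and then stores the same value through a prepared statement. It assumes PHP 7 or later (where both Magic Quotes and the old `mysql_*` functions are gone) with the `pdo_sqlite` driver, so it runs without a MySQL server; `simulateMagicQuotes()` and `unescapeLiteral()` are constructed helpers, not PHP or MySQL APIs.

```php
<?php
// Added example, not code from the original thread. Simulates the Magic Quotes
// behaviour described in the post, shows why a second addslashes() corrupts the
// data, then stores the same value with a prepared statement (PDO + SQLite, so
// it runs without a MySQL server). Assumes PHP 7+ with the pdo_sqlite driver.

// What Magic Quotes did automatically: addslashes() on every GET/POST/COOKIE
// value before the script ever saw it. Constructed helper, not a PHP API.
function simulateMagicQuotes(array $request): array
{
    return array_map('addslashes', $request);
}

// Emulates how a database unescapes a backslash-escaped string literal, so we
// can see what would actually land in the table. Constructed helper.
function unescapeLiteral(string $escaped): string
{
    return stripslashes($escaped);
}

// Constructed request value containing a single quote.
$request = ['name' => "O'Reilly"];

// Case 1: Magic Quotes only. One layer of escaping; the server strips it
// again and stores the original O'Reilly. This is the intended use.
$magic = simulateMagicQuotes($request);
$storedOnce = unescapeLiteral($magic['name']);

// Case 2: Magic Quotes plus a redundant addslashes(). The backslash that Magic
// Quotes added is itself escaped, so after the server unescapes the literal a
// stray backslash remains in the stored value.
$double = addslashes($magic['name']);
$storedTwice = unescapeLiteral($double);

// The workaround the post describes: stripslashes() on everything read back
// out of the database, to undo the addslashes() that should never have run.
$repaired = stripslashes($storedTwice);

printf("once: %s | twice: %s | repaired: %s\n", $storedOnce, $storedTwice, $repaired);

// Case 3: no escaping at all. A prepared statement sends the value separately
// from the SQL text, so the server's quoting rules never touch the data. (With
// Magic Quotes still on, the bound value would already carry the stray
// backslash, which is why that setting was so unpopular with this style.)
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT)');
$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute([':name' => $request['name']]);
$row = $pdo->query('SELECT name FROM users')->fetch(PDO::FETCH_ASSOC);
printf("prepared: %s\n", $row['name']);
```

Run it with `php double_escape.php`. Cases 1 and 2 differ only in the extra `addslashes()` call, and the difference is exactly the corruption the post attributes to applying both Magic Quotes and `addslashes()` to the same data. Case 3 is the reason the escaping debate in this thread is moot today: with bound parameters there is nothing to escape, whichever client library or server is on the other end.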
