Posted by frizzle on 03/13/06 20:36
Oli Filth wrote:
> ZeldorBlat said the following on 13/03/2006 17:50:
> > _mario.lat@libero.it wrote:
> >> What is set_magic_quotes_runtime useful for?
> >> Thank you in advance,
> >> Mario.
> >
> > According to the manual at <http://www.php.net/magic_quotes>, magic
> > quotes are useful for:
> >
> > o Beginners
> > o Convenience
> >
>
> Unfortunately, in reality, they're useful for neither of these:
>
> * Magic quotes (addslashes()) don't necessarily create correct escape
> sequences for a given DB, e.g. it's incorrect for MS SQL. Therefore,
> it's more sensible to use a specific escape function, e.g.
> mysql_real_escape_string() for MySQL.
>
> * On many servers, magic_quotes settings will be off. Therefore, for
> cross-server compatibility, your code will need to detect this situation
> and correct for it, which completely negates any "benefits" of magic
> quotes, and makes your code longer.
>
> * There are plenty of situations where you will want data in an
> unescaped form, so magic_quotes is a pain in the arse.
>
>
> However, I have no idea what the point of magic_quotes_runtime is.
>
>
> --
> Oli

Not sure if it's any help, but on posted data from a form, I use the
following function:

    function RawPost( $string )
    {
        // Undo magic_quotes_gpc escaping only when it is enabled
        if ( get_magic_quotes_gpc() ) $string = stripslashes( $string );
        return $string;
    } // RawPost()

In reality, to use $_POST['data'] in a query I'd use it as follows:

    mysql_real_escape_string( RawPost( $_POST['data'] ) )

Makes sure you don't end up escaping things multiple times, and keeps
your text clean ...

Frizzle.
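
An added example, not part of any post in this thread: it walks one constructed input through the two problems discussed above, addslashes()-style escaping in a database that doubles quotes instead of using backslashes, and escaping the same value twice. All helper names are hypothetical, and a small literal reader stands in for a real database so the script runs without a server.

```php
<?php
// Added illustration: helper names are hypothetical, the input is constructed.

// What magic_quotes_gpc did to each GET/POST/cookie value.
function simulate_magic_quotes(string $raw): string
{
    return addslashes($raw);
}

// Undo magic quotes once, and only if they were applied (the RawPost() idea).
function raw_input(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Escaping for dialects that double single quotes and treat backslash as an
// ordinary character (MS SQL, SQLite).
function escape_quote_doubling(string $raw): string
{
    return str_replace("'", "''", $raw);
}

// Minimal reader for such a dialect: takes text starting at an opening quote,
// returns [value the database would store, text left after the closing quote].
function read_literal(string $sql): array
{
    $out = '';
    for ($i = 1, $n = strlen($sql); $i < $n; $i++) {
        if ($sql[$i] !== "'") { $out .= $sql[$i]; continue; }
        if ($i + 1 < $n && $sql[$i + 1] === "'") { $out .= "'"; $i++; continue; }
        return [$out, substr($sql, $i + 1)];
    }
    return [$out, ''];
}

$typed  = "O'Reilly";                     // what the user entered (constructed)
$posted = simulate_magic_quotes($typed);  // what the script receives

$cases = [
    'magic quotes only'           => $posted,
    'magic quotes + DB escape'    => escape_quote_doubling($posted),
    'strip first, then DB escape' => escape_quote_doubling(raw_input($posted, true)),
];
foreach ($cases as $label => $escaped) {
    [$stored, $rest] = read_literal("'" . $escaped . "'");
    printf("%-28s stored=%-10s leftover=%s\n", $label, $stored, $rest);
}
```

Only the third case stores the text exactly as typed with nothing left over. The first closes the literal early, so the rest of the input lands outside the string, and the second stores a stray backslash.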