Posted by Jerry Stuckle on 05/09/06 14:18
Drakazz wrote:
> What about removing the backslashes from _GET/_POST/_COOKIE/_REQUEST
> and making it a real raw variable instead of "cleaning" it.
> Only "clean" things when they are in an SQL query, and you do
> addslashes() with the variable. This saves you time and the magic
> quotes are unnecessary in the first place (where people don't know how
> to protect themselves from SQL injection)...
>
> Take this for a good example:
> http://de2.php.net/manual/en/function.stripslashes.php#60786
> Initialize it at the start and then work with that. I am aware of the
> "double" usage but I am also aware that you sometimes can get beaten by
> the magic quotes ;] (so do it now, not later!)
>
I wouldn't call it a *good* example. Just someone asking about how to do
something and some suggestions.
Like William, I leave $_GET, $_POST, etc. strictly alone. If I need to clean a
value, I clean it and save it in another variable.
And you shouldn't be using addslashes() with MySQL - you should be using
mysql_real_escape_string().
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
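The pattern discussed in this thread (leave the superglobals untouched, undo magic quotes once into a separate raw copy, and quote only at the SQL boundary), as an added example that is not part of the original post. It assumes the pdo_sqlite extension so it runs offline; the table, the simulated POST data and the function names are constructed for the illustration.

```php
<?php
// Added example, not from the thread. The superglobals are never modified:
// a raw copy is made once, and quoting happens only where the SQL is built.

// Return a copy of $source[$key] with magic-quote backslashes removed.
// $source (e.g. $_POST) is left exactly as PHP populated it.
function raw_input(array $source, string $key, ?bool $magic_quotes_on = null): string
{
    if (!array_key_exists($key, $source)) {
        return '';
    }
    if ($magic_quotes_on === null) {
        // get_magic_quotes_gpc() was removed in PHP 8; treat "missing" as off.
        $magic_quotes_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    $value = (string) $source[$key];
    return $magic_quotes_on ? stripslashes($value) : $value;
}

// Look up a user by name with a bound parameter: the driver quotes the
// value, so the raw string (apostrophe included) never touches the SQL text.
// If you build the query string by hand on MySQL, this is the one place to
// call mysqli_real_escape_string() (the old mysql_ extension is gone in PHP 7).
function find_user(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// In-memory database with one row whose name contains an apostrophe.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('O''Reilly')");

// Constructed input: what $_POST['name'] held when magic_quotes_gpc was on.
// The third argument simulates that setting so the example behaves the same
// on modern PHP, where magic quotes no longer exist.
$simulated_post = ['name' => "O\\'Reilly"];

$name = raw_input($simulated_post, 'name', true);   // "O'Reilly"
var_dump($simulated_post['name']);                  // still "O\'Reilly": untouched
var_dump(find_user($db, $name));                    // array: id 1, name O'Reilly
var_dump(find_user($db, $simulated_post['name']));  // NULL: the backslash was never stripped
```

The last lookup is the "beaten by the magic quotes" case from the thread: the un-stripped value is a different string, so the row is not found, and stripping it a second time elsewhere would corrupt a legitimate backslash.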