Posted by Pedro Graca on 11/19/06 16:17
Jerry Stuckle wrote:
> Andrew C wrote:
>>
>> In their example, wouldn't magic quotes be sufficient to thwart the attack?
>>
>
> First of all, magic_quotes is bad. It changes the data without the
> user's knowledge. Even worse, it can be turned on or off - either
> breaking scripts or requiring extra gyrations to handle either on or off.
>
> Second, mysql_real_escape_string() is a mysql function sensitive to the
> charset in use in the table. It is also designed specifically for
> inserting into/updating a MySQL database. magic_quotes is a generic
> function, not sensitive to character sets.
Third, magic_quotes will be removed in PHP 6.
http://www.corephp.co.uk/archives/19-Prepare-for-PHP-6.html
--
I (almost) never check the dodgeit address.
If you *really* need to mail me, use the address in the Reply-To
header with a message in *plain* *text* *without* *attachments*.
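An added example (not from the thread, and not PHP's or MySQL's own code) that makes the charset point above concrete and goes a step beyond what the thread states: under a GBK connection charset the byte 0xBF followed by a quote is not a valid character, but 0xBF followed by the backslash that magic_quotes or addslashes() inserts is, so a charset-unaware escaper can manufacture a valid multibyte character and leave the quote bare. The GBK byte ranges, the escaping rules and the quoted-string lexer below are simplified models written for this example (an assumption, not a description of MySQL internals); the inputs are constructed.

```php
<?php
declare(strict_types=1);

// Example code, not from the original thread. Simplified GBK model:
// lead byte 0x81-0xFE, trail byte 0x40-0xFE except 0x7F.
function gbk_is_lead(int $b): bool  { return $b >= 0x81 && $b <= 0xFE; }
function gbk_is_trail(int $b): bool { return $b >= 0x40 && $b <= 0xFE && $b !== 0x7F; }

// Charset-unaware escaping: what magic_quotes_gpc / addslashes() do.
function naive_escape(string $s): string
{
    return addslashes($s);
}

// Charset-aware escaping, modelled (assumption) on what a real escaper does
// once it knows the connection charset:
//  1. a valid multibyte character is copied through untouched;
//  2. a byte that looks like a lead byte but has no valid trail is itself
//     backslash-escaped, so a later "\" can never complete a new character;
//  3. quotes, backslashes and NUL are escaped as usual.
function gbk_aware_escape(string $s): string
{
    $out = '';
    $n = strlen($s);
    for ($i = 0; $i < $n; $i++) {
        $b = ord($s[$i]);
        if (gbk_is_lead($b)) {
            if ($i + 1 < $n && gbk_is_trail(ord($s[$i + 1]))) {
                $out .= $s[$i] . $s[$i + 1];   // rule 1
                $i++;
                continue;
            }
            $out .= '\\' . $s[$i];             // rule 2
            continue;
        }
        // rule 3
        $out .= strtr($s[$i], ["'" => "\\'", '"' => '\\"', '\\' => '\\\\', "\0" => '\\0']);
    }
    return $out;
}

// Simplified model (assumption) of how a GBK-aware SQL lexer consumes a
// single-quoted literal: a valid multibyte character is skipped whole, a
// backslash consumes the following byte, the first bare quote ends the
// literal. Returns the byte offset of that quote, or null if none is found.
function literal_end(string $bytes): ?int
{
    $n = strlen($bytes);
    for ($i = 0; $i < $n; $i++) {
        $b = ord($bytes[$i]);
        if (gbk_is_lead($b) && $i + 1 < $n && gbk_is_trail(ord($bytes[$i + 1]))) {
            $i++;
            continue;
        }
        if ($bytes[$i] === '\\') { $i++; continue; }
        if ($bytes[$i] === "'")  { return $i; }
    }
    return null;
}

// True when the literal ends exactly at the trusted closing quote, i.e. the
// escaped value neither terminated the string early nor swallowed the quote.
function literal_intact(string $escaped): bool
{
    $sql  = "SELECT id FROM users WHERE name = '" . $escaped . "' AND active = 1";
    $body = substr($sql, strpos($sql, "'") + 1);
    return literal_end($body) === strlen($escaped);
}

// Constructed inputs: an injection attempt led by a lone 0xBF, and the
// legitimate two-byte GBK character 0xBF 0x5C whose trail byte is "\".
$cases = [
    "\xbf' OR 1=1 -- " => 'lone lead byte 0xBF followed by a quote',
    "\xbf\x5c"         => 'valid GBK character 0xBF5C',
];

foreach ($cases as $input => $label) {
    echo $label, ":\n";
    foreach (['naive_escape', 'gbk_aware_escape'] as $fn) {
        $escaped = $fn($input);
        printf("  %-16s bytes=%-36s intact=%s\n", $fn, bin2hex($escaped),
               literal_intact($escaped) ? 'yes' : 'no');
    }
}
```

Run it with the php command-line binary; it needs no database. For the first input the naive escaper yields the bytes BF 5C 27, which the lexer reads as one character plus a bare quote, so the rest of the input becomes SQL; the charset-aware escaper yields 5C BF 5C 27 and the literal survives. For the second input the naive escaper breaks legitimate GBK text by escaping its trail byte. In real code the escaper only knows the charset if the client library has been told it (mysql_set_charset(), PHP 5.2.3 and later, rather than a bare SET NAMES), and prepared statements with bound parameters (mysqli or PDO) avoid escaping the value into the SQL text altogether.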