|
Posted by MattMika on 02/23/07 22:51
In the pursuit of better coding practices and security understanding I
just disabled magic_quotes_gpc on our webserver(php-4.3.11,
mysql-4.1.11) and am implementing escaping on GPC data thats used in
queries or written to the DB.
When I execute an insert of $_POST["description"]; with the value
O'Reilly
- without mysql_real_escape_string() I get a SQL syntax error near the
single quote.
- with mysql_real_escape_string() the field is written as O'Reilly in
the db field.
I was under the impression that escaped strings would be written to
the DB like O/'Reilly, but its not.
The manual says:
"Returns the escaped string, or FALSE on error."
So mysql removes the escapes once it determines data to be escaped
properly? I assume for the purpose that you dont have to stripslashes
from queried data? Is this right?
Also, should I worry about escaping all data in GPC or only user input
$_POST and possibly modified $_GET data? For instance, should I escape
$_POST arrays populated by checkboxes? I assume it could be hacked for
injection purposes as well so should be checked.
TIA
Matt Mika
Matt Mika
"These animals evacuate ethyl alcohol from their bowels and carbon dioxide from their urinary organs. Thus, one can observe how a specially lighter fluid is exuded from the anus and rises vertically whereas a stream of carbon dioxide is ejected at very short intervals from enormously long genitales."
Justus Freiherr von Liebig - 1839
[Back to original message]
|