Posted by shimmyshack on 03/23/07 23:24
On Mar 23, 10:33 pm, "Simon Harris" <too-much-s...@makes-you-fat.com>
wrote:
> > It's weird... if magic_quotes_runtime were on, that would be the cause.
> > But if its off, I suppose that when you insert data into mysql using
> > mysql_real_escape_string(), it's in fact quoted twice before inserting.
>
> > Maybe you're inserting data that comes from GET/POST?
> > If so, check also magic_quotes_gpc directive.
>
> magic_quotes_gpc is on, and yes I am inserting data from a POST.
>
> I take it from this there is a conflict when using
> mysql_real_escape_string() together with magic_quotes_gpc; as I understand
> it, my POST data is effectively being double escaped?
>
> I wish I could remember why I started using mysql_real_escape_string() in
> the first place - there was something that wasn't working, but perhaps I
> mis-diagnosed it, although mysql_real_escape_string() fixed the issue!
Don't stop: it is the preferred, recommended, and only real way to
escape data to prevent SQL injection; fix whatever is conflicting with
it. Magic stuff is a pain and useless at preventing SQL injection. Get
rid of it and do what you have to. Never rely on magic this and
fancy that; code well and leave all that old stuff out.
>
> Thank you for your help - I will stop using mysql_real_escape_string() for
> now and wait for the issue to reappear, then have a re-think. Although if I
> am wrong in what I have posted above... please do let me know!
>
> Simon.
>
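The double escaping Simon describes, as an added example that is not code from the thread: with magic_quotes_gpc = On, PHP has already backslash-escaped $_POST before mysql_real_escape_string() runs, so the value is escaped twice and the stored string keeps a backslash. The example assumes no MySQL link is available, so addslashes() stands in for mysql_real_escape_string($value, $link) (equivalent for this input; real code must use the mysql_* call, which needs the open connection); the helper names are my own.

```php
<?php
// Added example, not code from the thread. Shows why magic_quotes_gpc = On
// combined with mysql_real_escape_string() stores doubled escaping, and the
// fix: undo the magic-quotes layer first, then escape exactly once.
//
// Assumption: no MySQL link is available here, so addslashes() stands in for
// mysql_real_escape_string($value, $link). For the apostrophe and backslash
// used below the two behave the same; production code must use the mysql_*
// call because it needs the connection's charset to escape correctly.
function escape_for_mysql($value) {
    return addslashes($value);   // stand-in, see note above
}

// Normalise GPC input: if PHP already backslash-escaped it (magic_quotes_gpc),
// strip that layer so the value is escaped once, by us, below.
// $magic_on is passed in so the demo is deterministic; real code reads it
// with get_magic_quotes_gpc() (the directive itself was removed in PHP 5.4).
function normalise_gpc($value, $magic_on) {
    return $magic_on ? stripslashes($value) : $value;
}

// Rough model of how MySQL decodes a backslash-escaped string literal, used
// only to show what ends up in the table.
function stored_value($sql_literal) {
    return stripslashes($sql_literal);
}

// Constructed sample: the user typed O'Reilly; with magic_quotes_gpc = On,
// $_POST['name'] arrives as O\'Reilly.
$typed      = "O'Reilly";
$post_value = addslashes($typed);

// Buggy path (Simon's setup): escaping the pre-escaped value puts O\\\'Reilly
// in the SQL literal; MySQL decodes that to O\'Reilly, backslash included.
$buggy = escape_for_mysql($post_value);

// Fixed path: strip the magic-quotes layer, then escape once. The literal is
// O\'Reilly and the stored value is the original O'Reilly.
$fixed = escape_for_mysql(normalise_gpc($post_value, true));

printf("buggy: literal '%s' -> stored %s\n", $buggy, stored_value($buggy));
printf("fixed: literal '%s' -> stored %s\n", $fixed, stored_value($fixed));
```

Note that both magic quotes and the mysql_* extension are gone from current PHP (removed in 5.4 and 7.0 respectively), so this only reproduces the behaviour of the PHP 5 setup discussed here.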