Posted by Jeffery Fernandez on 02/10/05 14:41

Jochem Maas wrote:

> Ben Edwards (lists) wrote:
>
>> Am I correct in thinking Magic Quotes automatically adds quotes to all
>> posted variables, therefore if you are displaying post variables on a
>> form you have to remove the quotes. They are only needed if you are
>> actually inserting/updating into the database. Whether magic quotes
>> are on or not you do not actually have to do anything to data fetched
>> from the database. If magic quotes are not on you have to add slashes
>> before you add to the database.
>
> you get the gist of it.... bear in mind _many_ people including actual php
> developers avoid magic_quotes like the plague cos it's a PITA.
>
> basically your input to the DB should be properly escaped (there are special
> functions for this also, depending on your DB, I use a lot of firebird and
> it's capable of parameterized queries - making it impossible to do SQL
> injection if you use the parameterized markup).
>
> AND anything you output to the browser should be sanitized properly as well...
> go to phpsc.net and read everything there - it's a good/solid introduction to
> writing secure php code (e.g. how to combat XSS etc). phpsc.net is headed by
> Chris Shiflett - a veritable goldmine of php related knowledge.... do yourself
> a favor... read his stuff :-) any questions that arise from reading that are
> welcome here :-)
>
>> There is also another function you need to pass stuff through if you are
>> going to use it in an <input type=text or <textarea>, what is that
>> function?
>
> htmlentities()
>
>> Ben
>
http://phpsec.org/ it should be ;-)

cheers,
Jeffery
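The three steps the thread covers (undo magic quotes, parameterized DB input, htmlentities() on output), as an added example that is not part of the original posts; it assumes a PDO connection and a `notes(id, body)` table, both constructed in-memory here.

```php
<?php
// Added example, not from the thread. Assumed schema: notes(id, body).

// 1. Undo magic quotes so the raw value is the same whatever php.ini says.
//    magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in
//    PHP 8.0, so the check is guarded with function_exists().
function raw_input(array $source, string $key): string
{
    $value = $source[$key] ?? '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// 2. Database input: a parameterized query (the approach the reply describes
//    for Firebird); the driver quotes the value, so addslashes() is not used.
function save_note(PDO $db, string $body): void
{
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// 3. Browser output: htmlentities() with ENT_QUOTES so the value is safe
//    both inside a quoted attribute value and inside <textarea>.
function form_value(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: a value containing a quote and a tag, as if POSTed.
$body = raw_input($_POST + ['body' => "O'Reilly <b>bold</b>"], 'body');

if ($body !== '') {
    $db = new PDO('sqlite::memory:');  // assumed connection for the demo
    $db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');
    save_note($db, $body);
}
?>
<form method="post">
  <input type="text" name="body" value="<?= form_value($body) ?>">
  <textarea name="body2"><?= form_value($body) ?></textarea>
</form>
```

Data read back from the database needs no stripslashes() either way, which matches the point made in the first quoted message.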



Copyright © 2005-2006 Powered by Custom PHP Programming
