Posted by Oli Filth on 09/09/05 19:05
Geoff Berrow said the following on 09/09/2005 13:10:
> I noticed that Message-ID: <43216bc2$1@news1.homechoice.co.uk> from
> elyob contained the following:
>
>
>>Great stuff. Thanks for that, the default php.ini had this. It's now gone. I
>>seem to remember one of the main PHP developers writing that magic quotes is
>>stupid and should be dropped.
>
>
> You only need to url encode data that is going in a URL (duh...).
>
> And don't forget that your database security is now down to you in this
> and all future projects.
Yes, I'll echo that sentiment.
>
> (you could have just used stripslashes() )
IMO, using mysql_real_escape_string() once to put a value into a SELECT
query is far less annoying than having to use stripslashes() all over
the place...
Furthermore, magic quotes don't escape all the necessary characters to
make a string safe for SQL.
--
Oli
[Back to original message]
|