Posted by Oli Filth on 11/01/05 01:49
Pasquale said the following on 31/10/2005 07:00:
> I have set up a registration for an event where captains can input and
> update their team information. I need to allow certain meta characters
> for their team names, such as ?, ', #, (), &.
>
> With magic_quotes_gpc ON I still cannot insert into the database the
> single quote (') within a teamname without using addslashes. I receive a
> mysql error. The PHP manual says not to use addslashes when
> magic_quotes_gpc is ON, but it doesn't work unless I do.?
>
Don't use magic quotes, full stop. They're a stupid idea, the PHP
developers have realised this and are slowly trying to dissuade people
from using them:
"It's preferred to code with magic quotes off and to instead escape the
data at runtime, as needed." (PHP manual)
What's more, they aren't actually much good for the job they were
originally intended for, safe query construction. If you're using MySQL (you
didn't mention what DB you're using, so I'm taking a guess), use
mysql_real_escape_string() instead.
--
Oli
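
Added example, not part of the thread: it shows why escaping a value that magic quotes has already escaped puts backslashes into the stored team name, and what escaping once at the point of use looks like. It assumes PDO with an in-memory SQLite database so it runs without a MySQL server; PDO::quote() stands in for mysql_real_escape_string(), and the helper name, table and team name are made up for illustration.

```php
<?php
// Added example, not code from the thread. In-memory SQLite via PDO stands
// in for MySQL; PDO::quote() plays the role of mysql_real_escape_string().
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE teams (id INTEGER PRIMARY KEY, name TEXT)');

// Hypothetical helper: escape at the point of use, insert, then read the
// stored value back so it can be compared with what the captain typed.
function storeAndFetch(PDO $pdo, string $name): string
{
    $pdo->exec('INSERT INTO teams (name) VALUES (' . $pdo->quote($name) . ')');
    $id = (int) $pdo->lastInsertId();
    return $pdo->query('SELECT name FROM teams WHERE id = ' . $id)->fetchColumn();
}

// Constructed team name using the characters listed in the question.
$raw = "O'Neil's #1 (A&B)?";

// magic_quotes_gpc ran addslashes() over every GET/POST/cookie value,
// so this is what the script received when the setting was on.
$magicQuoted = addslashes($raw);

// Case 1: magic quotes off, value escaped once when the query is built.
$plain = storeAndFetch($pdo, $raw);

// Case 2: magic quotes on and the value escaped again on top of that.
$doubled = storeAndFetch($pdo, $magicQuoted);

// Case 3: magic quotes on, undone with stripslashes(), then escaped once.
$undone = storeAndFetch($pdo, stripslashes($magicQuoted));

foreach (['escaped once' => $plain,
          'magic quotes + escape' => $doubled,
          'stripslashes + escape' => $undone] as $label => $stored) {
    printf("%-24s %-24s %s\n", $label, $stored,
           $stored === $raw ? 'intact' : 'CORRUPTED');
}
```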