On Thu, 16 Oct 2003, Jon Kriek wrote:

> I concur, assign the superglobal array to a variable ...
>
> $Name = stripslashes($_POST['elementName']);
> $sql = "INSERT INTO $table SET Name='$Name'";
>
> ... and then use that opportunity to run additional checks on the content.

 Again, waste of variable space, and makes what you are doing less
 readable.  You also don't want to strip slashes most likely.  If you have
 magic_quotes turned on, PHP will automatically backslash any escaped
 characters (', /, some others), so you don't need to use addslashes on
 that variable.  If it is not turned on, you will need to addslashes on
 your post variable.

 magic_quotes turned on
 You don't know "me"! => $_POST['elementName'] == You don\'t know \"me\"!

 Turned off
 You don't know "me"! => $_POST['elementName'] == You don't know "me"!

 If you don't addslashes when magic_quotes are turned off, your select will
 fail, as the string will end at the first set of quotes (just after "know
 ").

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
[EMAIL PROTECTED]                             http://www.purplecow.com/
---------------------------------------------------------------------------

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
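The four combinations Beckman describes (magic_quotes on/off, with or without a second addslashes()), worked through as an added example. This is not code from the thread or from PHP itself: it emulates what magic_quotes_gpc did to a POSTed value with addslashes(), builds the same INSERT the thread uses (table name "people" and the sample input are assumptions), and a small scanner for a MySQL-style single-quoted literal reports where the server would actually see the string end and what would be stored. No database is needed.

```php
<?php
// Added example for this thread (not code from the original post). It models
// what magic_quotes_gpc did to a POSTed value and what each combination of
// magic_quotes and addslashes() does to the SQL that is actually sent.
// No database is needed: a small scanner for a MySQL-style '...' literal
// shows where the server would see the literal end. Table name "people"
// and the sample input are assumptions made for the example.

// magic_quotes_gpc backslashed ' " \ and NUL on arrival, i.e. addslashes().
function magic_quotes(string $raw): string
{
    return addslashes($raw);
}

// Scan a MySQL-style single-quoted literal whose opening quote is at $pos.
// Returns [decoded value, offset just past the closing quote], or null if
// the literal never closes.
function scan_literal(string $sql, int $pos): ?array
{
    $out = '';
    $n   = strlen($sql);
    for ($i = $pos + 1; $i < $n; $i++) {
        $c = $sql[$i];
        if ($c === '\\' && $i + 1 < $n) {
            $out .= $sql[++$i];            // backslash escape: take next byte as-is
        } elseif ($c === "'") {
            if ($i + 1 < $n && $sql[$i + 1] === "'") {
                $out .= "'";               // doubled quote is the other MySQL escape
                $i++;
            } else {
                return [$out, $i + 1];     // unescaped quote closes the literal
            }
        } else {
            $out .= $c;
        }
    }
    return null;
}

// Build the INSERT the way the thread does and report what the server sees.
function build_and_check(string $name): array
{
    $sql = "INSERT INTO people SET Name='$name'";
    $lit = scan_literal($sql, strpos($sql, "'"));
    if ($lit === null) {
        return ['sql' => $sql, 'ok' => false, 'stored' => null, 'rest' => ''];
    }
    [$value, $after] = $lit;
    $rest = substr($sql, $after);          // anything left is parsed as more SQL
    return ['sql' => $sql, 'ok' => $rest === '', 'stored' => $value, 'rest' => $rest];
}

// The check the thread is arguing about: escape exactly once, whichever way
// magic_quotes_gpc is set. get_magic_quotes_gpc() was removed in PHP 8, so
// it is guarded with function_exists(); on a modern PHP this always escapes.
function escape_once(string $posted): string
{
    $mq = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $mq ? $posted : addslashes($posted);
}

$raw = 'You don\'t know "me"!';            // constructed sample input from the thread

$cases = [
    'magic_quotes off, no addslashes'   => $raw,
    'magic_quotes off, addslashes'      => addslashes($raw),
    'magic_quotes on, no addslashes'    => magic_quotes($raw),
    'magic_quotes on, addslashes again' => addslashes(magic_quotes($raw)),
    'escape_once() on this PHP'         => escape_once($raw),
];

foreach ($cases as $label => $value) {
    $r = build_and_check($value);
    printf("%-35s %s\n  SQL:    %s\n  stored: %s\n",
        $label, $r['ok'] ? 'OK' : 'BROKEN', $r['sql'], var_export($r['stored'], true));
    if ($r['rest'] !== '') {
        printf("  parsed as SQL after the literal: %s\n", $r['rest']);
    }
}
```

Run it with the PHP CLI. The first case shows the literal closing at the apostrophe in "don't", with the rest of the input handed to the SQL parser; that leftover is exactly what an attacker controls, so this is the injection case and not merely a broken INSERT. The second and third cases produce identical SQL, which is why escaping must happen exactly once. The fourth case does not fail, which is what makes it easy to miss: the row is stored with stray backslashes in it. addslashes() is also unaware of the connection character set, so on MySQL the better per-connection escaper is mysql_real_escape_string()/mysqli_real_escape_string(), and the durable fix is to stop building the literal at all and bind the value as a parameter of a prepared statement (mysqli or PDO).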
