Can I know when magic_quotes_gpc starts adding slashes and stripping slashes?

I removed my EscapeShellCmd and my data is inserted and retrieved from the database 
just as I wanted. The problem now comes when I retrieve that data and immediately 
insert it into another table. Then I get a MySQL error 1064 whenever my value has 
a single quote in it.

For example:
$query1 = "select * from table where condition";

if(!($result1 = mysql_query($query1)))
  echo SQLError();

$var = mysql_fetch_array($result1);

$query2 = "insert into table2 set col1='".$var["col1"]."', col2='".$var["col2"]."', 
col3='".$var["col3"]."' etc...";

if(!($result2 = mysql_query($query2)))
  echo SQLError();

$query1 works perfectly fine of course, but $query2 gives me an error:
MySQL error: 1064 : You have an error in your SQL syntax near 's Good!', col2 = 'YES', 
' at line 15 (# 256).

The value retrieved from the database is: It's Good!

What happened?!


----- Original Message ----- 

> Ng Hwee Hwee wrote:
> > Just a quick question: does it mean I don't have to worry that my user may
> > type any commands in my text field that may hurt my system, since
> > magic_quotes_gpc is on?
> Heh...of course not. :) All magic_quotes is going to do for you is 
> escape quotes within your text. This will help with database queries but 
> not much else. You still need to be validating your data...
> -- 
> ---John Holmes...
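
Added example, not part of the original messages: magic_quotes_gpc escapes only incoming GET, POST and cookie values, so a value read back from the database carries its raw quote and ends the string literal early in a concatenated INSERT. The script below reproduces that failure and then copies the row with bound parameters. It assumes PDO with an in-memory SQLite database in place of the MySQL server, and the table and column names are constructed.

```php
<?php
// Added example. Assumption: in-memory SQLite via PDO stands in for the
// MySQL server so the script runs offline; table1/table2 are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE table1 (col1 TEXT, col2 TEXT)");
$db->exec("CREATE TABLE table2 (col1 TEXT, col2 TEXT)");

// Seed the source row. The database stores the value without backslashes,
// which is exactly what a later SELECT hands back.
$seed = $db->prepare("INSERT INTO table1 (col1, col2) VALUES (?, ?)");
$seed->execute(array("It's Good!", "YES"));

$row = $db->query("SELECT col1, col2 FROM table1")->fetch(PDO::FETCH_ASSOC);

// 1) Concatenation, as in the post: the quote inside the data closes the
//    SQL string literal, and the rest of the value is parsed as SQL.
$concatenated = "INSERT INTO table2 (col1, col2) VALUES ('"
    . $row['col1'] . "', '" . $row['col2'] . "')";
try {
    $db->exec($concatenated);
    echo "concatenated query: accepted\n";
} catch (PDOException $e) {
    echo "concatenated query: rejected (", $e->getMessage(), ")\n";
}

// 2) Bound parameters: the value travels separately from the SQL text, so
//    no escaping step is needed whether it came from a form or a table.
$copy = $db->prepare("INSERT INTO table2 (col1, col2) VALUES (:col1, :col2)");
$copy->execute(array(':col1' => $row['col1'], ':col2' => $row['col2']));

$copied = $db->query("SELECT col1 FROM table2")->fetchColumn();
echo "copied value: ", $copied, "\n";
echo "rows in table2: ", $db->query("SELECT COUNT(*) FROM table2")->fetchColumn(), "\n";
```

The same parse failure is the entry point for SQL injection when the stored value is attacker-influenced, which is why data read from the database gets the same treatment as request input.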
