At 23:34 +0100 1/15/02, Tomas V.V.Cox wrote:
>Lukas Smith wrote:
>>
>>  Actually the default is on and even though I do not like them myself I
>>  think this is what most people develop against. So I guess it might make
>>  things easier if you keep it on as well.
>
>I don't think it makes things easy. See what magic_quotes_gpc means:

I don't either.  If you're going to check or preprocess your information
before inserting it into MySQL (and dumping data received from users
straight into MySQL is, er, imprudent), you have to strip the slashes
anyway.

>quote in the MySQL style all the variables that come from POST, GET or
>COOKIES. So the default php installation blatantly assumes that: "All the
>vars you get from forms or cookies will be inserted in a MySQL database
>by a user who doesn't take care on quoting data before inserting (or it
>will result in double quoting)", does this make any sense?
>
>Just for informing people about this: turn off magic_quotes_gpc if you
>use placeholders (prepare/execute) with PEAR DB!!
>
>Tell people that they should take care of quoting data by themselves
>and tell them that there is nice mysql_escape_string() func for that. At
>least it would be kind if the build process could put this directive to Off
>if you use --without-mysql and also if more backends are specified.
>
>>  Anyways you can of course make your code aware of this feature and if
>>  its on or off (get_magic_quotes() ... iirc) .
>
>That is not always possible as many times you are unable to know if a var
>comes from "GPC" untouched or not. It's even worse, because people are
>not able to disable magic_quotes_gpc with ini_set() (for people who
>don't have access to php.ini or .htaccess).
>
>Just my wishes to see a change on this.
>
>Tomas V.V.Cox


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
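The double-quoting problem discussed in this thread, shown as an added example that is not code from any of the posters: undo what magic_quotes_gpc did to the request data once, up front, so that the database layer quotes the value exactly once through placeholders. The `$dsn` variable and the `users` table are assumptions for illustration.

```php
<?php
// Added example (not from the thread). Normalize GPC input so the rest of
// the script always sees the raw user value, regardless of whether
// magic_quotes_gpc is on, then let PEAR DB quote it once via placeholders.

// Recursively remove the backslashes that magic_quotes_gpc added to
// GET/POST/COOKIE data. Arrays (e.g. checkbox groups) are handled too.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// get_magic_quotes_gpc() only exists on PHP versions that still have the
// directive; on newer PHP the input is already raw and nothing is undone.
$magic_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
if ($magic_on) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Illustration of the failure mode Tomas describes: a value that arrived
// with magic quotes on and was then escaped again by the database layer.
// With the normalization above, $raw is "O'Reilly" and addslashes() is
// applied once; without it, the same input would end up as O\\\'Reilly.
$raw = isset($_POST['name']) ? $_POST['name'] : "O'Reilly"; // constructed sample
$escaped_once = addslashes($raw);   // what a single, correct quoting yields

// From here on the value is quoted by PEAR DB, not by hand.
// $dsn is an assumption, e.g. 'mysql://user:pass@localhost/app'.
require_once 'DB.php';
$db = DB::connect($dsn);
if (DB::isError($db)) {
    die($db->getMessage());
}
$sth = $db->prepare('INSERT INTO users (name) VALUES (?)');
$res = $db->execute($sth, array($raw));
if (DB::isError($res)) {
    die($res->getMessage());
}
```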
