Shawn McKenzie wrote:
> tedd wrote:
>>> I think you want to look for magic_quotes_gpc
>> You were right.
>> I'll fix it.
> I normally have a prep4display() and prep4store() type function that do
> all of the sanitization/prep for either storing or displaying. So
> prep4display() has a check for magic_quotes_gpc, for which it does
> stripslashes() if they are on and then htmlentities() etc., and the
> prep4store() can do mysql_real_escape_string() and whatever else.
Well, since this last post didn't make a whole lot of sense I thought
I'd clarify and add a little. So I use the prep4display() in an echo or
when building display output and prep4store() in a query etc.
The additions that I find useful sometimes are clean_from_input() and
clean_for_output() type functions, which may use the aforementioned ones.
You can call clean_from_input() like clean_from_input('some_getvar')
and it will check to see if the $_GET var (or more generally $_REQUEST
or $_GET || $_POST) is set and return it after stripping slashes if
magic_quotes_gpc is set, and whatever else. Then clean_for_output()
does some stuff for output when you need it. My point is that if you
build a function to retrieve get/post/cookie vars etc., then you can
clean it however you want and also build in the isset() stuff there so
it returns '' or false, etc., and you don't have all kinds of isset()
or !empty() calls in your main code.
So build some general purpose functions or methods that scrub input and
prep output and try to get them to handle as many cases as possible.
Then use those functions.
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
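As an added illustration of the helpers Shawn describes (this is not code from the thread; the function names, parameters and database credentials are my own assumptions), here is one way to write a clean_from_input() that builds in the isset() and magic_quotes_gpc handling, a prep4display() for HTML output and a prep4store() for SQL. The last part also shows the bound-parameter form that makes prep4store() unnecessary, since mysql_real_escape_string() no longer exists in current PHP.

```php
<?php
// Added example, not code from the thread: one way to write the
// clean_from_input() / prep4display() / prep4store() helpers sketched above.
// Function names, parameters and the database credentials are assumptions.

/** Recursively undo the slashes magic_quotes_gpc added to GET/POST/COOKIE data. */
function strip_magic_quotes($value)
{
    return is_array($value) ? array_map('strip_magic_quotes', $value) : stripslashes($value);
}

/**
 * Fetch a request variable and return $default if it is absent, so the
 * calling code needs no isset()/!empty() checks of its own.
 * $source defaults to $_REQUEST (GET, POST and COOKIE merged); pass $_POST
 * etc. to be stricter about where a value may come from.
 */
function clean_from_input($name, $default = '', $source = null)
{
    if ($source === null) {
        $source = $_REQUEST;
    }
    if (!isset($source[$name])) {
        return $default;
    }
    $value = $source[$name];
    // magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in
    // PHP 8.0; the guard keeps the helper working on both old and new PHP.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = strip_magic_quotes($value);
    }
    return $value;
}

/** Escape a value for HTML body text or a quoted attribute value. */
function prep4display($value)
{
    // ENT_QUOTES escapes both " and ', so the result is safe inside an
    // attribute delimited by either quote character. The charset must match
    // the page's declared encoding or multi-byte sequences can slip through.
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

/** Escape a value for use inside a single-quoted MySQL string literal. */
function prep4store(mysqli $db, $value)
{
    // Connection-aware escaping uses the connection's charset; plain
    // addslashes() does not, and mysql_real_escape_string() is gone in PHP 7.
    return $db->real_escape_string((string) $value);
}

// --- usage with a constructed request ------------------------------------
$_REQUEST['name'] = "O'Reilly <script>alert(1)</script>";

$name = clean_from_input('name');        // the raw string above
$age  = clean_from_input('age', 0);      // 0: 'age' was never sent

echo '<p>Hello, ' . prep4display($name) . '</p><p>Age: ' . prep4display($age) . "</p>\n";
// <p>Hello, O&#039;Reilly &lt;script&gt;alert(1)&lt;/script&gt;</p><p>Age: 0</p>

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make failures throw
try {
    $db = new mysqli('localhost', 'user', 'pass', 'app'); // assumed credentials
    // Escaping into the SQL string, as the thread describes:
    $sql = "INSERT INTO users (name) VALUES ('" . prep4store($db, $name) . "')";
    $db->query($sql);
    // Better still, a bound parameter needs no prep4store() at all:
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (?)');
    $stmt->bind_param('s', $name);
    $stmt->execute();
} catch (mysqli_sql_exception $e) {
    echo 'database step skipped: ' . prep4display($e->getMessage()) . "\n";
}
```

The escaping in prep4store() is only correct for a value placed inside a single-quoted string literal; it does nothing for numbers or identifiers spliced in unquoted, which is one more reason to prefer the bound-parameter form.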