I believe the escaping only occurs at the time GET/POST/COOKIE data is
brought into the PHP namespace from the server. I recommend you don't
remove escapes from a security standpoint. Do a search on "SQL injection"
to find info on how crackers can mess with you when data from the client is
not escaped. If you do choose to remove the escapes, be certain to really
tighten down your input validation before writing any of the user input to a


> -----Original Message-----
> From: Erik Price [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 04, 2002 11:50 AM
> Subject: [PHP] clarification on magic quotes
> The following quote is from
> http://www.php.net/manual/en/configuration.php#ini.magic-quotes-gpc
> """
> magic_quotes_gpc boolean
> Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When
> magic_quotes are on, all ' (single-quote), " (double quote), \
> (backslash) and NUL's are escaped with a backslash automatically. If
> magic_quotes_sybase is also on, a single-quote is escaped with a
> single-quote instead of a backslash.
> """
> I was hoping someone could just clarify something for me -- exactly WHAT
> is a Get/Post/Cookie operation in this case -- is it just during the
> uploading of Get/Post/Cookie data from the user agent, or is it also
> when I am taking a $_POST variable and passing it through a
> string-altering function, etc?
> I have a MySQL DB on the other side of my PHP scripts from the user, and
> am trying to decide whether or not I should stripslash() the data before
> entering it into the DB.  This would defeat the purpose, but otherwise I
> end up with columns with values like "Mike\'s Pleasure Hut" or "Jean
> D\'Arc", and this will make queries tricky in the future.
> Thank you for your advice.
> Erik
> ----
> Erik Price
> Web Developer Temp
> Media Lab, H.H. Brown
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
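
The trade-off discussed in this thread, as an added example that is not part of the original messages: a value escaped on arrival is stored with its backslashes when it is bound to a query as-is, while removing the escape and binding the value as a parameter stores the text the user typed without building SQL from it. Assumptions: in-memory SQLite via PDO stands in for the MySQL database, addslashes() reproduces the escaping the manual describes for magic_quotes_gpc (removed in PHP 5.4), and the table, column and function names are hypothetical.

```php
<?php
// Added example; SQLite in memory stands in for the MySQL DB in the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE shops (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample input: what the user typed in the form.
$typed = ["Mike's Pleasure Hut", "Jean D'Arc", 'C:\\temp "quoted"'];

// What the script would see with magic_quotes_gpc on: ', ", \ and NUL each
// get a leading backslash as the request data enters PHP.
$received = array_map('addslashes', $typed);

// Hypothetical helper: store each value with a bound parameter, then count
// how many rows an exact-match lookup on the originally typed text finds.
function store_and_find(PDO $db, array $values, array $typed): array
{
    $db->exec('DELETE FROM shops');
    $insert = $db->prepare('INSERT INTO shops (name) VALUES (:name)');
    foreach ($values as $value) {
        // The driver passes the value separately from the SQL text, so
        // quotes and backslashes in it are data, never query syntax.
        $insert->execute([':name' => $value]);
    }
    $find = $db->prepare('SELECT COUNT(*) FROM shops WHERE name = :name');
    $hits = [];
    foreach ($typed as $text) {
        $find->execute([':name' => $text]);
        $hits[$text] = (int) $find->fetchColumn();
    }
    return $hits;
}

// Case 1: the escaped value is bound unchanged, so the backslashes are
// stored and a later lookup on the real name misses the row.
$asReceived = store_and_find($db, $received, $typed);

// Case 2: the input-time escape is removed first, then the clean value is
// bound. The stored text matches what the user typed.
$unescaped = store_and_find($db, array_map('stripslashes', $received), $typed);

foreach ($typed as $text) {
    printf("%-22s bound as received: %d row(s), after stripslashes(): %d row(s)\n",
        $text, $asReceived[$text], $unescaped[$text]);
}
foreach ($db->query('SELECT name FROM shops ORDER BY id') as $row) {
    echo 'stored: ', $row['name'], "\n";
}
```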
