On Thu, 4 Apr 2002, Erik Price wrote:
> I was hoping someone could just clarify something for me -- exactly WHAT 
> is a Get/Post/Cookie operation in this case -- is it just during the 
> uploading of Get/Post/Cookie data from the user agent, or is it also 
> when I am taking a $_POST variable and passing it through a 
> string-altering function, etc?

You're correct, it's just the first time the data enters your program's 
variable space.

Personally, I find magic_quotes_gpc to be an abomination. Maybe for 
kindergarten programs where you're just dumping from a form into a 
database it's a good handholding measure, but if you're trying to do any 
serious validation or post-processing of user-entered data, it's a pain.

I find it much simpler to turn it off, and then just addslashes all 
strings before they go into the database. 

I use a function to build my SQL inserts and updates, that takes an array
of types, values, SQL field names, and field sizes. It does all necessary
data preparation (calls intval on integers, addslashes and substr on
strings, etc.) and then returns a SQL statement with clean data.

With something like that you don't have to try to keep track of 
addslashing and stripslashing all over the place, and you don't have any 
evil-data worries.

miguel


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
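
A sketch of the kind of builder the reply describes, as an added example that is not the poster's code: `build_insert`, `build_insert_params` and the field-spec layout are hypothetical names chosen here. The second function goes beyond the message and returns placeholders plus values for a prepared statement (for instance via PDO), which needs no string escaping at all.

```php
<?php
// Added example. Field spec (hypothetical layout):
//   ['name' => column, 'type' => 'int'|'string', 'value' => raw input, 'size' => max length]
// Table and column names are assumed to come from the program, never from user input.

function build_insert(string $table, array $fields): string
{
    $cols = [];
    $vals = [];
    foreach ($fields as $f) {
        $cols[] = $f['name'];
        if ($f['type'] === 'int') {
            $vals[] = (string) intval($f['value']);   // non-numeric tails are dropped
        } else {
            // Truncate first, then escape: cutting after addslashes() could
            // split an escape pair and leave a dangling backslash.
            $s = substr((string) $f['value'], 0, $f['size']);
            $vals[] = "'" . addslashes($s) . "'";     // backslash escaping, MySQL style
        }
    }
    return "INSERT INTO $table (" . implode(', ', $cols) . ') VALUES (' . implode(', ', $vals) . ')';
}

// Same type and size handling, but the values travel separately from the SQL text.
function build_insert_params(string $table, array $fields): array
{
    $cols = [];
    $params = [];
    foreach ($fields as $f) {
        $cols[] = $f['name'];
        $params[] = $f['type'] === 'int'
            ? intval($f['value'])
            : substr((string) $f['value'], 0, $f['size']);
    }
    $marks = implode(', ', array_fill(0, count($cols), '?'));
    return ["INSERT INTO $table (" . implode(', ', $cols) . ") VALUES ($marks)", $params];
}

// Constructed sample input, as it would arrive with magic_quotes_gpc turned off.
$fields = [
    ['name' => 'age',  'type' => 'int',    'value' => '42abc',      'size' => null],
    ['name' => 'name', 'type' => 'string', 'value' => "O'Reilly\\", 'size' => 8],
];

echo build_insert('users', $fields), "\n";
[$sql, $params] = build_insert_params('users', $fields);
echo $sql, "\n";
var_dump($params);
```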
