The only data returned by a browser in a "Cookie" header is the name/value pairs. So, your example would not pose a threat of any sort. The "Referer" and "User-Agent" are separate headers, but like all data from the client, they should also not be trusted.
If you have magic quotes enabled, you're probably safe. It is actually best not to just addslashes() again "to be sure" for any data. Rather, echo the value of your data to the screen during development, and test to be sure that your single quotes are escaped like you think they should be.

Chris

1LT John W. Holmes wrote:

>Yeah, magic_quotes will be enough, but it only handles GET, POST, and COOKIE
>data. I'm not sure what SERVER variables can be trusted, so it wouldn't hurt
>to addslash them...
>
>There isn't much of a risk to your query, but someone could still mess
>things up. If they formatted a cookie like
>
>$_COOKIE['tececo_stats'] =
>"bad_data','bad_time','bad_host','bad_referrer','bad_agent')#";
>
>it would allow them to insert bad data into your table...
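The development-time check Chris describes, as an added example that is not part of either message: it runs the cookie value from the thread through one and two escaping passes and reports whether the value that would be stored still matches the original. Assumptions: magic_quotes_gpc is simulated with a single addslashes() pass, and the hypothetical helper stored_value() approximates how a MySQL string literal drops one level of backslash escaping when parsed.

```php
<?php
// Added illustration, not code from the thread.

// Hypothetical helper: approximates MySQL removing one level of backslash
// escaping from a quoted string literal (assumption, adequate for \' and \\).
function stored_value(string $escaped): string
{
    return stripslashes($escaped);
}

// Hypothetical helper: applies addslashes() $passes times and reports
// what goes into the query text and what would end up in the column.
function escaping_report(string $raw, int $passes): array
{
    $value = $raw;
    for ($i = 0; $i < $passes; $i++) {
        $value = addslashes($value);
    }
    $stored = stored_value($value);
    return [
        'in_query' => $value,
        'stored'   => $stored,
        'intact'   => $stored === $raw,
    ];
}

// Cookie value quoted in the thread, used here as constructed sample input.
$raw = "bad_data','bad_time','bad_host','bad_referrer','bad_agent')#";

// 1 pass  = magic quotes only
// 2 passes = magic quotes plus addslashes() again "to be sure"
foreach ([1, 2] as $passes) {
    $r = escaping_report($raw, $passes);
    printf("passes:   %d\n", $passes);
    printf("in query: %s\n", $r['in_query']);
    printf("stored:   %s\n", $r['stored']);
    printf("intact:   %s\n\n", $r['intact'] ? 'yes' : 'NO, stray backslashes stored');
}
```

With one pass every single quote is escaped and the stored value equals the original; with two passes the quotes are still escaped, but literal backslashes end up in the column.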