The only data returned by a browser in a "Cookie" header is the 
name/value pairs. So, your example would not pose a threat of any sort. 
The "Referer" and "User-Agent" are separate headers, but like all data 
from the client, they should also not be trusted.

If you have magic quotes enabled, you're probably safe. It is actually 
best not to just addslashes() again "to be sure" for any data. Rather, 
echo the value of your data to the screen during development, and test 
to be sure that your single quotes are escaped like you think they 
should be.


1LT John W. Holmes wrote:

>Yeah, magic_quotes will be enough, but it only handles GET, POST, and COOKIE
>data. I'm not sure what SERVER variables can be trusted, so it wouldn't hurt
>to addslash them...
>There isn't much of a risk to your query, but someone could still mess
>things up. If they formatted a cookie like
>$_COOKIE['tececo_stats'] =
>it would allow them to insert bad data into your table...

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to