On Wednesday, July 3, 2002, at 10:21 AM, Jean-Christian Imbeault wrote:
> Security question: Is turning off magic_quotes and using
> strip/addslashes() a 100% effective solution against malicious user
> input?

No. Think about what {add|strip}slashes() does. It simply adds slashes to strings, and strips them from strings, depending on certain rules (like the location of apostrophes or other special characters in those strings).

There are far more ways for malicious users to insert their own input than I even know of, let alone know how to handle. Consider using add/strip a requirement, not a security precaution.

Erik

----

Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]
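
An illustration of the reply's point, added here and not part of the original thread: addslashes() changes only quotes, backslashes and NUL bytes, so a value headed for an unquoted numeric context passes through untouched, while type validation plus a bound parameter constrains it. The `users` table, the function names and the sample inputs are constructed for the example, which assumes PHP with the PDO SQLite driver.

```php
<?php
// Added example; table, function names and inputs are constructed, not from the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");

// Weak: the escaped value is concatenated into an unquoted numeric context.
function lookup_concat(PDO $db, string $raw): array
{
    $sql = 'SELECT name FROM users WHERE id = ' . addslashes($raw);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: reject anything that is not an integer, then bind the value.
function lookup_bound(PDO $db, string $raw): array
{
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs for a field the application expects to be an integer id.
$inputs = ['2', "O'Brien", '2 OR 1=1'];

// addslashes() rewrites only the input that contains a quote character.
foreach ($inputs as $raw) {
    $escaped = addslashes($raw);
    printf("%-10s -> %-10s changed: %s\n", $raw, $escaped, $raw === $escaped ? 'no' : 'yes');
}

// The input without quote characters reaches the query unchanged in the weak
// version and alters its WHERE clause; the hardened version rejects it.
$raw = '2 OR 1=1';
printf("concat rows: %d\n", count(lookup_concat($db, $raw)));
printf("bound rows:  %d\n", count(lookup_bound($db, $raw)));
printf("bound rows for '2': %d\n", count(lookup_bound($db, '2')));
```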