Re: [PHP] When to escape slashes, and when not to???

2003-06-20 Thread Marek Kilimajer


Gerard Samuel wrote:
I have a class method that does one thing and one thing only.
Escape characters before going to the DB.
Part of it is ->
function quote_for_db($string)
{
    // magic_quotes_gpc, when on, has already backslash-escaped GET/POST/COOKIE
    // input, so escape only when it is off to avoid escaping twice.
    if (!get_magic_quotes_gpc())
    {
       $string = pg_escape_string( $string );
    }
    return "'" . $string . "'";
}

In everyday get/post operation it seems to work flawlessly.
I've come across a situation where I'm parsing an XML file to insert into 
the DB.
The content needed to be escaped, so I modified the above to ->
function quote_for_db($string)
{
    // Intended to cover both input paths: escape whenever either
    // magic_quotes_gpc or magic_quotes_runtime is off.
    if (!get_magic_quotes_gpc() || !get_magic_quotes_runtime())
    {
       $string = pg_escape_string( $string );
    }
    return "'" . $string . "'";
}

And the XML data is escaped correctly for DB insertion.

Now going back to my everyday get/post operation, the code is broken 
somehow, as content that is not normally escaped is escaped, and breaking 
stuff, like serialized data in the DB.
Is the above code valid for escaping characters in get/post/cookie and 
external data operation?
Not really. You check if either one is false, and then you escape. But 
you don't know where the data come from. The data might be from POST and 
are already escaped by magic quotes, but magic_quotes_runtime is off, so 
it's escaped once more.
So you need to make two class methods, one for escaping gpc variables, 
another one for escaping runtime variables. Then you only need to check 
get_magic_quotes_gpc() or get_magic_quotes_runtime() respectively.

Can they be safely used together as in my example above (where if one 
condition isn't met and the other is, escape characters)?
Or there may be something else in my code that is messing things up.

Any pointers/experience would be greatly appreciated.
Thanks



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
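The split the reply recommends, written out as an added example (this is not code from the original thread or from either poster). It assumes the pgsql extension for pg_escape_string and a PHP old enough to still have the magic_quotes functions; on later versions the guards below simply report them as off. The helper names quote_combined, DbQuote::gpc and DbQuote::runtime are this example's own, and the serialized sample value is constructed to reproduce the double-escaping the original poster saw:

```php
<?php
// Added example, not code from the original thread. Assumes the pgsql
// extension and a PHP version that still has the magic_quotes functions
// (they were removed in PHP 5.4); on newer PHP the guards return false.

function magic_quotes_gpc_on()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

function magic_quotes_runtime_on()
{
    return function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime();
}

class DbQuote
{
    // For values that arrived through GET/POST/COOKIE. If magic_quotes_gpc is
    // on, PHP already added backslashes on the way in; escaping again doubles
    // them, which is what corrupted the serialized data in the thread.
    // $alreadyEscaped defaults to the live ini setting; it is a parameter so
    // the behaviour can be demonstrated regardless of php.ini.
    public static function gpc($string, $alreadyEscaped = null)
    {
        if ($alreadyEscaped === null) {
            $alreadyEscaped = magic_quotes_gpc_on();
        }
        if (!$alreadyEscaped) {
            $string = pg_escape_string($string);
        }
        return "'" . $string . "'";
    }

    // For values read at runtime (files, XML, sockets, other query results).
    // Only magic_quotes_runtime says anything about these.
    public static function runtime($string, $alreadyEscaped = null)
    {
        if ($alreadyEscaped === null) {
            $alreadyEscaped = magic_quotes_runtime_on();
        }
        if (!$alreadyEscaped) {
            $string = pg_escape_string($string);
        }
        return "'" . $string . "'";
    }
}

// The original combined check, reproduced only to show why it misfires:
// with gpc=On and runtime=Off the "||" makes it escape POST data again.
function quote_combined($string, $gpcOn, $runtimeOn)
{
    if (!$gpcOn || !$runtimeOn) {
        $string = pg_escape_string($string);
    }
    return "'" . $string . "'";
}

// Constructed sample: a serialized value containing a quote, as it would
// reach $_POST with magic_quotes_gpc=On (addslashes is what magic quotes
// applies to incoming data) while magic_quotes_runtime=Off.
$raw    = serialize(array('name' => "O'Reilly"));
$posted = addslashes($raw);

// Per-origin method: trusts that gpc already escaped the value, so the
// backslashes are not doubled and the serialized string survives.
echo "gpc method:      " . DbQuote::gpc($posted, true) . "\n";

// Combined check: runtime is off, so it escapes the already-escaped value.
echo "combined method: " . quote_combined($posted, true, false) . "\n";

// A value read from a file or XML parser goes through the other method and
// is judged only by magic_quotes_runtime.
$fromXml = "Bob's <entry>";
echo "runtime method:  " . DbQuote::runtime($fromXml, false) . "\n";
```

Running this with the two flags as set in the sample shows the gpc method leaving the serialized string intact and the combined method doubling the existing backslashes. Magic quotes have since been removed from PHP, and with pg_query_params the whole question goes away, since parameters are never spliced into SQL text and never need escaping at all.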


[PHP] When to escape slashes, and when not to???

2003-06-19 Thread Gerard Samuel
I have a class method that does one thing and one thing only.
Escape characters before going to the DB.
Part of it is ->
function quote_for_db($string)
{
    // magic_quotes_gpc, when on, has already backslash-escaped GET/POST/COOKIE
    // input, so escape only when it is off to avoid escaping twice.
    if (!get_magic_quotes_gpc())
    {
       $string = pg_escape_string( $string );
    }
    return "'" . $string . "'";
}

In everyday get/post operation it seems to work flawlessly.
I've come across a situation where I'm parsing an XML file to insert into 
the DB.
The content needed to be escaped, so I modified the above to ->
function quote_for_db($string)
{
    // Intended to cover both input paths: escape whenever either
    // magic_quotes_gpc or magic_quotes_runtime is off.
    if (!get_magic_quotes_gpc() || !get_magic_quotes_runtime())
    {
       $string = pg_escape_string( $string );
    }
    return "'" . $string . "'";
}

And the XML data is escaped correctly for DB insertion.

Now going back to my everyday get/post operation, the code is broken 
somehow, as content that is not normally escaped is escaped, and breaking 
stuff, like serialized data in the DB.
Is the above code valid for escaping characters in get/post/cookie and 
external data operation?
Can they be safely used together as in my example above (where if one 
condition isn't met and the other is, escape characters)?
Or there may be something else in my code that is messing things up.

Any pointers/experience would be greatly appreciated.
Thanks