Re: [PHP] Performance of magic_quotes_gpc ??

2004-12-20 Thread Richard Lynch
Michael Gale wrote:
   I am working on a ticket tracking system and using htmlentities and
 htmlspecialchars on text that gets inserted into the database.

 code I have:

 --snip--
 if ((isset($_POST['tentry_body'])) AND strlen($_POST['tentry_body']) > 5)
 {
 $query .= " tentry_body = '" .
 htmlentities(htmlspecialchars($_POST['tentry_body'])) . "'";

You've already been told all about this one :-)

   } else {
   $status="<li class=error>ERROR with entry -- appears to be empty
 !</li>\n";
   $check=1;
   }
 --snip--

 In the archives people suggest that using mysql_escape_string should be
 used, I then found that you could globally enable magic_quotes_gpc.

 What is the best method ? Does magic_quotes have a large performance
 issue ??

 Would it not just be safer to turn it on ??

Safer as in more secure from hackers? No.  It's not safer either way,
really, imho.  The security doesn't come from adding slashes -- It comes
from knowing what the data *should* look like, and validating that it
*does* look like that, as strictly as possible.

Safer as in less likely I'll screw up? This could go either way. If you
understand what MagicQuotes does, how it works, and when it's appropriate
to rely on it (or not) it's a convenient feature.  If you don't understand
how Magic Quotes works, then it's not a good thing to use. :-)

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Performance of magic_quotes_gpc ??

2004-12-19 Thread Michael Gale
Hello,
	I am working on a ticket tracking system and using htmlentities and 
htmlspecialchars on text that gets inserted into the database.

code I have:
--snip--
if ((isset($_POST['tentry_body'])) AND strlen($_POST['tentry_body']) > 5) {
    $query .= " tentry_body = '" .
        htmlentities(htmlspecialchars($_POST['tentry_body'])) . "'";
} else {
    $status = "<li class=error>ERROR with entry -- appears to be empty !</li>\n";
    $check = 1;
}
--snip--

In the archives people suggest that using mysql_escape_string should be 
used, I then found that you could globally enable magic_quotes_gpc.

What is the best method ? Does magic_quotes have a large performance 
issue ??

Would it not just be safer to turn it on ??
Thanks.
Michael.


Re: [PHP] Performance of magic_quotes_gpc ??

2004-12-19 Thread Robert Cummings
On Sun, 2004-12-19 at 18:31, Michael Gale wrote:
 Hello,
 
   I am working on a ticket tracking system and using htmlentities and 
 htmlspecialchars on text that gets inserted into the database.
 
 code I have:
 
 --snip--
 if ((isset($_POST['tentry_body'])) AND strlen($_POST['tentry_body']) > 5) {
 $query .= " tentry_body = '" .
 htmlentities(htmlspecialchars($_POST['tentry_body'])) . "'";
   } else {
   $status="<li class=error>ERROR with entry -- appears to be empty
 !</li>\n";
   $check=1;
   }
 --snip--
 
 In the archives people suggest that using mysql_escape_string should be 
 used, I then found that you could globally enable magic_quotes_gpc.
 
 What is the best method ? Does magic_quotes have a large performance 
 issue ??
 
 Would it not just be safer to turn it on ??

Learn to write secure code for yourself. Magic quotes are an illusion.

Cheers,
Rob.
-- 
..
| InterJinn Application Framework - http://www.interjinn.com |
::
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for   |
| creating re-usable components quickly and easily.  |
`'




Re: [PHP] Performance of magic_quotes_gpc ??

2004-12-19 Thread Jordi Canals
Hi, a couple of comments:

 --snip--

 htmlentities(htmlspecialchars($_POST['tentry_body'])) . "'";
 --snip--

Why are you using both htmlentities and htmlspecialchars? Note that
htmlspecialchars only converts some entities while htmlentities converts all ...
so, for your purposes, applying only one could do the job.

 
 In the archives people suggest that using mysql_escape_string should be
 used, I then found that you could globally enable magic_quotes_gpc.
 

magic_quotes_gpc is a generic way of getting the user data escaped,
but it is not the recommended way. It's better to have magic_quotes_gpc
disabled and use a database-specific method for escaping. If you use
mysql, I would recommend mysql_real_escape_string.
(mysql_escape_string is deprecated since 4.3.0)

Best regards,
Jordi.

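Putting Richard's advice (know what the data should look like and validate that it does) together with Jordi's (escape with the database-specific function, and apply only one HTML encoding), as an added example that is none of the posters' code. It assumes a mysqli connection, a table named tentry with a tentry_body column, PHP 7.1 or later, and its own length and character limits; mysqli_real_escape_string stands in for the mysql_real_escape_string named in the thread, because the mysql extension was removed in PHP 7.

```php
<?php
// Added example, not code from any poster in this thread. Assumptions:
// a mysqli connection, a table named tentry with a tentry_body column,
// PHP 7.1+, and the length/character limits chosen below.

// Step 1: get the raw text. If magic_quotes_gpc happens to be on, undo it
// so the value is what the user typed regardless of php.ini. The guard
// keeps this running on PHP 8, where get_magic_quotes_gpc() no longer exists.
function raw_post(string $key): ?string
{
    if (!isset($_POST[$key]) || !is_string($_POST[$key])) {
        return null;
    }
    $value = $_POST[$key];
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Step 2: validation, Richard's point. Decide what a ticket body should
// look like and reject anything else before it gets near the database.
// Returns [true, clean body] or [false, error message].
function validate_ticket_body(?string $body): array
{
    if ($body === null || strlen(trim($body)) <= 5) {
        return [false, 'ERROR with entry -- appears to be empty !'];
    }
    $body = trim($body);
    if (strlen($body) > 4000) {                       // assumed upper bound
        return [false, 'ERROR with entry -- too long'];
    }
    // Reject control characters except tab, LF and CR.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $body)) {
        return [false, 'ERROR with entry -- contains control characters'];
    }
    return [true, $body];
}

// Step 3: SQL escaping, Jordi's point. Escaping happens once, with the
// database's own function, right where the value enters the query. It
// needs the connection because the escaping depends on the connection's
// character set; mysqli_real_escape_string is the successor of the
// mysql_real_escape_string named in the thread.
function ticket_body_assignment(mysqli $db, string $body): string
{
    return "tentry_body = '" . mysqli_real_escape_string($db, $body) . "'";
}

// Step 4: HTML encoding belongs at output time, applied once. The thread's
// htmlentities(htmlspecialchars(...)) double-encodes '&' (it ends up as
// &amp;amp;) and bakes HTML into the stored text. htmlspecialchars is
// enough here: it handles < > & and quotes; htmlentities would also turn
// every accented character into a named entity, which is unnecessary.
function render_ticket_body(string $body): string
{
    return nl2br(htmlspecialchars($body, ENT_QUOTES, 'UTF-8'));
}

// Usage, with assumed connection parameters.
$db = mysqli_connect('localhost', 'tickets_user', 'secret', 'tickets');
if ($db === false) {
    die('database connection failed');
}
[$ok, $result] = validate_ticket_body(raw_post('tentry_body'));
if ($ok) {
    $query = 'INSERT INTO tentry SET ' . ticket_body_assignment($db, $result);
    mysqli_query($db, $query);
    echo render_ticket_body($result);
} else {
    $status = '<li class="error">' . htmlspecialchars($result, ENT_QUOTES, 'UTF-8') . "</li>\n";
    $check = 1;
}
```

Keeping the three concerns as separate single steps (undo magic quotes, validate, escape for the one consumer that needs it) is what makes the magic_quotes_gpc setting irrelevant to whether the code is safe: the stored text is exactly what the user typed, the SQL escaping is done by the function that knows the connection's character set, and the HTML encoding is chosen by the page that renders the text rather than frozen into the database.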



Re: [PHP] Performance of magic_quotes_gpc ??

2004-12-19 Thread Michael Gale
Hello,
	Thanks for all of the responses ... I am going to use 
mysql_real_escape_string.

Michael.
Jordi Canals wrote:
Hi, a couple of comments:

--snip--

htmlentities(htmlspecialchars($_POST['tentry_body'])) . "'";
--snip--

Why are you using both htmlentities and htmlspecialchars? Note that
htmlspecialchars only converts some entities while htmlentities converts all ...
so, for your purposes, applying only one could do the job.

In the archives people suggest that using mysql_escape_string should be
used, I then found that you could globally enable magic_quotes_gpc.

magic_quotes_gpc is a generic way of getting the user data escaped,
but it is not the recommended way. It's better to have magic_quotes_gpc
disabled and use a database-specific method for escaping. If you use
mysql, I would recommend mysql_real_escape_string.
(mysql_escape_string is deprecated since 4.3.0)
Best regards,
Jordi.