Anthony Wlodarski wrote:
So if that is passed to a different script in say a $_POST[‘str’] variable would then the string look like “You\’re didn\’t dood it.”? Now even if magic quotes are enabled and I use mysql_real_escape_str($_POST[‘str’]) would the string then look like “You\\\’re didn\\\’t dood it.”? I am just trying to find a safe practice for every time I have to use a SQL query.
Why not just remove the slashes from any posted variables if it's on? I.e. if you know you have a list of variables, then do the following:

    if (get_magic_quotes_gpc()) { // if magic quotes is on, get rid of the slashes
        $str = stripslashes($str);
        $str2 = stripslashes($str2);
        $str3 = stripslashes($str3);
    }

Then you're assured that all your variables are magic quoteless. You could also do the following, since these are variables, at the very top:

    if (get_magic_quotes_gpc()) { // if magic quotes is on, get rid of the slashes
        foreach ($_GET as $key => $value) {
            $_GET[$key] = stripslashes($value);
        }
        foreach ($_POST as $key => $value) {
            $_POST[$key] = stripslashes($value);
        }
    }

Unfortunately, you can't do the same thing for $_REQUEST since it contains cookies as well, you would have to do some extra checking there.

Also, you can minimize the following by using an htaccess file, place:

    php_value magic_quotes_gpc 0
    php_value magic_quotes_runtime 0
    php_value magic_quotes_sybase 0

in the htaccess file and it will disable magic quotes (if the provider's server allows it):

http://drupal.org/node/4395
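An added example, not part of the original thread: it reproduces the double escaping asked about above and shows the strip-once, escape-once order the reply recommends, extended to nested arrays such as `tags[]`. The helper name `undo_magic_quotes` and the sample input are assumptions, and `addslashes()` stands in both for what magic_quotes_gpc does to input and for `mysql_real_escape_string()`, which needs a live connection.

```php
<?php
// Added example; undo_magic_quotes() is a hypothetical helper name.
// addslashes() is a stand-in here: it treats the quote and backslash in the
// sample string the same way magic_quotes_gpc and the query escaper would.

// Undo magic quotes on one value, recursing into arrays (e.g. tags[]=...).
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Constructed sample: what the user typed, and what the script receives
// in $_POST when magic_quotes_gpc is on.
$typed = array('str' => "You're here", 'tags' => array("it's", "plain"));
$with_magic_quotes = array(
    'str'  => addslashes($typed['str']),
    'tags' => array_map('addslashes', $typed['tags']),
);

// Escaping the already-quoted value: the backslash itself gets escaped,
// so a literal backslash ends up stored in the database.
$double = addslashes($with_magic_quotes['str']);

// Strip once at the top of the script, escape once when building the query.
// On a PHP version that still has magic quotes the call site would be:
//   if (get_magic_quotes_gpc()) { $_POST = undo_magic_quotes($_POST); }
$clean  = undo_magic_quotes($with_magic_quotes);
$single = addslashes($clean['str']);

echo "received:        ", $with_magic_quotes['str'], "\n";
echo "escaped twice:   ", $double, "\n";
echo "stripped+escaped:", $single, "\n";
echo "round trip ok:   ", var_export($clean === $typed, true), "\n";
```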