Anthony Wlodarski wrote:
> So I was doing some reading on magic quotes and wrote a simple check to see
> if it is on or not. On our box magic quotes are disabled (which is the way
> I would prefer it, I would rather manually add my own slashes to sequences
> that need it) but my shared hosting has magic quotes enabled. Now I know
> the admin of the shared hosting is not going to turn off magic quotes
> because not everyone that uses the services are diligent programmers.
>
> So let us say magic quotes are on and I have a string like so.
>
> $str = "You're didn't dood it.";
>
> So if that is passed to a different script in say a $_POST['str'] variable
> would then the string look like "You\'re didn\'t dood it."? Now even if
> magic quotes are enabled and I use mysql_real_escape_str($_POST['str'])
> would the string then look like "You\\\'re didn\\\'t dood it."? I am just
> trying to find a safe practice for every time I have to use a SQL query.

My recommendation is to use the following lines in the .htaccess file of
your web root:

php_flag magic_quotes_gpc off
php_flag magic_quotes_runtime off
php_flag magic_quotes_sybase off

Then use the function shown in the relevant PHundamentals article
[http://www.nyphp.org/phundamentals/storingretrieving.php] at the beginning
of your core php file which will detect and correct the settings if the
.htaccess is accidentally mangled/deleted or if you run the code on a server
that doesn't honor the .htaccess (very rare).

Dan
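
The double escaping asked about in the quoted question, and a runtime check of the kind recommended in the reply, as an added example that is not part of either message and is not the PHundamentals function. The function names (strip_magic_slashes, magic_quotes_active, normalize_request_input) are hypothetical, and addslashes() stands in for the SQL escaping call.

```php
<?php
// Added illustration; not the PHundamentals function referenced above.

// Recursively undo the backslashes that magic_quotes_gpc adds to request data.
function strip_magic_slashes($value)
{
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $key => $item) {
            // magic quotes can also escape array keys, so clean those too
            $clean[stripslashes($key)] = strip_magic_slashes($item);
        }
        return $clean;
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// True only where the setting exists and is on; ini_get() returns false
// on PHP versions that no longer have magic quotes.
function magic_quotes_active()
{
    return (bool) ini_get('magic_quotes_gpc');
}

// Call once at the top of the core file, before any input is read.
function normalize_request_input()
{
    if (magic_quotes_active()) {
        $_GET    = strip_magic_slashes($_GET);
        $_POST   = strip_magic_slashes($_POST);
        $_COOKIE = strip_magic_slashes($_COOKIE);
    }
}

// Constructed demonstration. addslashes() plays both the magic quotes step and
// the SQL escaping step (assumption: for this string it yields the same
// result as mysql_real_escape_string(), which needs a live connection).
$original = "You're didn't dood it.";
$posted   = array('str' => addslashes($original)); // what magic quotes delivers

$doubled = addslashes($posted['str']);             // escaped twice
$clean   = strip_magic_slashes($posted);
$once    = addslashes($clean['str']);              // escaped once

echo "posted:  {$posted['str']}\n";
echo "doubled: $doubled\n";
echo "once:    $once\n";
```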