2012/5/2 Federico Ulfo <rainelemen...@gmail.com>:

> The article you mentioned is from April 2004, so I could not rely on that.
>
> Starting from PHP 5.4 magic_quotes_gpc has been removed
> http://php.net/releases/5_4_0.php
>
> Also since PHP 5, the best way to go is to use PDO prepared statements,
> which avoid any double escaping and allows you to connect to different
> database, so you don't really need anymore Adodb.
Hi Federico and thanks for your reply.

I know that magic_quotes_gpc has been removed, but I bet that most PHP installations use PHP < 5.4. As far as PDO is concerned, yes, I'm using PDO as well.

> If your database has escaped contents, you can either run a REPLACE query
> (to solve definitely the problem on the database) or as you well said use
> stripslashes, or a custom function, it depends what you escaped!

No, the database does not have any escaped contents. The problem is an application which, instead of escaping just the content that needed to be used in a query:

- escaped everything from GPC, using addslashes
- unescaped content coming from GPC when the content itself needs to be just displayed, using stripslashes

It worked pretty well, but I then switched from addslashes to DB-specific functions (namely ADOdb qstr and PDO quote). The problem is that stripslashes of course doesn't work anymore, and I don't find a general approach for unescaping (I read the comment on http://php.net/manual/en/function.mysql-real-escape-string.php but it seems more a hack than a general solution).

Now, I'm wondering if the DB-specific escape functions really give additional value with respect to addslashes. This is what you can read on the PHP Web site, but if you read here:

http://dev.mysql.com/doc/refman/5.5/en/mysql-real-escape-string.html

"Characters encoded are “\”, “'”, “"”, NUL (ASCII 0), “\n”, “\r”, and Control+Z. Strictly speaking, MySQL requires only that backslash and the quote character used to quote the string in the query be escaped. mysql_real_escape_string() quotes the other characters to make them easier to read in log files."

it seems that, if we are talking about query execution, just \ and ' need to be escaped.

What do you think about it?
------------------
Eugenio Tacchini
dadabik.org
DaDaBIK database front-end

_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/show-participation
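As an added example (not code from the thread or from DaDaBIK), the script below shows why stripslashes stops working once quoting moves to the driver, and the alternative design: keep the GPC value raw and escape only at each boundary where it is used. It uses the pdo_sqlite driver so it runs without a MySQL server; the table name and the sample input string are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread: keep the GPC value raw and escape only
// at the boundary where it is used, instead of escaping everything on input and
// calling stripslashes on output. The scheme described in the mail breaks as soon
// as the quoting function is no longer addslashes, because the inverse of
// PDO::quote is driver-specific and there is no general unescape for it.

// Constructed sample input, as it would arrive in $_POST before any escaping.
$raw = "O'Reilly \\ \"quoted\" text";

// The pdo_sqlite driver is used so the script runs without a MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (body TEXT)');

// 1. addslashes has an exact inverse, stripslashes ...
$addslashesRoundTrips = stripslashes(addslashes($raw)) === $raw;

// 2. ... but PDO::quote does not: this driver doubles the single quote instead
//    of backslashing it and wraps the value in quotes, so stripslashes cannot
//    recover the original. The MySQL driver escapes differently again, which is
//    why no single "unescape" works across drivers.
$quoted = $pdo->quote($raw);
$quoteRoundTrips = stripslashes($quoted) === $raw;

// 3. Escape at the query boundary only: bind the raw value in a prepared
//    statement, so application code never escapes $raw for SQL at all.
$ins = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
$ins->execute([':body' => $raw]);

// 4. What comes back is the raw value; there is nothing to unescape.
$stored = $pdo->query('SELECT body FROM notes')->fetchColumn();
$storedMatchesRaw = $stored === $raw;

// 5. Escape at the output boundary only, with the escaping that boundary needs
//    (HTML here), applied to the raw value, not to a SQL-escaped copy of it.
$html = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');

var_dump($addslashesRoundTrips, $quoteRoundTrips, $storedMatchesRaw);
echo $html, PHP_EOL;
```

The first flag is true and the second false, which is exactly the breakage the mail describes; the third is true because the bound value was never escaped in the first place.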