question about magic quotes
This is a discussion on question about magic quotes within the PHP Language forums, part of the PHP Programming Forums category; Hi all, I've been reading up on magic quotes but I'm still confused, seems like all the info ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
10-29-2004
|
|||
|
|||
question about magic quotes
Hi all,
I've been reading up on magic quotes but I'm still confused, seems like all the info I can find is just regurgitating the little blurb in the php manual. My question is this: if I turn both magic_quotes_gpc and magic_quotes_runtime ON in php.ini, does that mean I do not need to also use addslashes() and stripslashes() on all my GPC and MySQL data? i.e. does magic_quotes in effect take care of addslashes() and stripslashes() automatically? Thanks in advance. Marcus 
|
|
10-29-2004
|
|||
|
|||
|
Re: question about magic quotes
Marcus wrote:
> Hi all, > > I've been reading up on magic quotes but I'm still confused, seems like > all the info I can find is just regurgitating the little blurb in the > php manual. My question is this: if I turn both magic_quotes_gpc and > magic_quotes_runtime ON in php.ini, does that mean I do not need to also > use addslashes() and stripslashes() on all my GPC and MySQL data? i.e. > does magic_quotes in effect take care of addslashes() and stripslashes() > automatically? Thanks in advance. > > Marcus > Sorry for another post, but just to clarify on my previous post, is there a proper configuration with any/all of the magic_quotes values so that I can "safely" accept data and interact with my DB without using addslashes/deleteslashes everywhere? Also, when I look in my MySQL tables through the command prompt, if records with single quotes do not show up as escaped by /, am I doing something wrong? Thanks again. Marcus
|
|
11-02-2004
|
|||
|
|||
|
Re: question about magic quotes
.oO(Marcus)
>Sorry for another post, but just to clarify on my previous post, is >there a proper configuration with any/all of the magic_quotes values so >that I can "safely" accept data and interact with my DB without using >addslashes/deleteslashes everywhere? I don't care about magic quotes anymore, I do the escaping on my own. When "importing" user-submitted data I run it through something like this to have the data in raw format: function filter($data) { return get_magic_quotes_gpc() ? stripslashes($data) : $data; } Then, when necessary, I use mysql_escape_string(), htmlspeciclchars() etc. to escape/convert the data, dependent on what I wanna do with it. IMHO it's more reliable to have control over the data handling instead of relying on some "background magic", which might lead to unexpected results. >Also, when I look in my MySQL tables through the command prompt, if >records with single quotes do not show up as escaped by /, am I doing >something wrong? No, the escape chars are not stored in the database. Micha
|
Linear Mode
