Article:   Ten Security Checks for PHP, Part 1
Subject:   magic quotes
Date:   2003-03-21 07:39:59
From:   anonymous2
I'm not sure what you meant by the statement that magic_quotes_gpc being on will cause addslashes to give an error. We have had magic_quotes_gpc on for over a year and constantly use addslashes on user input before inserting it into an SQL database. Could you clarify the conditions in which magic_quotes_gpc will cause addslashes to generate an error? I have never seen one.
  • magic quotes
    2003-03-24 13:25:09  clancymalcolm

    To demonstrate the effect of combining addslashes with magic_quotes_gpc = On, consider the following PHP script called test.php:

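    <?php
    // $foo is set inside the script, so magic_quotes_gpc never touches it.
    $foo = "te'st";
    echo "foo=$foo<br>";
    // With magic_quotes_gpc = On, $_GET["bar"] has already been escaped by PHP.
    echo "bar=" . $_GET["bar"] . "<br>";

    // addslashes() is needed for $foo but escapes $_GET["bar"] a second time.
    $query = sprintf("UPDATE mytable SET foo='%s', bar='%s' WHERE id=1", addslashes($foo), addslashes($_GET["bar"]));
    echo "query=$query<br>";
    ?>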

    If you don't use addslashes then the value of foo will cause an error, but if you do use addslashes you will get an extra \ in the value of the bar field.

    Hope this clarifies my point.

    Cheers,
    Clancy
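
The double escaping described in this thread, shown next to a corrected handling, as an added example that is not part of the original posts. Current PHP no longer has magic_quotes_gpc, so the hypothetical helper `simulate_magic_quotes_gpc` stands in for it; `stored_value`, the sample input and the in-memory SQLite table (which assumes the pdo_sqlite extension is available) are also assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. magic_quotes_gpc no longer exists
// in current PHP, so its effect on request data is simulated.

// Hypothetical helper: with magic_quotes_gpc = On, PHP applied addslashes()
// to every GET/POST/COOKIE value before the script ran.
function simulate_magic_quotes_gpc(string $raw): string
{
    return addslashes($raw);
}

// Hypothetical helper: a MySQL-style parser removes one level of backslash
// escaping from a quoted string literal before storing it.
function stored_value(string $literalBody): string
{
    return stripslashes($literalBody);
}

$typed = "O'Reilly";                        // constructed sample input
$bar   = simulate_magic_quotes_gpc($typed); // what $_GET["bar"] would hold

// Pattern from test.php: addslashes() on a value that is already escaped.
$double       = addslashes($bar);
$query        = sprintf("UPDATE mytable SET bar='%s' WHERE id=1", $double);
$storedDouble = stored_value($double);

// Corrected handling: undo the automatic escaping once, then bind the raw
// value as a parameter so no manual escaping is involved.
$clean = stripslashes($bar);
$pdo   = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE mytable (id INTEGER PRIMARY KEY, bar TEXT)");
$pdo->exec("INSERT INTO mytable (id, bar) VALUES (1, '')");
$stmt = $pdo->prepare("UPDATE mytable SET bar = :bar WHERE id = 1");
$stmt->execute([':bar' => $clean]);
$storedClean = $pdo->query("SELECT bar FROM mytable WHERE id = 1")->fetchColumn();

printf("typed by user       : %s\n", $typed);
printf("seen by script      : %s\n", $bar);
printf("query, addslashes   : %s\n", $query);
printf("stored, addslashes  : %s\n", $storedDouble);
printf("stored, bound param : %s\n", $storedClean);
var_dump($storedDouble !== $typed, $storedClean === $typed);
```

Both `var_dump` lines report true when the addslashes path has changed the user's data and the bound-parameter path has preserved it.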