Hear us Roar
Article: Ten Security Checks for PHP, Part 1
Subject: magic quotes
Date: 2003-03-24 13:25:09
From: clancymalcolm
Response to: magic quotes
To demonstrate the effect of combining addslashes with magic_quotes_gpc = On, consider the following PHP script, called test.php:
<?php
// With magic_quotes_gpc = On, PHP has already applied addslashes() to $_GET["bar"].
$foo = "te'st";
$bar = isset($_GET["bar"]) ? $_GET["bar"] : "";
echo "foo=$foo<br>";
echo "bar=" . $bar . " ";
// addslashes() escapes $foo exactly once, but escapes $bar a second time.
$query = sprintf("UPDATE mytable SET foo='%s', bar='%s' WHERE id=1", addslashes($foo), addslashes($bar));
echo "query=$query ";
?>
If you don't use addslashes then the value of foo will cause an error, but if you do use addslashes you will get an extra \ in the value of the bar field.
Hope this clarifies my point.
Cheers,
Clancy
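The following is an added example, not code from the original poster or the article. It reproduces the double-escaping the post describes by constructing $_GET as the PHP engine would populate it with magic_quotes_gpc Off and On, normalises the input so that it is escaped exactly once, and sketches the prepared-statement alternative that sidesteps addslashes() entirely. The table and column names, the sample value "it's", the helper names unmagic() and build_update(), and the $pdo connection in the commented-out lines are all assumptions made for this example; get_magic_quotes_gpc() and the magic_quotes_gpc setting only exist in PHP versions up to 5.3 (the function was removed in PHP 8).

```php
<?php
// Added example (not the original poster's code): escape request data exactly once,
// whatever magic_quotes_gpc is set to. All sample values below are constructed.

// Simulate what PHP places into $_GET for ?bar=it's under the two ini settings.
// With magic_quotes_gpc = On, the engine has already run addslashes() on every
// GET/POST/cookie value before the script sees it.
$raw_bar       = "it's";
$get_magic_off = array("bar" => $raw_bar);
$get_magic_on  = array("bar" => addslashes($raw_bar));

// Undo the automatic quoting so the value is in its raw form again.
function unmagic($value, $magic_quotes_on)
{
    return $magic_quotes_on ? stripslashes($value) : $value;
}

// Build the statement from the raw value, escaping it once ourselves.
function build_update($bar, $magic_quotes_on)
{
    $bar = unmagic($bar, $magic_quotes_on);
    return sprintf("UPDATE mytable SET bar='%s' WHERE id=1", addslashes($bar));
}

// Both settings now yield the same, correctly quoted statement.
echo build_update($get_magic_off["bar"], false), "\n";
echo build_update($get_magic_on["bar"], true), "\n";

// What the original script does when magic quotes is On: the value was already
// escaped by the engine, and addslashes() escapes the backslash and quote again,
// so the stored column ends up with a stray backslash.
echo sprintf("UPDATE mytable SET bar='%s' WHERE id=1", addslashes($get_magic_on["bar"])), "\n";

// The robust fix is to let the database driver quote the value via a prepared
// statement, so neither addslashes() nor magic quotes is involved at all.
// Assumes an existing PDO connection in $pdo; commented out so the example runs
// without a database.
// $stmt = $pdo->prepare("UPDATE mytable SET bar = :bar WHERE id = 1");
// $stmt->execute(array(":bar" => unmagic($_GET["bar"], get_magic_quotes_gpc())));
```

Run it on the command line with php and compare the three printed statements: the first two are identical, while the third carries the doubled escaping that the post warns about. In real code the setting should be read once at startup with get_magic_quotes_gpc() and applied to the whole request array, rather than checked at every use site, and on any PHP version that still supports magic quotes the cleaner option is to turn the setting off in php.ini.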