deKraai Posted October 9, 2008

Hi, I've got a short question. I wrote a script with one user input using $_POST. The script uses MySQL as well. On my own host I have get_magic_quotes_gpc on, but the host of the person I wrote the script for doesn't have get_magic_quotes_gpc turned on. So to add slashes I now use an if statement to check whether get_magic_quotes_gpc is on; if not, I use $_POST['var'] = addslashes($_POST['var']). The question is: does this addslashes cut it, or is code injection still a problem?
PFMaBiSmAd Posted October 9, 2008

addslashes does escape the characters that permit SQL injection, but it does not escape all the special characters that can break a query (or allow a hacker to trigger errors in your code, either for the purpose of exposing path/username information or to simply shut down your site by triggering excessive errors...). Use mysql_real_escape_string() instead.
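The pattern the reply recommends, written out as an added example (not code from either poster): undo magic quotes so the raw value is identical on both hosts, whitelist it, then let the database driver handle it with the connection-aware escaper or, better, a bound parameter. It assumes a mysqli connection in $db, a table items with a column category, and the mysqlnd driver for get_result(); all of these are illustrative.

```php
<?php
// Added example, not from the thread. Assumes $db is an open mysqli
// connection and that a table `items` with a `category` column exists.

// 1. Normalise the input. With magic_quotes_gpc on, PHP has already run
//    addslashes() on $_POST, so strip them to get the raw submitted value.
//    get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists guard.
function raw_post(string $key): string
{
    $value = isset($_POST[$key]) ? (string) $_POST[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// 2. Whitelist first. Strict comparison, so "0" or "" cannot match by coercion.
function is_whitelisted(string $value, array $allowed): bool
{
    return in_array($value, $allowed, true);
}

// 3. Pass the value to MySQL as a bound parameter: the server receives it as
//    data, never as part of the SQL text, so no escaping step is needed.
function fetch_rows(mysqli $db, string $category): array
{
    $stmt = $db->prepare('SELECT id, name FROM items WHERE category = ?');
    $stmt->bind_param('s', $category);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

$var = raw_post('var');
if (!is_whitelisted($var, ['books', 'music', 'video'])) {
    http_response_code(400);
    exit('invalid category');
}

// Legacy equivalent of step 3, for comparison with addslashes(): unlike
// addslashes(), real_escape_string() knows the connection's character set.
// $safe = $db->real_escape_string($var);
// $sql  = "SELECT id, name FROM items WHERE category = '$safe'";

$rows = fetch_rows($db, $var);
```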
deKraai (Author) Posted October 9, 2008

But does it block PHP injection? Could a hacker, for instance, break '$var = addslashes($_POST['var']);' by inserting wrong input like: ' ]); echo 'test'; // ? Because I also check the input against a whitelist before I insert it in a MySQL query.