MySQL4 to MySQL5 upgrade issue

[yacaph]

Background: Our webserver is running MySql 4.2, My development system is using MySQL 5.2. I'm programming in PHP 5 on both.

 

On the webserver MySQL 4.2 seems to ignore single [ ' ] and double [ " ] quotes without adding the addslashes($var) directive while "addslashes()" is necessary on MySQL 5.2 on my development machine.

 

We are considering upgrading the webserver from MySQL 4 to MySQL 5 and need to know if the described behavior is inherent to these versions, or is established via some configuration file.

 

Any feedback will be greatly appreciated.

 

[corbin]

Uh, magic quotes must be on on one of the machines.

 

 

 

MySQL will never "ignore" quotes.  That would be incorrect syntax.

 

 

For example:  SELECT * FROM table WHERE name = 'O'Reilly';

 

Will NEVER work.

[yacaph]

Thanks for the feedback.

 

I've checked the php.ini on the server which PHPInfo reports as being /etc/php.ini, but magic_quotes are not enabled, yet in the PHPInfo Configuration Command magic_quotes appear to be enabled.

 

[./configure' '--build=i386-redhat-linux' '--host=i386-redhat-linux' '--target=i386-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--cache-file=../config.cache' '--with-libdir=lib' '--with-config-file-path=/etc' '--with-config-file-scan-dir=/etc/php.d' '--disable-debug' '--with-pic' '--disable-rpath' '--with-bz2' '--with-curl' '--with-exec-dir=/usr/bin' '--with-freetype-dir=/usr' '--with-png-dir=/usr' '--enable-gd-native-ttf' '--without-gdbm' '--with-gettext' '--with-gmp' '--with-iconv' '--with-jpeg-dir=/usr' '--with-openssl' '--with-png' '--with-pspell' '--with-expat-dir=/usr' '--with-pcre-regex=/usr' '--with-zlib' '--with-layout=GNU' '--enable-exif' '--enable-ftp' '--enable-magic-quotes' '--enable-sockets' '--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--enable-track-vars' '--enable-trans-sid' '--enable-yp' '--enable-wddx' '--with-pear=/usr/share/pear' '--with-kerberos' '--enable-ucd-snmp-hack' '--with-unixODBC=shared,/usr' '--enable-memory-limit' '--enable-shmop' '--enable-calendar' '--enable-dbx' '--enable-dio' '--with-mime-magic=/etc/httpd/conf/magic' '--without-sqlite' '--with-libxml-dir=/usr' '--with-xml' '--with-apxs2=/usr/sbin/apxs' '--without-mysql' '--without-gd' '--without-odbc' '--disable-dom' '--disable-dba']

 

Can someone tell me where this is being generates from?

 

Also, on the PHP Manual Magic Quotes page there is the following warning: "This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.", so I assume that the wise thing to do would be to disable "magic quotes" on the upgrade to MySQL 5 and use "addslashes()" in the code.

 

Again, All thoughs & comments will be appreciated.

 

Thanks

[PFMaBiSmAd]

Use mysql_real_escape_string()

 

addslashes(), like the magic_quotes settings, which is why they are being removed, does not escape all the special characters that can break a query.

[corbin]

"so I assume that the wise thing to do would be to disable "magic quotes" on the upgrade to MySQL 5 and use "addslashes()" in the code."

 

 

The wise thing to do would be to never use magic quotes, and  always use mysql_real_escape_string().

[fenway]

Or write a quick three-liner to do it regardless -- check if magic quotes are on, and then addslahes accordingly.