jayR Posted July 27, 2006: When I was taking my class in PHP 4, we were always taught to escape all user input before using it in our queries like good little coders. However, after upgrading to PHP 5 I noticed that it looks like PHP will automatically escape the user's input for you, so I guess my question is, do we still need to escape everything that we get from users, or can we trust PHP to do that for us now?
effigy Posted July 27, 2006: Use MySQL's real_escape_string.
jayR (Author) Posted July 27, 2006: I guess the thing I don't understand is that I have inputted illegal strings into the database through my PHP (i.e. "Jay's Input") and it is automatically escaped when I check its value in the database. I'm more wondering why it is doing it for me without me telling it to, not how I would do it manually.
wildteen88 Posted July 27, 2006: You most probably got a setting called magic_quotes_gpc turned on, which will automatically escape quotes.
fenway Posted July 27, 2006: Personally, turn off all the magic and do it yourself -- it's more portable that way, and it won't be obfuscated and hidden away.
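The following is an added example, not code posted by anyone in this thread. It ties together the three replies above: it simulates what magic_quotes_gpc did to request data (so you can see why "Jay's Input" arrived with a backslash already in it), shows the double-escaping trap you fall into if you then escape by hand as well, and shows the portable pattern fenway recommends: undo the magic so the script sees raw input on any server, then escape once with mysqli_real_escape_string or, better, bind the value in a prepared statement so it never becomes part of the SQL text. The `$db` connection, the `notes` table and its `body` column are assumptions for illustration. Note that magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0, which is why the check is guarded with function_exists().

```php
<?php
// Added example (not from the thread). $db, the `notes` table and the `body`
// column are hypothetical.

// What magic_quotes_gpc did on every request: addslashes() over
// $_GET, $_POST and $_COOKIE before your script ever ran.
function simulate_magic_quotes(array $request)
{
    return array_map('addslashes', $request);
}

// Make request data look the same whether or not magic quotes is on,
// so the rest of the code always works with the raw user input.
function normalize_gpc($value)
{
    $magic_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    if (!$magic_on) {
        return $value;
    }
    return is_array($value)
        ? array_map('normalize_gpc', $value)
        : stripslashes($value);
}

// Explicit, connection-aware escaping (uses the connection's charset,
// unlike addslashes() or magic quotes).
function insert_escaped(mysqli $db, $body)
{
    $safe = mysqli_real_escape_string($db, $body);
    return mysqli_query($db, "INSERT INTO notes (body) VALUES ('$safe')");
}

// Prepared statement: the value is sent separately from the SQL text,
// so no escaping of the value is needed at all.
function insert_bound(mysqli $db, $body)
{
    $stmt = mysqli_prepare($db, 'INSERT INTO notes (body) VALUES (?)');
    mysqli_stmt_bind_param($stmt, 's', $body);
    return mysqli_stmt_execute($stmt);
}

// Demonstration of the double-escaping trap; needs no database.
$post = simulate_magic_quotes(array('body' => "Jay's Input"));

// Already carries a backslash before the quote: this is what jayR saw in the table.
echo $post['body'], "\n";

// Escaping again doubles up: the row would be stored with a literal backslash.
echo addslashes($post['body']), "\n";

// Undo the magic first, then escape or bind exactly once.
echo stripslashes($post['body']), "\n";

// With a live connection the portable sequence is:
// $db = mysqli_connect('localhost', 'user', 'pass', 'app');
// insert_bound($db, normalize_gpc($_POST['body']));
```

Two caveats a practitioner should keep in mind: magic_quotes_gpc only touched GET, POST and COOKIE data, so anything read from files, the database or other sources was never escaped for you; and because it used addslashes(), it had no idea which character set the connection used, which is why the thread's advice to use MySQL's own real_escape_string (or a prepared statement) holds regardless of the ini setting.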