Escaping Characters

4 replies to this topic

#1 jayR

  • Members
  • Member
  • 26 posts

Posted 27 July 2006 - 01:48 PM

When I was taking my class in PHP 4, we were always taught to escape all user input before using it in our queries like good little coders.  However, after upgrading to PHP 5 I noticed that it looks like PHP will automatically escape the user's input for you, so I guess my question is, do we still need to escape everything that we get from users, or can we trust PHP to do that for us now?

#2 effigy

  • Staff Alumni
  • Advanced Member
  • 3,600 posts
  • Location: IL

Posted 27 July 2006 - 01:53 PM

Use MySQL's real_escape_string.
Regexp | Unicode Article | Letter Database

#3 jayR

  • Members
  • Member
  • 26 posts

Posted 27 July 2006 - 03:01 PM

I guess the thing I don't understand is that I have inputted illegal strings into the database through my PHP (i.e. "Jay's Input") and it is automatically escaped when I check its value in the database.  I'm more wondering why it is doing it for me without me telling it to, not how I would do it manually.

#4 wildteen88

  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • Location: UK, Bournemouth

Posted 27 July 2006 - 03:07 PM

You most probably have a setting called magic_quotes_gpc turned on, which will automatically escape quotes.

#5 fenway

  • Staff Alumni
  • MySQL Si-Fu / PHP Resident Alien
  • 16,199 posts
  • Location: Toronto, ON

Posted 27 July 2006 - 03:45 PM

Personally, turn off all the magic and do it yourself -- it's more portable that way, and it won't be obfuscated and hidden away.
Seriously... if people don't start reading this before posting, I'm going to consider not answering at all.
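Putting wildteen88's diagnosis and fenway's advice together, here is an added example (not code posted by anyone in this thread) that undoes magic_quotes_gpc where the server has it on, so input arrives exactly as typed, and then escapes through the database driver right before the query. It assumes PHP 5 with the mysqli extension, a table `notes(body TEXT)` and the placeholder connection details shown; the `function_exists` guard keeps it running on later PHP versions where `get_magic_quotes_gpc()` no longer exists.

```php
<?php
// Added example for this thread; table name and credentials are placeholders.

// Step 1: reverse magic_quotes_gpc if it is on, so our code sees the raw
// input. Nested arrays (e.g. an input named "tags[]") need the recursion.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Constructed sample standing in for a form field when run from the CLI.
$body = isset($_POST['body']) ? $_POST['body'] : "Jay's Input";

$db = new mysqli('localhost', 'user', 'password', 'app'); // placeholders
if ($db->connect_error) {
    die('Connect failed: ' . htmlspecialchars($db->connect_error));
}

// Step 2a: escape explicitly, using the connection's charset, at the
// point where the string is spliced into SQL. Escaping earlier (as
// magic_quotes does) is what leads to doubled backslashes in the table.
$safe = $db->real_escape_string($body);
$db->query("INSERT INTO notes (body) VALUES ('$safe')");

// Step 2b: a prepared statement keeps data out of the SQL text entirely,
// so there is nothing to escape and nothing for magic quotes to mangle.
$stmt = $db->prepare('INSERT INTO notes (body) VALUES (?)');
$stmt->bind_param('s', $body);
$stmt->execute();
$stmt->close();

// Check: rows should match the original text with no stray backslash,
// whatever magic_quotes_gpc was set to.
$check = $db->prepare('SELECT COUNT(*) FROM notes WHERE body = ?');
$check->bind_param('s', $body);
$check->execute();
$check->bind_result($count);
$check->fetch();
$check->close();
echo "rows stored verbatim: $count\n";
```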
