jayR

Escaping Characters


When I was taking my class in PHP 4, we were always taught to escape all user input before using it in our queries like good little coders.  However, after upgrading to PHP 5 I noticed that it looks like PHP will automatically escape the user's input for you, so I guess my question is, do we still need to escape everything that we get from users, or can we trust PHP to do that for us now?

I guess the thing I don't understand is that I have inputted illegal strings into the database through my PHP (i.e. "Jay's Input") and it is automatically escaped when I check its value in the database.  I'm more wondering why it is doing it for me without me telling it to, not how I would do it manually.

You most probably have a setting called magic_quotes_gpc turned on, which will automatically escape quotes.

Personally, turn off all the magic and do it yourself -- it's more portable that way, and it won't be obfuscated and hidden away.
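
An added example, not part of any post in this thread: what magic_quotes_gpc does to the sample string from the question, and one way to "do it yourself" by undoing the magic and binding the value through a PDO prepared statement. The `posts` table, the helper function names and the in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions for illustration; `addslashes()` stands in for the setting so the script also runs where magic quotes are unavailable.

```php
<?php
// Added example, not code from the thread. Table, column and helper
// names are hypothetical.

// Undo magic_quotes_gpc for one value so the application sees what the
// user actually typed. $magicOn is a parameter so both cases can be shown.
function raw_input_value($value, $magicOn)
{
    return $magicOn ? stripslashes($value) : $value;
}

// True only on PHP builds where the setting still exists and is enabled.
// In a request handler: raw_input_value($_POST['name'], magic_quotes_enabled())
function magic_quotes_enabled()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Store a value through a prepared statement and read it back. The driver
// keeps data separate from the SQL text, so no manual escaping is needed.
function store_and_fetch(PDO $db, $name)
{
    $ins = $db->prepare('INSERT INTO posts (name) VALUES (:name)');
    $ins->execute(array(':name' => $name));
    return $db->query('SELECT name FROM posts ORDER BY id DESC LIMIT 1')
              ->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, name TEXT)');

$typed   = "Jay's Input";      // constructed sample: what the user typed
$magiced = addslashes($typed); // what $_POST would hold with the setting on

// Bound as-is, the magic-quoted value is stored with a stray backslash.
echo store_and_fetch($db, $magiced), "\n";
// Normalised first, the stored value matches what was typed.
echo store_and_fetch($db, raw_input_value($magiced, true)), "\n";
// With the setting off there is nothing to undo.
echo store_and_fetch($db, raw_input_value($typed, false)), "\n";
```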
