jayR Posted July 27, 2006 Share Posted July 27, 2006 When I was taking my class in PHP 4, we were always taught to escape all user input before using it in our queries like good little coders. However, after upgrading to PHP 5 I noticed that it looks like PHP will automatically escape the user's input for you, so I guess my question is, do we still need to escape everything that we get from users, or can we trust PHP to do that for us now? Link to comment https://forums.phpfreaks.com/topic/15804-escaping-characters/ Share on other sites More sharing options...
effigy Posted July 27, 2006 Share Posted July 27, 2006 Use MySQL's real_escape_string. Link to comment https://forums.phpfreaks.com/topic/15804-escaping-characters/#findComment-64643 Share on other sites More sharing options...
jayR Posted July 27, 2006 Author Share Posted July 27, 2006 I guess the thing I don't understand is that I have inputted illegal strings into the database through my PHP (i.e. "Jay's Input") and it is automatcally escaped when I check its value in the database. I'm more wondering why it is doing it for me without me telling it to, not how I would do it manually. Link to comment https://forums.phpfreaks.com/topic/15804-escaping-characters/#findComment-64662 Share on other sites More sharing options...
wildteen88 Posted July 27, 2006 Share Posted July 27, 2006 You most probably got a setting called magic_quotes_gpc turned on which will automatically escape quotes. Link to comment https://forums.phpfreaks.com/topic/15804-escaping-characters/#findComment-64664 Share on other sites More sharing options...
fenway Posted July 27, 2006 Share Posted July 27, 2006 Personally, turn off all the magic and do it yourself -- it's more portable that way, and it won't be obfuscated and hidden away. Link to comment https://forums.phpfreaks.com/topic/15804-escaping-characters/#findComment-64688 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.