
Do I need to use mysql_real_escape_string if magic quote is on?


1 reply to this topic

#1 extrovertive

extrovertive
  • Members
  • Advanced Member
  • 235 posts

Posted 30 August 2006 - 07:31 AM

Since get_magic_quotes_gpc is enabled, all incoming client-side data will have slashes. So, do I even need to use mysql_real_escape_string on my incoming form data?

#2 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 30 August 2006 - 07:41 AM

mysql_real_escape_string has a better effect than magic_quotes. I suggest you use the function I added below to remove the effect of the magic_quotes and escape the string using mysql_real_escape_string.

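<?php

// Undo magic_quotes_gpc (if enabled), then escape the value once for use in a MySQL query.
function sql_quote($value)
{
    // magic_quotes_gpc has already added slashes; strip them to avoid double escaping.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }

    // Prefer the MySQL-aware escaping function; fall back to addslashes() if it is unavailable.
    if (function_exists("mysql_real_escape_string")) {
        $value = mysql_real_escape_string($value);
    } else {
        $value = addslashes($value);
    }

    return $value;
}

?>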

Orio.
Think you're smarty?

(Gone until 20 to November)
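
An added example, not part of the original posts: it shows why sql_quote() strips the magic-quotes slashes before escaping, by comparing what ends up stored when escaping is applied on top of magic quotes versus after stripslashes(). The helpers escape_model(), stored_value() and magic_quotes_model() are hypothetical stand-ins so the script runs without a database or the old mysql extension, and the sample inputs are constructed.

```php
<?php
// Added illustration, not code from the thread. Runs without a database.

// Hypothetical stand-in for mysql_real_escape_string(): it prefixes the
// characters the PHP manual lists for that function, but knows nothing about
// the connection character set, which the real function takes into account.
const ESCAPES = [
    "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
    "'"  => "\\'",  '"'  => '\\"', "\x1a" => "\\Z",
];

function escape_model(string $s): string
{
    return strtr($s, ESCAPES);
}

// Hypothetical helper: the value the server stores after decoding the
// escape sequences inside a quoted string literal.
function stored_value(string $literalBody): string
{
    return strtr($literalBody, array_flip(ESCAPES));
}

// Hypothetical helper: what magic_quotes_gpc did to request data
// before the script saw it.
function magic_quotes_model(string $raw): string
{
    return addslashes($raw);
}

// Constructed sample inputs.
$samples = ["O'Reilly", 'C:\temp "x"'];

foreach ($samples as $raw) {
    $gpc = magic_quotes_model($raw);

    // Escaping on top of magic quotes: every added backslash is escaped again.
    $double = stored_value(escape_model($gpc));

    // The order used by sql_quote(): undo magic quotes, then escape once.
    $single = stored_value(escape_model(stripslashes($gpc)));

    printf("typed by user      : %s\n", $raw);
    printf("escaped twice      : %s (%s)\n", $double, $double === $raw ? 'intact' : 'corrupted');
    printf("stripped + escaped : %s (%s)\n\n", $single, $single === $raw ? 'intact' : 'corrupted');
}
```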



