dsaba Posted June 12, 2007

I am aware of checking the magic quotes setting, whether it is on or off, or whatever you want to call it; in simple terms, whether it escapes all POST variables or whether it doesn't.

Well, in my PHP settings, it DOES INDEED ESCAPE POSTED DATA.

So knowing that, will not mysql_real_escape()-ing be as safe as using mysql_real_escape() on posted data that is not already escaped? Or does mysql_real_escape do anything more significant other than escaping slashes that I need to do to the already escaped POSTED data? (Make sense?)

-thanks for reading

mmarif4u Posted June 12, 2007

mysql_real_escape_string is better than other slashes techniques. I prefer this for POST data.

dsaba Posted June 12, 2007 (Author)

Let me rephrase my question. My posted data is coming back already escaped, for example:

    $originalString = 'Hello why aren't you there?';
    $_POST['originalstring'] = 'Hello why aren\'t you there?';
    mysql_escape_string($_POST['originalstring']) = 'Hello why aren\\'t you there?';

So I see the problem of why there are two \\ slashes in the last statement: it is being escaped twice. So a little thought appeared in my head: I thought maybe I should not use the mysql_escape_string function on the posted data, and voilà! Now it is only being escaped once...

I'm asking your advice here on phpfreaks whether this is a safe practice, and IF the escaped POST data is just as safe as data that has been escaped by mysql_escape_string.

You say mysql_escape_string does more than simply addslashes() does; if so, then tell me what is this extra stuff that it does?

cx323 Posted June 12, 2007

You can use get_magic_quotes_gpc to find out whether magic quotes, which is what is escaping your data, is on or not. Something like this should work:

    // Undo whatever magic quotes did to the value first
    if (@get_magic_quotes_gpc()) {
        if (@ini_get('magic_quotes_sybase')) {
            // Sybase mode doubles single quotes instead of adding backslashes
            $value = str_replace('\'\'', '\'', $value);
        } else {
            $value = stripslashes($value);
        }
    }
    // Then escape exactly once for MySQL
    $value = mysql_real_escape_string($value);

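The double escaping described in this thread and the normalize-then-escape approach from the reply above, as an added example that is not part of any post. It assumes the non-Sybase case only, simulates magic quotes with addslashes(), and uses `mysql_style_escape`, a hypothetical stand-in for mysql_real_escape_string() that needs no database connection and is not charset-aware.

```php
<?php
// Added illustration, not code from the thread. Runs on current PHP without a
// database: magic_quotes_gpc is simulated with addslashes(), which the PHP
// manual describes as identical to what that setting did to request data.

// Hypothetical stand-in for mysql_real_escape_string(): covers the characters
// the MySQL docs list (NUL, \n, \r, \, ', ", Ctrl-Z) but, unlike the real
// function, knows nothing about the connection character set.
function mysql_style_escape(string $s): string
{
    return strtr($s, [
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r', "\x1a" => '\\Z',
        '\\' => '\\\\', "'" => "\\'", '"' => '\\"',
    ]);
}

// The approach from the reply above: undo magic quotes first, then escape once.
function normalize_then_escape(string $posted, bool $magicQuotesOn): string
{
    $raw = $magicQuotesOn ? stripslashes($posted) : $posted;
    return mysql_style_escape($raw);
}

$original = "Hello why aren't you there?";   // constructed sample input
$posted   = addslashes($original);           // what magic quotes delivers

echo "posted:        ", $posted, "\n";
echo "escaped twice: ", mysql_style_escape($posted), "\n";
echo "normalized:    ", normalize_then_escape($posted, true), "\n";

// Where the two escapers differ: line breaks and Ctrl-Z are left untouched by
// addslashes(). json_encode() is used only to make control characters visible.
$multiline = "line one\nline two\x1a";       // constructed sample input
echo "addslashes:    ", json_encode(addslashes($multiline)), "\n";
echo "mysql-style:   ", json_encode(mysql_style_escape($multiline)), "\n";
```
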
mmarif4u Posted June 12, 2007

Escaping particular data in a post has different situations, like entering data into MySQL or cleaning data with PHP. Slashes are pure PHP lib and mysql_real_escape_string is MySQL, which is made for preventing MySQL DB from injections.

For more details please try the link below.

http://www.sitepoint.com/forums/showthread.php?t=337881

Hope this will help.