Jump to content

escaping data in PHP 4


yoda69

Recommended Posts

So, just to get this clear.

 

In php 4

If i use a form and pass information in GET or POST it is automatically escaped and I don't need to do anything else about the data.

 

if that is the case would you recommend me any other or additional procedures to protect my database from SQL injections attacks?

 

Tnx,

Link to comment
https://forums.phpfreaks.com/topic/57407-escaping-data-in-php-4/
Share on other sites

The automatic esacping that you speak of is caused by magic_quotes_gpc, an ini directive. nothing to do with the version of php you are using. This used to be on by default, it is however slowly being outlawed. Pretty sure it will be gone or at least off by default in php6.

 

Anyway... to my point. You don't want to escape data again if this directive is on. So, before using mysql_real_esacpe_string, check. eg;

 

<?php

  if (!get_magic_quotes_gpc()) {
    $data = mysql_real_escape_string($_POST['data']);
  } else {
    $data = $_POST['lastname'];
  }

?>

just a little add on there thorpey!

 

if security is what you were after in teh realm of escaping then you need to do this...

<?php

  if (!get_magic_quotes_gpc()) {
    $data = mysql_real_escape_string($_POST['data']);
  } else {
    $data = mysql_real_escape_string(strip_slashes($_POST['lastname']));
  }

?>

 

a minor but very important addition...

 

for a fuller picture look at example 1428 http://uk.php.net/manual/en/function.mysql-real-escape-string.php

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.