yoda69, posted June 27, 2007:
So, just to get this clear. In PHP 4, if I use a form and pass information in GET or POST, it is automatically escaped and I don't need to do anything else about the data. If that is the case, would you recommend any other or additional procedures to protect my database from SQL injection attacks? Thanks.
ToonMariner, posted June 27, 2007:
Automatically escaped? Do you mean you have coded to escape the data, or are you assuming it is escaped properly? mysql_real_escape_string is pretty useful when entering user-defined data into a table...
yoda69 (author), posted June 27, 2007:
I've read that in PHP 4, when you use GET or POST, the data is automatically escaped by the server. Is it correct or not?
Dragen, posted June 27, 2007:
What it means is it puts slashes on everything that needs them. It doesn't make them safe.
yoda69 (author), posted June 27, 2007:
So in that case, should I use mysql_real_escape_string for everything that enters my database?
Dragen, posted June 27, 2007:
Yep.
trq, posted June 27, 2007:
The automatic escaping that you speak of is caused by magic_quotes_gpc, an ini directive. Nothing to do with the version of PHP you are using. This used to be on by default; it is, however, slowly being outlawed. Pretty sure it will be gone, or at least off by default, in PHP 6.

Anyway... to my point. You don't want to escape data again if this directive is on. So, before using mysql_real_escape_string, check. E.g.:

    <?php
    // Only escape ourselves when magic_quotes_gpc has not already done it.
    if (!get_magic_quotes_gpc()) {
        $data = mysql_real_escape_string($_POST['data']);
    } else {
        $data = $_POST['data'];
    }
    ?>
ToonMariner, posted June 28, 2007:
Just a little add-on there, thorpey! If security is what you were after in the realm of escaping, then you need to do this...

    <?php
    if (!get_magic_quotes_gpc()) {
        $data = mysql_real_escape_string($_POST['data']);
    } else {
        // Undo the magic_quotes slashes first, then escape properly for MySQL.
        $data = mysql_real_escape_string(stripslashes($_POST['data']));
    }
    ?>

A minor but very important addition... For a fuller picture, look at example 1428: http://uk.php.net/manual/en/function.mysql-real-escape-string.php
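Pulling the advice from the two posts above together as an added example (this is not code from any poster): a helper that strips the magic_quotes_gpc slashes before escaping, so submitted data is escaped exactly once, placed beside the raw string interpolation it replaces. The legacy mysql_* functions are used because that is what the thread discusses; the connection details, the users table and its lastname and id columns are assumptions for illustration. Two caveats the thread does not state: magic_quotes_gpc was removed in PHP 5.4 and the mysql extension in PHP 7.0, so on current PHP the equivalent is a prepared statement via mysqli or PDO; and escaping only protects values inside quoted string literals, so a number spliced into SQL unquoted must have its type forced instead.

```php
<?php
// Added example, not code from the thread. Shows the thread's advice
// end to end for the legacy mysql_* extension (PHP 4 / PHP 5.x):
// undo magic_quotes_gpc if the server applied it, then escape exactly
// once with mysql_real_escape_string against the live connection.
// Connection details, the 'users' table and its 'lastname' and 'id'
// columns are assumptions for illustration.

// Recover the value the user actually submitted. With magic_quotes_gpc
// on, PHP has already added backslashes; stripping them first prevents
// double escaping (which would store literal backslashes in the table).
function raw_input($value)
{
    if (get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Quote a value for use as a MySQL string literal. Passing the
// connection handle matters: escaping depends on the connection's
// character set.
function sql_str($value, $link)
{
    return "'" . mysql_real_escape_string(raw_input($value), $link) . "'";
}

// Escaping only protects quoted strings. A number spliced into SQL
// unquoted needs its type forced instead.
function sql_int($value)
{
    return (int) raw_input($value);
}

$link = mysql_connect('localhost', 'dbuser', 'dbpass');
mysql_set_charset('utf8', $link);   // PHP >= 5.2.3; keeps escaping charset-correct
mysql_select_db('app', $link);

// Constructed hostile input, standing in for a submitted form.
$_POST['lastname'] = "x' OR '1'='1";
$_POST['id']       = '7 OR 1=1';

// Vulnerable: raw interpolation. The quote closes the literal and the
// OR clause matches every row.
$bad = "SELECT * FROM users WHERE lastname = '" . $_POST['lastname'] . "'";

// Hardened: the quote is escaped to \' so it stays inside the literal,
// and the id collapses to the integer 7.
$good = "SELECT * FROM users WHERE lastname = " . sql_str($_POST['lastname'], $link)
      . " AND id = " . sql_int($_POST['id']);

$result = mysql_query($good, $link);
```

Note that the helpers take the value, not the superglobal, so the same raw_input() treatment applies to $_GET and $_COOKIE, which magic_quotes_gpc also slashes.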