yoda69 Posted June 27, 2007 So, just to get this clear. In PHP 4, if I use a form and pass information in GET or POST, it is automatically escaped and I don't need to do anything else about the data. If that is the case, would you recommend any other or additional procedures to protect my database from SQL injection attacks? Thanks, Link to comment https://forums.phpfreaks.com/topic/57407-escaping-data-in-php-4/
ToonMariner Posted June 27, 2007 Automatically escaped? Do you mean you have coded to escape the data, or are you assuming it is escaped properly? mysql_real_escape_string is pretty useful when entering user-defined data into a table...
yoda69 Posted June 27, 2007 (Author) I've read that in PHP 4, when you use GET or POST, the data is automatically escaped by the server. Is it correct or not?
Dragen Posted June 27, 2007 What it means is it puts slashes on everything that needs them. It doesn't make them safe.
yoda69 Posted June 27, 2007 (Author) So in that case, should I use mysql_real_escape_string for everything that enters my database?
Dragen Posted June 27, 2007 yep
trq Posted June 27, 2007 The automatic escaping that you speak of is caused by magic_quotes_gpc, an ini directive. Nothing to do with the version of PHP you are using. This used to be on by default; it is, however, slowly being outlawed. Pretty sure it will be gone, or at least off by default, in PHP 6. Anyway... to my point. You don't want to escape data again if this directive is on. So, before using mysql_real_escape_string, check. e.g.

<?php
// Only escape when magic_quotes_gpc has not already added slashes.
if (!get_magic_quotes_gpc()) {
    $data = mysql_real_escape_string($_POST['lastname']);
} else {
    $data = $_POST['lastname'];
}
?>
ToonMariner Posted June 28, 2007 Just a little add-on there, thorpey! If security is what you were after in the realm of escaping, then you need to do this...

<?php
if (!get_magic_quotes_gpc()) {
    $data = mysql_real_escape_string($_POST['lastname']);
} else {
    // Undo the magic-quotes slashes first, then escape properly for the connection.
    $data = mysql_real_escape_string(stripslashes($_POST['lastname']));
}
?>

A minor but very important addition... for a fuller picture look at example 1428 http://uk.php.net/manual/en/function.mysql-real-escape-string.php
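Added example (not code from the thread or from its posters) that puts the advice above together: undo magic_quotes_gpc once for all GPC arrays, then escape each value exactly once at the point it enters SQL, and cast values used in unquoted numeric positions, which escaping alone does not protect. It assumes an open mysql connection in $link and PHP 4.3/5 (the mysql_* functions were removed in PHP 7, where mysqli or PDO prepared statements replace this pattern).

```php
<?php
// Assumed: $link is an open connection from mysql_connect().

// Recursively strip the slashes magic_quotes_gpc added, so every value
// reaches the script exactly as the client sent it.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// Escape once, with the live connection so the escaping matches the
// connection character set, and return the value already quoted.
function sql_string($value, $link)
{
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

// Escaping only protects values placed inside quotes. A value used in a
// numeric position must be cast, otherwise whatever the client sent is
// spliced into the query as SQL.
function sql_int($value)
{
    return (string) (int) $value;
}

$lastname = isset($_POST['lastname']) ? $_POST['lastname'] : '';
$user_id  = isset($_GET['id']) ? $_GET['id'] : 0;

$sql = "SELECT id, lastname FROM users"
     . " WHERE lastname = " . sql_string($lastname, $link)
     . " AND id = " . sql_int($user_id);
$result = mysql_query($sql, $link);
?>
```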
Archived
This topic is now archived and is closed to further replies.