danthehat Posted August 6, 2007

I've designed a simple form and scripted some PHP without any of the recommended security measures one normally employs to prevent SQL injection attacks. My aim in this was to experiment with SQL injection as I had never really understood it. Much to my chagrin, all of my injections seemed to have been escaped without my knowledge! I did some reading and found that a setting in my php.ini file escaped all of the input, magic_quotes_gpc.

Now, my question is this: Just how effective is magic_quotes_gpc at preventing SQL injection attacks? Given my limited knowledge of the field, I figured I'd ask the experts (every forum has at least two).

Thanks for any help you can lend.

GingerRobot Posted August 6, 2007

Personally, I hate the entire concept of magic_quotes. As far as I'm concerned, something shouldn't happen to data from the user without me doing something to it. It seems to me that magic_quotes can always lead to annoyances with slashes too.

I feel that magic_quotes was an attempt to "mollycoddle" developers to make sure they were producing safe code. I guess the PHP developers must agree with some of that, since that magic_quotes setting is being taken out of PHP 6. Given that, I would suggest learning to develop without magic_quotes, although if you were producing something for use on other servers, you would of course need to check for the setting being on.

I suppose that didn't really answer your question, but that's my 2 cents (or should I say pence, being English?) on the subject.
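
The approach suggested in the post above (develop without magic_quotes, but check whether the setting is on), sketched as an added example that is not code from the thread. The `users` table, the function names and the sample value are assumptions made for the illustration.

```php
<?php
// Added example; users table and function names are hypothetical.

// Return the value as the user sent it, undoing magic_quotes_gpc if it is on.
// $magic = null means "detect"; get_magic_quotes_gpc() no longer exists in PHP 8.
function raw_input_value($value, $magic = null)
{
    if ($magic === null) {
        $magic = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    }
    if (!$magic) {
        return $value;
    }
    if (is_array($value)) {
        foreach ($value as $key => $item) {
            $value[$key] = raw_input_value($item, true);
        }
        return $value;
    }
    return stripslashes($value);
}

// The name is bound as a parameter, so quoting is the driver's job, not ours.
function count_users_named(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE name = ?');
    $stmt->execute(array($name));
    return (int) $stmt->fetchColumn();
}

// Constructed data in an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('O''Brien')");

// Constructed request value: what $_POST['name'] holds when the setting is on.
$posted = "O\\'Brien";

// Bound as-is, the extra backslash becomes part of the search term.
echo 'escaped value:    ', count_users_named($db, $posted), " match(es)\n";
// Normalised first (setting forced on for the demo), the lookup sees O'Brien.
echo 'normalised value: ', count_users_named($db, raw_input_value($posted, true)), " match(es)\n";
// In a real handler, let the function detect the setting itself:
// $name = raw_input_value($_POST['name']);
```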

danthehat (Author) Posted August 6, 2007

While your post did not answer my question, it does provide some helpful insight. I've never personally encountered an issue with magic_quotes_gpc, but I can understand that perhaps it might. I will try to follow your advice and develop without the magic_quotes_gpc crutch.