
[SOLVED] security risks - magic quotes


phorcon3


a) I have a main script linked to pretty much all my sites.. and part of the code is:


<?php
if(get_magic_quotes_gpc() == '0')
{
    if($_POST)
    {
        foreach($_POST as $item => $value)
        {
            if(!is_array($value))
            {
                $_POST[$item] = trim(mysql_real_escape_string($_POST[$item]));
            }
        }
    }
}
?>


or would it have to be..


<?php
if(get_magic_quotes_gpc() == '0')
{
    if($_POST)
    {
        foreach($_POST as $item => $value)
        {
            if(!is_array($value))
            {
                $_POST[$item] = addslashes($_POST[$item]);
            }
        }
    }
}
?>


or is there any better way to make sure all $_POSTs are somewhat secure before being inserted into the DB? I also have some other code too that strips the data before inserted (allowing some html code).. and what should I do for $_GETs? same as for $_POSTs I assume?

 

b) Is there a huge difference between

 

<?php
include_once 'file.php';
?>

 

and

 

<?php
include_once('file.php');
?>

 

I know, both work the same ...but are there any risks involved?

 

c) Uh, I'm gonna ask this too.. lol

 

what works better..

 

<?php
mysql_query("INSERT INTO `table` (`column`) VALUES ('".$insert."')");
?>

 

or

 

<?php
mysql_query("INSERT INTO `table` (`column`) VALUES ('$insert')");
?>

 

AND

 

<?php
mysql_query("INSERT INTO `table` (`time`) VALUES ('".time()."')");
?>

 

or

 

<?php
$time = time();

mysql_query("INSERT INTO `table` (`time`) VALUES ('$time')");
?>


a: mysql_real_escape_string is the preferred method. And yes, any variables being inserted into the db should be run through it.

 

b: The first method is more correct, but no, there are no real differences and no inherent risks.

 

c: Personal preference really.


Magic quotes have been eliminated in php6. The magic quote setting flags that you test in your code will be present but will always test as false/off.

 

Code that checks if magic quotes are on and strips the slashes and then adds their own using mysql_real_escape_string() will continue to work as expected.

 

Code that is currently doing nothing and relies on magic quotes being on to escape data will result in broken queries that fail when someone includes a special character in input that is placed into a query string or it will open up your code to mysql injection if a hacker is deliberately entering special characters.

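Putting the advice in this thread into runnable form (my own added example, not code from any poster): undo magic quotes when they happen to be on, then let the database driver do the quoting at query time instead of escaping `$_POST` in place. It uses PDO prepared statements against an in-memory SQLite database so it runs without a MySQL server; the `users` table, the `insert_name()` helper and the `O'Brien` input are constructed for the demo.

```php
<?php
// Added example, not from the thread. Same approach as the replies above:
// undo magic_quotes_gpc if it is on, then quote at query time. PDO with
// sqlite::memory: stands in for mysql_real_escape_string, which needs a
// live MySQL connection; the same PDO calls work against a mysql: DSN.

// Recursively strip the slashes magic quotes added so each value is stored
// exactly once, unescaped. On PHP 5.4+ the setting is always off (and the
// function is gone in PHP 8), so this becomes a no-op.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

function insert_name(PDO $db, $name)
{
    // Bound placeholder: the value travels separately from the SQL text,
    // so a quote inside $name can never alter the statement's structure.
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute(array(':name' => $name));
    return (int) $db->lastInsertId();
}

// Constructed sample input: a legitimate name containing a single quote,
// the kind of special character that breaks an unescaped query.
$_POST = array('name' => "O'Brien");
$input = undo_magic_quotes($_POST);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Broken query: interpolating the raw value ends the string literal early.
try {
    $db->exec("INSERT INTO users (name) VALUES ('{$input['name']}')");
} catch (PDOException $e) {
    echo "raw interpolation failed: " . $e->getMessage() . "\n";
}

// Safe insert: the stored value is exactly what the user typed.
$id = insert_name($db, $input['name']);
$stored = $db->query("SELECT name FROM users WHERE id = $id")->fetchColumn();
echo "stored as: $stored\n";
```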
