NYPHP.org

[nycphp-talk] Is there something wrong with this SQL query in PHP?

Dan Cech dcech at phpwerx.net
Wed Aug 15 10:27:59 EDT 2007


Anthony Wlodarski wrote:
> So I was doing some reading on magic quotes and wrote a simple check to see
> if it is on or not.  On our box magic quotes are disabled (which is the way
> I would prefer it, I would rather manually add my own slashes to sequences
> that need it) but my shared hosting has magic quotes enabled.  Now I know
> the admin of the shared hosting is not going to turn off magic quotes
> because not everyone that uses the services is a diligent programmer.
> 
> So let us say magic quotes are on and I have a string like so.
> 
> $str = "You're didn't dood it.";
> 
> So if that is passed to a different script in say a $_POST['str']  variable
> would then the string look like "You\'re didn\'t dood it."?  Now even if
> magic quotes are enabled and I use mysql_real_escape_str($_POST['str'])
> would the string then look like "You\\\'re didn\\\'t dood it."?  I am just
> trying to find a safe practice for every time I have to use a SQL query.

My recommendation is to use the following lines in the .htaccess file of
your web root:

	php_flag magic_quotes_gpc off
	php_flag magic_quotes_runtime off
	php_flag magic_quotes_sybase off

Then use the function shown in the relevant PHundamentals article
[http://www.nyphp.org/phundamentals/storingretrieving.php] at the
beginning of your core php file which will detect and correct the
settings if the .htaccess is accidentally mangled/deleted or if you run
the code on a server that doesn't honor the .htaccess (very rare).

Dan
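The approach Dan describes, detecting the effective magic_quotes_gpc setting at runtime and undoing it so the script can escape each value exactly once, as an added example. This is not the PHundamentals function and not code from either poster; the connection details, table name and column are placeholders, and the sample string is the one from the question.

```php
<?php
// Added example: make the script behave as if magic quotes were OFF,
// regardless of what .htaccess or php.ini actually did, then escape once
// at the SQL boundary. Not the PHundamentals article's own code.

// Recursively remove the backslashes that magic_quotes_gpc added to
// scalar values and to every element of nested arrays.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Call once at the top of the core PHP file, before any input is read.
// get_magic_quotes_gpc() reports the setting that was in force when the
// request was parsed, so this works even if the .htaccess flags were
// mangled, deleted or not honoured by the server.
function undo_magic_quotes()
{
    if (!get_magic_quotes_gpc()) {
        return false;               // nothing to undo
    }
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
    return true;
}

// Quote a value for use inside an SQL literal, escaping it exactly once
// with the connection's character set.
function sql_quote($link, $value)
{
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

undo_magic_quotes();

// Sample input mirroring the string from the question (constructed).
$str = isset($_POST['str']) ? $_POST['str'] : "You're didn't dood it.";

// Placeholder connection details (assumptions, not from the thread).
$link = mysql_connect('localhost', 'dbuser', 'dbpass');
mysql_select_db('example_db', $link);

$sql = "INSERT INTO quotes (body) VALUES (" . sql_quote($link, $str) . ")";
// After undo_magic_quotes(), $sql contains:
//   INSERT INTO quotes (body) VALUES ('You\'re didn\'t dood it.')
// If magic quotes had been left on, the same line would have stored
// a literal backslash before each apostrophe (the \\\' case asked about).
mysql_query($sql, $link);
```

The key property is that every value crosses the escaping boundary exactly once: normalize at the top of the script, escape at the point the value enters the query string, never in between. On PHP 5.4 and later magic quotes no longer exist and `get_magic_quotes_gpc()` always returns false, and the `mysql_*` functions shown here (the extension the thread is using) were removed in PHP 7; on a current stack the same one-boundary rule is enforced by mysqli or PDO prepared statements with bound parameters rather than by escaping.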
