Magic quotes and data integrity 1

Heavy
Forum Contributor
Posts: 478
Joined: Sun Sep 22, 2002 7:36 am
Location: Viksjöfors, Hälsingland, Sweden

Post by Heavy »

When I submit a text-field from a form using POST, I (the client) might fill the field with data like:

Code:

123<'k"isis123&q>

Note that there is one single quote char and one double quote char.
When this var is made available to the receiving PHP script, it has been addslashed, see magic-quotes-gpc

I use MySQL and PHP.

Let's say I want to perform a data insertion:

Code:

mysql_query("insert into table1 set Var1='{$_POST['Fieldname1']}', Var2='{$_POST['Fieldname2']}'");

Would this query do a fully valid non corrupted and database hacker secure data insertion if I use data like the string at the top of this post? :?:

MySQL receives the data '123<''k\"isis123&q>'. Will the \" be interpreted correctly, that is, that the backslash is removed in the database data :?:

I could test this on my computer and learn by myself, but I am far from the machine right now, and I believe it might be good for all of us newbies to read the answers to this post. :wink:
Dmitriy Plakhotnik
Forum Newbie
Posts: 3
Joined: Fri Nov 01, 2002 11:39 am

Post by Dmitriy Plakhotnik »

Try using get_html_translation_table(HTML_ENTITIES);
Example:

$trans = get_html_translation_table(HTML_ENTITIES);
$str = "123& < 'ssg".'"'."><>";
$encoded = strtr($str, $trans);


--
Sincerely,
Dmitriy S.Plakhotnik
AlarIT programmer
http://www.alarit.com
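
An added example, not part of either post and not the posters' code: it replays the string from the question through addslashes() (what magic_quotes_gpc applied to POST data) and then stores it with bound parameters instead of string interpolation. The in-memory SQLite DSN is an assumption so the script runs without a MySQL server; table1, Var1 and Var2 follow the question.

```php
<?php
// Added example (not code from the thread). The pdo_sqlite extension and the
// in-memory database are assumptions; for MySQL only the DSN changes.
$raw = '123<\'k"isis123&q>';   // constructed: the field value as the client typed it

// magic_quotes_gpc ran addslashes() over $_POST before the script started.
$magic = addslashes($raw);
echo "raw input:          $raw\n";
echo "after magic quotes: $magic\n";

// With its default sql_mode, MySQL consumes each escaping backslash while it
// parses a quoted literal. stripslashes() models that step for this input.
echo 'literal parses back to raw input: ';
var_dump(stripslashes($magic) === $raw);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE table1 (Var1 TEXT, Var2 TEXT)');

// Interpolating the unescaped value: its single quote ends the SQL literal
// early, so the rest of the field is parsed as SQL text.
try {
    $db->exec("INSERT INTO table1 (Var1, Var2) VALUES ('$raw', 'x')");
    echo "interpolated insert was accepted\n";
} catch (PDOException $e) {
    echo "interpolated insert was rejected by the SQL parser\n";
}

// Bound parameters: the values travel separately from the SQL text, so no
// escaping layer (magic quotes or manual) takes part in the insert.
$stmt = $db->prepare('INSERT INTO table1 (Var1, Var2) VALUES (?, ?)');
$stmt->execute([$raw, $magic]);

// Read the row back and compare each column with what was bound.
$row = $db->query('SELECT Var1, Var2 FROM table1')->fetch(PDO::FETCH_ASSOC);
echo 'Var1 equals raw input: ';
var_dump($row['Var1'] === $raw);
echo 'Var2 still carries the added backslashes: ';
var_dump($row['Var2'] === $magic);
```

The Var2 column shows the integrity side of the question: input that magic quotes has already slashed must be passed through stripslashes() before it is bound, otherwise the backslashes are stored as data.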