Magic quotes and data integrity 1

Posted: Fri Nov 01, 2002 7:25 am
by Heavy
When I submit a text field from a form using POST, I (the client) might fill the field with data like:

123<'k"isis123&q>
Note that there is one single quote char and one double quote char.
When this var is made available to the receiving PHP script, it has been addslashed, see magic_quotes_gpc.

I use MySQL and PHP.

Let's say I want to perform a data insertion:

mysql_query("insert into table1 set Var1='{$_POST['Fieldname1']}', Var2='{$_POST['Fieldname2']}'");
Would this query perform a fully valid, non-corrupted and hacker-secure database insertion if I use data like the string at the top of this post?

MySQL receives the data '123<''k\"isis123&q>'. Will the \" be interpreted correctly, that is, will the backslash be removed in the database data?

I could test this on my computer and learn by myself, but I am far from the machine right now, and I believe it might be good for all of us newbies to read the answers to this post.

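The round trip the question describes can be checked without a MySQL server. The following is an added example (editor's code, not part of the original post): it reimplements PHP's addslashes() as applied by magic_quotes_gpc, builds the same string-interpolated INSERT, and then lexes the statement with a small model of how MySQL decodes a single-quoted literal in its default sql_mode (backslash escapes honoured, '' meaning one quote). The model is an assumption about the server, not the server itself; with sql_mode NO_BACKSLASH_ESCAPES set, backslashes are not escapes and the result differs. The sample input is the string from the post; the second field value "x" and the sqlite-based bound-parameter insert are constructed for the example.

```python
import sqlite3

# Constructed sample input: the form value quoted in the post, one ' and one ".
RAW_INPUT = "123<'k\"isis123&q>"

# Backslash escapes MySQL recognises inside a string literal in its default
# sql_mode. This table models the server's lexer; it is not MySQL itself.
MYSQL_ESCAPES = {
    "0": "\0", "n": "\n", "r": "\r", "t": "\t", "b": "\b", "Z": "\x1a",
    "\\": "\\", "'": "'", '"': '"', "%": "\\%", "_": "\\_",
}


def addslashes(s: str) -> str:
    """What magic_quotes_gpc applies to every GET/POST/cookie value:
    PHP's addslashes(), which backslash-escapes ' " \\ and NUL."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def build_query(field1: str, field2: str) -> str:
    """The string-interpolated INSERT from the post, unchanged."""
    return f"insert into table1 set Var1='{field1}', Var2='{field2}'"


def parse_literal(sql: str, pos: int):
    """Decode the single-quoted literal starting at sql[pos] the way MySQL's
    lexer does: \\x escapes per MYSQL_ESCAPES, '' is one quote, and the first
    lone ' ends the literal. Returns (value, index after the closing quote)."""
    i = pos + 1
    out = []
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):
            out.append(MYSQL_ESCAPES.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif ch == "'":
            if sql[i + 1:i + 2] == "'":
                out.append("'")
                i += 2
            else:
                return "".join(out), i + 1
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def extract_literals(sql: str) -> list:
    """Return the decoded value of every string literal in the statement,
    i.e. what would land in Var1 and Var2. Raises on an unterminated literal."""
    values, i = [], 0
    while i < len(sql):
        if sql[i] == "'":
            value, i = parse_literal(sql, i)
            values.append(value)
        else:
            i += 1
    return values


def stored_values(field1: str, field2: str, magic_quotes: bool) -> list:
    """Simulate the post's round trip: optionally apply magic quotes, build the
    query, and lex it as MySQL would."""
    if magic_quotes:
        field1, field2 = addslashes(field1), addslashes(field2)
    return extract_literals(build_query(field1, field2))


def stored_via_placeholder(field1: str, field2: str) -> tuple:
    """The same insert with bound parameters: the value never passes through
    the SQL lexer, so no escaping is needed and no quote can close the literal.
    In-memory SQLite is used here only because it needs no server."""
    con = sqlite3.connect(":memory:")
    con.execute("create table table1 (Var1 text, Var2 text)")
    con.execute("insert into table1 (Var1, Var2) values (?, ?)", (field1, field2))
    return con.execute("select Var1, Var2 from table1").fetchone()


if __name__ == "__main__":
    print("with magic_quotes_gpc:", stored_values(RAW_INPUT, "x", True))
    try:
        print("without magic_quotes_gpc:", stored_values(RAW_INPUT, "x", False))
    except ValueError as e:
        print("without magic_quotes_gpc:", e)
    print("bound parameters:", stored_via_placeholder(RAW_INPUT, "x"))
```

With magic quotes on, the lexer strips the backslashes and Var1 comes back as the original string, quotes included. With magic quotes off, the user's single quote closes the literal early and the rest of the input is parsed as SQL, which is the injection case; the model reports an unterminated literal for this particular input. Two caveats the post does not mention: addslashes() knows nothing about the connection character set, so the escaping PHP offers for this purpose is mysql_real_escape_string(), and bound parameters sidestep the lexer entirely, which is why the placeholder variant needs no escaping at all.
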
Posted: Fri Nov 01, 2002 11:39 am
by Dmitriy Plakhotnik
Try using get_html_translation_table(HTML_ENTITIES);
Example:

<?php
// Build the character-to-entity map (&, <, >, ', " and friends)
$trans = get_html_translation_table(HTML_ENTITIES);
$str = "123& < 'ssg".'"'."><>";
// Replace every mapped character with its HTML entity
$encoded = strtr($str, $trans);
echo $encoded;
?>


--
Sincerely,
Dmitriy S.Plakhotnik
AlarIT programmer
http://www.alarit.com