Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Moderator: General Moderators
onion2k
Jedi Mod
Posts: 5263 Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com
Post
by onion2k » Wed Jan 12, 2005 3:30 am
Simple question really: Do you rely on magic quotes to stop SQL injection, or do you code everything with addslashes?
AGISB
Forum Contributor
Posts: 422 Joined: Fri Jul 09, 2004 1:23 am
Post
by AGISB » Wed Jan 12, 2005 4:40 am
If you code for yourself it doesn't really matter in my opinion.
However, if you code for clients where you cannot control php.ini, 'Magic Quotes' has unpredictable risks, as you never know if it is turned on or not.
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
Post
by feyd » Wed Jan 12, 2005 8:58 am
I code for both events using get_magic_quotes_gpc() or the other one (it's been a while) to tell if I need to strip the incoming data and re-add anything if it's hitting the database.
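One way to implement the approach feyd describes, as an added example that is not code from feyd or the thread: detect the magic_quotes_gpc setting, undo its escaping so the application always sees raw values, and escape exactly once at the database boundary. The function names (strip_magic_quotes, normalise_request_data, sql_quote) are assumptions for this example.

```php
<?php
// Added example (not from the original thread): normalise request data so the
// rest of the application sees raw, unescaped values regardless of the
// magic_quotes_gpc setting, then escape once, where the value meets SQL.

// Recursively remove the slashes magic_quotes_gpc added to GET/POST/COOKIE data.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Run once at the top of every request. get_magic_quotes_gpc() was removed in
// PHP 8, so the call is guarded; on PHP 8 there is nothing to undo.
function normalise_request_data()
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET    = strip_magic_quotes($_GET);
        $_POST   = strip_magic_quotes($_POST);
        $_COOKIE = strip_magic_quotes($_COOKIE);
    }
}

// Escape a value exactly once when it is about to be embedded in SQL.
// addslashes() is used here because it is what the thread discusses; the
// database driver's own escaping function, or prepared statements, is the
// safer choice because addslashes() is not aware of the connection charset.
function sql_quote($value)
{
    return "'" . addslashes($value) . "'";
}

normalise_request_data();

// Constructed sample input standing in for $_POST['name']: the value a user
// sends when they type O'Reilly into the form.
$name = isset($_POST['name']) ? $_POST['name'] : "O'Reilly";

// With normalisation there is one layer of escaping here whether
// magic_quotes_gpc is on or off; without it, an "on" server would
// double-escape the apostrophe and store a literal backslash.
$sql = "SELECT id FROM users WHERE name = " . sql_quote($name);
echo $sql, "\n";
```

The same normalisation step also protects code paths that never touch the database (display, file names, mail headers), which magic quotes would otherwise leave with stray backslashes.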
McGruff
DevNet Master
Posts: 2893 Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland
Post
by McGruff » Tue Jan 18, 2005 4:45 am
malcolmboston
DevNet Resident
Posts: 1826 Joined: Tue Nov 18, 2003 1:09 pm
Location: Middlesbrough, UK
Post
by malcolmboston » Tue Jan 18, 2005 10:52 am
*nods at McGruff*
kgourad
Forum Newbie
Posts: 4 Joined: Wed Jan 19, 2005 11:49 pm
Post
by kgourad » Wed Jan 19, 2005 11:57 pm
I prefer the slash method since I like to have localized control on the code.
khalid Gourad
===Code Free or Die ===========