Magic Quotes versus Addslashes

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Magic Quotes versus Addslashes

Post by onion2k »

Simple question really: Do you rely on magic quotes to stop SQL injection, or do you code everything with addslashes?
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

If you code for yourself it doesn't really matter in my opinion.

However if you code for clients where you cannot control php.ini 'Magic Quotes' has unpredictable risks as you never know if it is turned on or not.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I code for both events using get_magic_quotes_gpc() or the other one (it's been a while) to tell if I need to strip the incoming data and re-add anything if it's hitting the database.
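
The check described in the post above, and the unpredictability raised in the reply before it, as an added example that is not part of any post in this thread. The names `strip_magic_quotes`, `normalize_input` and `$magicQuotesOn` are hypothetical, and the sample values are constructed to show the same submitted name as seen on servers with magic quotes off and on.

```php
<?php
// Added example, not code from the thread. Function and variable names
// are hypothetical; the sample request data below is constructed.

// Recursively undo the escaping that magic_quotes_gpc applied to
// request data (values may be nested arrays, e.g. name[]=...).
function strip_magic_quotes($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes', $value)
        : stripslashes($value);
}

// Return request data in raw form regardless of the php.ini setting.
// get_magic_quotes_gpc() no longer exists in PHP 8, hence the
// function_exists() guard. Passing $magicQuotesOn explicitly lets the
// demo below simulate either server configuration.
function normalize_input(array $input, $magicQuotesOn = null)
{
    if ($magicQuotesOn === null) {
        $magicQuotesOn = function_exists('get_magic_quotes_gpc')
            && get_magic_quotes_gpc();
    }
    return $magicQuotesOn ? strip_magic_quotes($input) : $input;
}

// Constructed sample: one submitted name as the script receives it on a
// server with magic quotes off, and on a server with magic quotes on.
$offServer = array('name' => "O'Reilly");
$onServer  = array('name' => "O\\'Reilly");

// Escaping without the check: on the second server the value is escaped
// twice, so a stray backslash ends up stored in the database.
echo "unchecked: ", addslashes($onServer['name']), "\n";

// With the check, both servers produce the same raw value, which is then
// escaped exactly once at the point where it goes into the query.
// addslashes() stands in for that step as in the thread; the database
// driver's own escaping or bound parameters belong at this point.
foreach (array(array($offServer, false), array($onServer, true)) as $case) {
    $clean = normalize_input($case[0], $case[1]);
    echo "checked:   ", addslashes($clean['name']), "\n";
}
```
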
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

malcolmboston
DevNet Resident
Posts: 1826
Joined: Tue Nov 18, 2003 1:09 pm
Location: Middlesbrough, UK

Post by malcolmboston »

*nods at McGruff*
kgourad
Forum Newbie
Posts: 4
Joined: Wed Jan 19, 2005 11:49 pm

Magic quotes are not the best way to go

Post by kgourad »

I prefer the slash method since I like to have localized control on the code.


khalid Gourad

===Code Free or Die ===========