I have been using PHP 5 and use the following code for escaping input data:
```php
function clean($str) {
    $str = @trim($str);               // @ suppresses the warning trim() raises on non-string input
    if (get_magic_quotes_gpc()) {     // magic_quotes_gpc on: PHP already added slashes to GET/POST/COOKIE
        $str = stripslashes($str);    // undo them so the value is not escaped twice below
    }
    return mysql_real_escape_string($str); // escape for the MySQL string literal (needs an open mysql link)
}
$cust_id = clean($_POST['cust_id']); // function call
```
magic_quotes_gpc/magic_quotes_runtime have been removed as of PHP 6.0.0. Why so? What other coding techniques do you guys use?
Thanks!
Magic quotes
Re: Magic quotes
The function is wrong: it will damage data containing slashes when it comes from sources other than GET/POST/COOKIE.
http://www.logris.org/security/the-curs ... gic-quotes
Also, you don't escape input data. You escape data before it is given to some functions, and every such function requires its own escaping. What you posted is relevant only to mysql_query().
Re: Magic quotes
hmmm.....thanks!!!
- kaisellgren
Re: Magic quotes
If you pass something to a database, escape it. In your case the data may be used elsewhere, too.
You are forgetting magic_quotes_runtime. This may also mess up your code.
These were (will be) removed as of PHP 6, because they cause more problems than they solve.
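An added example, not code from this thread, showing the two points the replies make: the catch-all clean() corrupts data that never passed through GET/POST/COOKIE once magic_quotes_gpc is on, and escaping belongs at each sink (a bound SQL parameter for the query, htmlspecialchars() for HTML), not at input. It assumes PHP 7.4+ with the pdo_sqlite extension; an in-memory SQLite database stands in for MySQL, and addslashes() stands in for mysql_real_escape_string(), which needed a live MySQL link.

```php
<?php
// The OP's clean() on the branch where magic_quotes_gpc is on. The stripslashes() call is
// the problem: it assumes every string it sees was slashed by PHP, which is only true for GPC data.
function clean_with_magic_quotes_on(string $str): string {
    return addslashes(stripslashes(trim($str)));
}

// A value that did NOT come through GPC, e.g. read back from the database or a config file.
// Constructed sample: the actual string is  C:\temp\report.txt  (single backslashes).
$fromFile = 'C:\\temp\\report.txt';
$damaged  = clean_with_magic_quotes_on($fromFile);
echo "clean() turned {$fromFile} into {$damaged}\n";   // C:tempreport.txt, the path is silently lost

// Escaping per sink instead. SQL sink: a prepared statement. The value is bound, never
// spliced into the query text, so there is no manual escaping and no slash damage.
function find_customer(PDO $pdo, string $custId): ?array {
    $stmt = $pdo->prepare('SELECT cust_id, name FROM customers WHERE cust_id = :id');
    $stmt->execute([':id' => $custId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HTML sink: htmlspecialchars(), applied only at the moment the value is written into HTML.
function render_name(string $name): string {
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customers (cust_id TEXT PRIMARY KEY, name TEXT)');
$ins = $pdo->prepare('INSERT INTO customers (cust_id, name) VALUES (:id, :name)');
$ins->execute([':id' => $fromFile, ':name' => "O'Brien <b>"]);   // constructed sample row

// Simulated untrusted input: with a bound parameter the quote is just data, not SQL.
$row = find_customer($pdo, "' OR 1=1 --");
echo $row === null ? "no match for the quoted id, as expected\n" : "unexpected match\n";

// The slashed value round-trips intact because nothing stripped or re-added slashes.
$row = find_customer($pdo, $fromFile);
echo "stored id read back unchanged: {$row['cust_id']}\n";   // C:\temp\report.txt
echo 'safe for HTML: ' . render_name($row['name']) . "\n";  // O&apos;Brien &lt;b&gt;
```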