The current php.ini-recommended in CVS for 5.2 has this at line 95...
; - magic_quotes_gpc = Off         [Performance]
;     Input data is no longer escaped with slashes so that it can be
;     sent into SQL databases without further manipulation. Instead, you should
;     use the function addslashes() on each input element you wish to send to a
;     database.
As far as I was aware addslashes is inadequate for this purpose. Should
this not point people to use database-specific escaping functions rather
than addslashes?
-Stut
> As far as I was aware addslashes is inadequate for this purpose. Should
> this not point people to use database-specific escaping functions rather
> than addslashes?
Yes, even better use placeholders (if the DB API supports it).
--
Alain Williams
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
Chairman of UKUUG: http://www.ukuug.org/
#include <std_disclaimer.h>
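The contrast the two replies draw, as an added example that is not part of the thread or of PHP's own documentation: it runs the addslashes()-and-interpolate approach from the php.ini comment against a placeholder query, using an in-memory SQLite database through PDO so it needs no server. The table, rows and the input value are constructed for the demonstration, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Added example, not from the thread: addslashes() versus placeholders.
// Uses PDO with an in-memory SQLite database (assumes pdo_sqlite is loaded).

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema and rows for the demonstration.
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
    $db->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");
    return $db;
}

// What the php.ini comment recommends: escape with addslashes() and build
// the SQL string by concatenation. addslashes() knows nothing about the
// database in use: it always emits backslash escapes, which SQLite does not
// treat as escapes inside string literals (it doubles quotes instead).
function findByNameAddslashes(PDO $db, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '" . addslashes($name) . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholders: the value is bound separately and never becomes part of the
// SQL text, so the application does not need to know any escaping rules.
function findByNamePlaceholder(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = openDb();
$input = "O'Brien";   // constructed input containing a single quote

try {
    var_dump(findByNameAddslashes($db, $input));
} catch (PDOException $e) {
    // SQLite parses ... WHERE name = 'O\'Brien' as the literal 'O\' followed
    // by a stray identifier and an unterminated string: a syntax error rather
    // than a correctly escaped value.
    echo "addslashes() query failed: ", $e->getMessage(), PHP_EOL;
}

var_dump(findByNamePlaceholder($db, $input));   // matches the O'Brien row
```

The database-specific escaping functions Stut mentions (for MySQL, mysqli_real_escape_string() on an open connection) do produce escapes valid for that particular server and its connection character set, which is what addslashes() cannot do; placeholders, as Alain suggests, remove the question entirely because the driver never has to splice the value into the statement text.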