mailing list archives
From: Ben Sytko <bsytko () yahoo com>
Date: Mon, 20 Jun 2005 16:29:56 -0400
Well, from what I've read, SQL injections are still possible with
magic_quotes_gpc being on, although I do not know how to accomplish
this. Strictly speaking security, I personally, do not know of any other
threats by relying on magic quotes, but let me tell you why you
shouldn't use them:
1. Portability - Depending on weather or not another server has them on
or off can affect the code. If there off on another server, then you SQL
queries will fail if you try to input anything that needs to be escaped.
Consequently, if you code from them begin off, and they are on, you will
get to many slashes in front of escaped characters (ex. Tom\\\\'s).
2. Performance - When they are on, PHP needs to add slashes manually to
every piece of data.
I would recommend just using the addslashes function on all data that
needs to be inputted into the database, but make sure magic_quotes_gpc
is off. You can find more information about this here:
- magic_quotes Pablo Fernández (Jun 20)
- Re: magic_quotes Ben Sytko (Jun 20)