mailing list archives
From: Christoph 'knurd' Jeschke <christoph.jeschke () gmail com>
Date: Wed, 22 Jun 2005 12:33:13 +0200
Pablo Fernández wrote:
Again, the question I asked is in the scenario where magic_quotes *IS
Through casting the GET/POST to object, PHP will warn/error you, if
there is something rotten in the $(G|P)DATA-string when it's evaluated
at mysql_query() - if PHP is not bogus - something you really can't rely
on (Bugs are everywhere!).
But if you only rely on magic_quotes_runtime (MQR), your application
will be easily affected, if the MQR-mechanism is not as good as you
thought. So use additionally mysql_real_escape_string and Stored
Procedures. Second and third defense line are always good.
Ah, and ... use $_REQUEST so you don't have to check where the data came
from. And don't forget a acceptable error handling (and logging).