Quoting tim_at_xi.co.nz:
> From my point of view, magic_quotes is a bad idea, because
> it can't possibly cover every way data can enter your
> script, and it's counterproductive when you want to do other
> things with that data.
I agree.
One more argument against magic quotes is that they provide a false sense of
security, by not helping against some common cases of SQL Injections: the ones
where you don't need to use any apostrophes or quotes.
$id = "id #";   // attacker-controlled value: no quotes, so addslashes() leaves it untouched
$sql = "DELETE FROM table WHERE id=$id AND permission=7";
Now $sql has the value "DELETE FROM table WHERE id=id # AND permission=7".
Magic quotes won't help against that at all.
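The same failure mode, worked through end to end as an added example (not code from the original post): a small emulation of what magic_quotes_gpc/addslashes() does, a query that interpolates the "escaped" value into a numeric position, and the parameterized and validated variant that actually closes the hole. It runs against an in-memory SQLite database with constructed sample rows; note that SQLite's comment marker is "--" where the MySQL query in the post uses "#", so the payload is adjusted accordingly.

```python
import re
import sqlite3

# Constructed sample data (not from the original post): (id, permission)
ROWS = [(1, 7), (2, 7), (3, 5)]


def magic_quotes(value: str) -> str:
    """Emulate PHP's magic_quotes_gpc / addslashes(): prefix single quotes,
    double quotes, backslashes and NUL bytes with a backslash. Anything else,
    including spaces, SQL keywords and comment markers, passes through."""
    return re.sub(r"(['\"\\\x00])", r"\\\1", value)


def fresh_db() -> sqlite3.Connection:
    """Return a new in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER, permission INTEGER)")
    conn.executemany("INSERT INTO t VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def remaining(conn: sqlite3.Connection) -> int:
    """Number of rows still in the table."""
    return conn.execute("SELECT COUNT(*) FROM t").fetchone()[0]


def delete_interpolated(conn: sqlite3.Connection, user_id: str) -> int:
    """Vulnerable pattern from the post: the escaped value is pasted into a
    numeric context, so a payload without quotes is not changed at all.
    Returns the number of rows deleted."""
    sql = f"DELETE FROM t WHERE id={magic_quotes(user_id)} AND permission=7"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_validated(conn: sqlite3.Connection, user_id: str) -> int:
    """Hardened variant: the value is validated as an integer (ValueError on
    anything else) and bound as a parameter, never spliced into the SQL text.
    Returns the number of rows deleted."""
    cur = conn.execute(
        "DELETE FROM t WHERE id=? AND permission=7", (int(user_id),)
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    # Payload mirroring the post's "id #", with SQLite's comment syntax.
    payload = "id --"
    print("after magic quotes:", repr(magic_quotes(payload)))  # unchanged

    conn = fresh_db()
    print("interpolated, deleted:", delete_interpolated(conn, payload))  # all 3
    print("rows left:", remaining(conn))

    conn = fresh_db()
    try:
        delete_validated(conn, payload)
    except ValueError as exc:
        print("validated variant rejected the value:", exc)
    print("rows left:", remaining(conn))  # still 3
```

The query built by delete_interpolated() becomes "DELETE FROM t WHERE id=id -- AND permission=7", which is true for every row, exactly as in the post; escaping never had a chance to act because the payload contains nothing that addslashes() looks for.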
Another argument against magic quotes is that they are switched on in php.ini.
If you are not the system administrator of your web site (common for hobbyists
or smaller companies), you may not have control over php.ini. Even if you do,
things can get awkward with different PHP scripts on the same server that
require different settings. A really good PHP application should therefore work
equally well no matter the value of php.ini settings like register_globals and
magic_quotes_gpc.
--
Ulf Härnhammar, student, Uppsala universitet
"Jag är en tvivelaktig figur / Duger ej mycket till"
-- Cornelis Vreeswijk, "Somliga går med trasiga skor"
Uggs != Cmectbb
Received on Nov 22 2003