
question about magic quotes

#1
July 17th, 2005, 10:21 AM
Marcus
Hi all,

I've been reading up on magic quotes but I'm still confused, seems like
all the info I can find is just regurgitating the little blurb in the
php manual. My question is this: if I turn both magic_quotes_gpc and
magic_quotes_runtime ON in php.ini, does that mean I do not need to also
use addslashes() and stripslashes() on all my GPC and MySQL data? i.e.
does magic_quotes in effect take care of addslashes() and stripslashes()
automatically? Thanks in advance.

Marcus

#2
July 17th, 2005, 10:21 AM
Marcus

re: question about magic quotes


Marcus wrote:
> Hi all,
>
> I've been reading up on magic quotes but I'm still confused, seems like
> all the info I can find is just regurgitating the little blurb in the
> php manual. My question is this: if I turn both magic_quotes_gpc and
> magic_quotes_runtime ON in php.ini, does that mean I do not need to also
> use addslashes() and stripslashes() on all my GPC and MySQL data? i.e.
> does magic_quotes in effect take care of addslashes() and stripslashes()
> automatically? Thanks in advance.
>
> Marcus

Sorry for another post, but just to clarify on my previous post, is
there a proper configuration with any/all of the magic_quotes values so
that I can "safely" accept data and interact with my DB without using
addslashes/deleteslashes everywhere?

Also, when I look in my MySQL tables through the command prompt, if
records with single quotes do not show up as escaped by /, am I doing
something wrong? Thanks again.

Marcus

#3
July 17th, 2005, 10:24 AM
Michael Fesser

re: question about magic quotes


.oO(Marcus)
>Sorry for another post, but just to clarify on my previous post, is
>there a proper configuration with any/all of the magic_quotes values so
>that I can "safely" accept data and interact with my DB without using
>addslashes/deleteslashes everywhere?

I don't care about magic quotes anymore, I do the escaping on my own.
When "importing" user-submitted data I run it through something like
this to have the data in raw format:

function filter($data) {
    // Undo the slashes magic_quotes_gpc added, if it is on, to get the raw data
    return get_magic_quotes_gpc() ? stripslashes($data) : $data;
}

Then, when necessary, I use mysql_escape_string(), htmlspecialchars()
etc. to escape/convert the data, dependent on what I wanna do with it.
IMHO it's more reliable to have control over the data handling instead
of relying on some "background magic", which might lead to unexpected
results.
>Also, when I look in my MySQL tables through the command prompt, if
>records with single quotes do not show up as escaped by /, am I doing
>something wrong?

No, the escape chars are not stored in the database.

Micha
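
Added example, not part of the thread or any poster's code: the flow described in the reply above (get the input back to raw form, then escape per destination), run against an in-memory SQLite database through PDO. Assumptions: the pdo_sqlite extension is available, bound parameters are used in place of mysql_escape_string(), and the hypothetical $magicQuotesOn flag stands in for get_magic_quotes_gpc(), which was removed in PHP 8. The sample input is constructed.

```php
<?php
// Return the data as the user typed it, whether or not magic quotes touched it.
// $magicQuotesOn is a hypothetical stand-in for get_magic_quotes_gpc().
function to_raw(string $data, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($data) : $data;
}

$typed      = "O'Reilly <b>";        // constructed sample input
$asReceived = addslashes($typed);    // what magic_quotes_gpc=On would hand the script
$raw        = to_raw($asReceived, true);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT)');

// Bound parameter: the value never becomes part of the SQL text, so it
// needs no slashes and none end up in the table.
$insert = $db->prepare('INSERT INTO people (name) VALUES (?)');
$insert->execute([$raw]);

// Failure mode: data that still carries magic-quotes slashes is stored
// literally, backslash included, because nothing strips it on the way in.
$insert->execute([$asReceived]);

foreach ($db->query('SELECT id, name FROM people ORDER BY id') as $row) {
    // Row 1 holds the raw text; row 2 holds a stray backslash.
    $stored = $row['name'];

    // Escape for the destination only at output time: here, HTML.
    $html = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');

    printf(
        "row %d  stored=%s  matches_typed=%s  html=%s\n",
        $row['id'],
        $stored,
        var_export($stored === $typed, true),
        $html
    );
}
```
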