Connecting Tech Pros Worldwide Forums | Help | Site Map
bytes > topic > php > answers

question about magic quotes

Marcus
Guest
  
Posts: n/a
#1: Jul 17 '05
Hi all,

I've been reading up on magic quotes but I'm still confused, seems like
all the info I can find is just regurgitating the little blurb in the
php manual. My question is this: if I turn both magic_quotes_gpc and
magic_quotes_runtime ON in php.ini, does that mean I do not need to also
use addslashes() and stripslashes() on all my GPC and MySQL data? i.e.
does magic_quotes in effect take care of addslashes() and stripslashes()
automatically? Thanks in advance.

Marcus

Marcus
Guest
  
Posts: n/a
#2: Jul 17 '05

re: question about magic quotes

Marcus wrote:
[color=blue]
> Hi all,
>
> I've been reading up on magic quotes but I'm still confused, seems like
> all the info I can find is just regurgitating the little blurb in the
> php manual. My question is this: if I turn both magic_quotes_gpc and
> magic_quotes_runtime ON in php.ini, does that mean I do not need to also
> use addslashes() and stripslashes() on all my GPC and MySQL data? i.e.
> does magic_quotes in effect take care of addslashes() and stripslashes()
> automatically? Thanks in advance.
>
> Marcus
>[/color]

Sorry for another post, but just to clarify on my previous post, is
there a proper configuration with any/all of the magic_quotes values so
that I can "safely" accept data and interact with my DB without using
addslashes/deleteslashes everywhere?

Also, when I look in my MySQL tables through the command prompt, if
records with single quotes do not show up as escaped by /, am I doing
something wrong? Thanks again.

Marcus
Michael Fesser
Guest
  
Posts: n/a
#3: Jul 17 '05

re: question about magic quotes

.oO(Marcus)
[color=blue]
>Sorry for another post, but just to clarify on my previous post, is
>there a proper configuration with any/all of the magic_quotes values so
>that I can "safely" accept data and interact with my DB without using
>addslashes/deleteslashes everywhere?[/color]

I don't care about magic quotes anymore, I do the escaping on my own.
When "importing" user-submitted data I run it through something like
this to have the data in raw format:

function filter($data) {
return get_magic_quotes_gpc() ? stripslashes($data) : $data;
}

Then, when necessary, I use mysql_escape_string(), htmlspeciclchars()
etc. to escape/convert the data, dependent on what I wanna do with it.
IMHO it's more reliable to have control over the data handling instead
of relying on some "background magic", which might lead to unexpected
results.
[color=blue]
>Also, when I look in my MySQL tables through the command prompt, if
>records with single quotes do not show up as escaped by /, am I doing
>something wrong?[/color]

No, the escape chars are not stored in the database.

Micha
Closed Thread

« previous question | next question »

Similar PHP bytes

/bytes/development

/bytes/it

Forums
Visit our community forums for general discussions and latest on Bytes

Our staff and community areas have moved to bytes.com/forums/

/bytes/about

We are a network of experts and professionals in IT and software development that help one another with answers to tough questions and share insights. Get the best answers to your questions from over 226,510 network members.

dev questions:
algorithms | asp | asp.net | c/c++ | coldfusion | c# | flash | html/css | java | javascript |
mobile dev | .net | perl | php | python | ruby | software dev | vb.net | visual basic | xml
it questions:
access | apache | careers | db2 | iis | macosx | mysql | networking | oracle | postgresql | sql server | unix | windows

About Bytes | Copyright 1995-2009 BYTES. All rights Reserved