On 29 Apr 2004 07:38:49 -0700,
ja*******@hotmail.com (Joe Randstein) wrote:
I now use the DB classes from PEAR with mysql. Do I still have to use
addslashes?
I ask because I get some very strange results: I get slashes in front
of every " and they get saved in my database :-(
Now my hoster has turned magic_quotes_gpc on anyway. As a workaround:
In a PHP environment where magic_quotes_gpc is turned on, can I do
stripslashes on all request data without danger?
Or what is the recommended way to safely insert request-data into
mysql with PEAR?
Using PEAR's placeholder emulation, without adding slashes. Prepare a
statement using ? for the placeholders and bind the data you want saved without
any modification.
Do not embed values in the SQL statement.
INSERT INTO t (c) values (?) -- correct
INSERT INTO t (c) values ('?') -- wrong, most of the time
INSERT INTO t (c) values ('$val') -- very wrong
http://pear.php.net/manual/en/packag...ro-execute.php
--
Andy Hassall <an**@andyh.co.uk> / Space: disk usage analysis tool
http://www.andyh.co.uk /
http://www.andyhsoftware.co.uk/space
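Putting the reply's advice together with the magic_quotes_gpc workaround asked about in the question, here is an added example (not code from either poster) of the full request-to-INSERT path with PEAR DB. It assumes PEAR's DB package is installed, a MySQL DSN (the credentials and table below are made up), and a PHP version where get_magic_quotes_gpc() still exists. The helper undo_magic_quotes() is my own name.

```php
<?php
// Added example, not from the original thread. Shows: undo magic_quotes_gpc
// exactly once and only when the server enabled it, then hand raw values to
// PEAR DB placeholders and let the library do the quoting.
require_once 'DB.php';

// Recursively strip the slashes that magic_quotes_gpc added to GET/POST/COOKIE.
// Calling stripslashes() when magic quotes is OFF would destroy legitimate
// backslashes typed by the user, hence the get_magic_quotes_gpc() guard below.
function undo_magic_quotes($data)
{
    if (!is_array($data)) {
        return stripslashes($data);
    }
    $clean = array();
    foreach ($data as $key => $value) {
        $clean[$key] = undo_magic_quotes($value);
    }
    return $clean;
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// Hypothetical DSN: replace with real credentials.
$db = DB::connect('mysql://user:secret@localhost/appdb');
if (PEAR::isError($db)) {
    die('Connect failed: ' . $db->getMessage());
}

// The request value is used as-is: no addslashes(), no manual quoting.
// A value such as   O'Brien said "hi" \ done   is stored exactly as typed.
$comment = isset($_POST['comment']) ? $_POST['comment'] : '';

// The ? is unquoted in the SQL text; PEAR DB escapes and quotes the bound
// value itself. Writing '?' or "$comment" here would be the mistakes the
// reply warns about.
$sth = $db->prepare('INSERT INTO comments (body) VALUES (?)');
$res = $db->execute($sth, array($comment));
if (PEAR::isError($res)) {
    die('Insert failed: ' . $res->getMessage());
}
$db->freePrepared($sth);

// The query helpers accept bound parameters directly, so a one-off lookup
// does not need a separate prepare()/execute() pair.
$row = $db->getRow('SELECT id, body FROM comments WHERE body = ?',
                   array($comment), DB_FETCHMODE_ASSOC);
if (PEAR::isError($row)) {
    die('Select failed: ' . $row->getMessage());
}
echo 'Stored row ' . $row['id'] . ': ' . htmlspecialchars($row['body']);
```

The ordering matters: slashes are removed from the superglobals once, at the top of the request, and nothing downstream ever escapes by hand. If the hoster later turns magic_quotes_gpc off, the guard makes the strip a no-op and the stored data stays unchanged.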