- Posted on
- Chris Cox
March 3, 2005, 7:02 am
Hoping someone can help. I have an SQL query which is passed to the
script via the URL; this is like:-
If I look at $_GET['stmt'], this gives:-
select * from tickets where ( status=''Closed'' ......
If I look at $HTTP_GET_VARS['stmt'], this gives:-
select * from tickets where ( status=\'Closed\' ......
To get the query back again I run it through stripslashes(); however,
obviously this will have no effect with the $_GET['stmt'] variable.
So to my question: why am I getting differing results? I believed that
the two variables were always the same. Why is the ' not being escaped
with a \?
I am running PHP 5.0.3 on Apache.
Would appreciate some enlightenment, as I am beginning to pull my hair
out. I only have this problem with SQLite queries; MySQL queries are
escaped correctly in $_GET['stmt'].
Thanks in advance
Re: $_GET & $HTTP_GET_VARS return different results
*** Chris Cox escribió/wrote (Thu, 03 Mar 2005 01:02:30 +0000):
So that the user can manually rewrite the URL to
Check this page: http://www.php.net/magic_quotes
If you cannot disable magic quotes for the whole server try to either
disable it for your script or detect it and unescape if necessary. Magic
quotes are evil.
Also, back up your database often; it'll get hacked pretty soon if you don't
change your design :)
-+ Álvaro G. Vicario - Burgos, Spain
+- http://www.demogracia.com (the humor website varnished for the outdoors)
-+ Send your questions to the group, not to my mailbox
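
The design change the reply above calls for, as an added example (not code from the thread or from either poster): the URL carries only a filter value, which is checked against an allowlist and bound into a fixed statement, so the quoting style applied to the request no longer matters. The `status` parameter name, the allowed values, the `id` and `subject` columns and the sample rows are assumptions.

```php
<?php
// Added example. Only "tickets" and "status" come from the thread;
// every other name and all sample data here are constructed.

const ALLOWED_STATUS = ['Open', 'Closed', 'Pending']; // assumed value set

function find_tickets(PDO $db, array $query): array
{
    // Accept a value, never SQL: ?status=Closed instead of ?stmt=select...
    $status = $query['status'] ?? null;
    if (!is_string($status) || !in_array($status, ALLOWED_STATUS, true)) {
        throw new InvalidArgumentException('unknown status filter');
    }
    // The statement text is fixed; the value travels as a bound parameter,
    // so quote characters in it can never become part of the query.
    $stmt = $db->prepare(
        'SELECT id, subject, status FROM tickets WHERE status = :status'
    );
    $stmt->execute([':status' => $status]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory SQLite database standing in for the real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tickets (id INTEGER PRIMARY KEY, subject TEXT, status TEXT)');
$db->exec("INSERT INTO tickets (subject, status) VALUES
    ('Printer jam', 'Closed'), ('VPN down', 'Open'), ('New laptop', 'Closed')");

// Stand-ins for $_GET: a normal request, a tampered value, and an array
// parameter (?status[]=Closed), which must also be rejected.
$requests = [
    ['status' => 'Closed'],
    ['status' => "Closed' OR '1'='1"],
    ['status' => ['Closed']],
];
foreach ($requests as $get) {
    try {
        $rows = find_tickets($db, $get);
        echo count($rows), " ticket(s) returned\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```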