I have a form with a submit button like this:

<p class="loginsubmit"><input class="submit"  type="submit"
value="Login" name="doLogin"></p>

In phpinfo() I see:
magic_quotes_gpc    On    On
magic_quotes_runtime    Off    Off
magic_quotes_sybase    Off    Off

I have apache2, and php5. When the form is posted, is it safe to use
if(isset($doLogin) && $doLogin="Login") {

or do I first need to say: $doLogin=addslashed($_POST['doLogin']);

thanks a lot.

Re: magic_quotes

On Jun 10, 12:54 pm, Harris Kosmidhs

Firstly, magic_quotes are deprecated. If your code is going to be
running anywhere that might have them set, then you should test if they
are set, and if so **stripslashes**.

Instead of addslashes you should use the appropriate encoding function
for the use to which you are applying the data **at the point where
you are applying the data** e.g. mysql_real_escape_string(),
htmlentities(), urlencode etc.


Re: magic_quotes

.oO(Harris Kosmidhs)

Doesn't matter. Magic quotes are a completely broken feature and will be
removed from PHP 6. You shouldn't use them anymore, unless you want to
rewrite all your code again in a few years.

Almost as useless as magic quotes. You won't need it. It won't prevent
SQL injection for example.

That's not going to work.

PDO is perfectly OK and injection-safe if used properly with prepared
statements, but if you also use addslashes(), you'll corrupt your data.

The correct way is to either completely disable magic quotes and never
touch them again, or, if you can't disable them, check at runtime and
call stripslashes() if necessary to get the raw data. Then use the
appropriate encoding functions when you actually work with the data.
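
The approach the replies describe (recover the raw data, then encode for each context at the point of use), as an added example that is not code from any poster in this thread. The `raw_value()` helper, the `logins` table, the `user` field and the sample input are constructed for illustration, and an in-memory SQLite database through PDO is assumed.

```php
<?php
// Added example; helper, table, field names and sample values are constructed.

// Return the raw value the client sent. With $quoted left as null the
// runtime setting is checked; get_magic_quotes_gpc() no longer exists in
// PHP 8, so its absence means there is nothing to undo.
function raw_value($value, $quoted = null)
{
    if ($quoted === null) {
        $quoted = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    }
    return $quoted ? stripslashes($value) : $value;
}

// Constructed request data: what $_POST would hold with magic_quotes_gpc On
// after a user typed  O'Brien <admin>  into the form.
$post = array('user' => "O\\'Brien <admin>", 'doLogin' => 'Login');

// The sample is already quoted, so say so explicitly; live code would call
// raw_value($_POST['user']) and let the runtime check decide.
$user = raw_value($post['user'], true);

// Comparing the button value against a constant needs no escaping at all.
if (isset($post['doLogin']) && $post['doLogin'] === 'Login') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE logins (user TEXT)');

    // SQL context: a bound parameter, no manual escaping.
    $insert = $db->prepare('INSERT INTO logins (user) VALUES (:user)');
    $insert->execute(array(':user' => $user));

    // addslashes() on top of a bound parameter stores the backslash itself,
    // which is the data corruption mentioned in the last reply.
    $insert->execute(array(':user' => addslashes($user)));

    foreach ($db->query('SELECT user FROM logins') as $row) {
        // HTML context: encode at the moment of output, not at input time.
        echo htmlentities($row['user'], ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

The second row printed still carries a backslash before the quote, while the first row is the value the user actually typed, HTML-encoded only on output.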

