I have a function:

    function make_safe($variable) {
        $variable = addslashes(trim($variable));
        return $variable;
    }

I'm not exactly sure what I should do at this point, because none of the data in my database has slashes in it, but I want to use this for all of my text boxes, for searching and everything. So would I have to manually go through the database and add the slashes, or is there a better way to accomplish this?
What database are you saving data to? If it is MySQL, then I would opt for mysql_real_escape_string instead of addslashes.
Brew
Hi again. I've re-read your question... Are you planning on updating the data in the database? If so, it would be a good idea to add slashes to the data using mysql_real_escape_string() - remember though to remove them using stripslashes() when you display the data.
Brew
OK, I've read some more into it, and it appears that if I have magic_quotes_gpc on, it essentially does the exact same thing as addslashes. So I wouldn't even have to worry about using it, correct?
How about using mysql_real_escape_string() like everyone else says, and not just magic_quotes_gpc... magic_quotes doesn't solve all the exploit issues like real_escape can. It's not hard, really:

    <?php
    $someInput = $_POST['input'];
    // other input checks go here: is it too big? too small? wrong data type?
    // connecting to SQL would go here
    $result = mysql_query("SELECT * FROM `somedatabase` WHERE `name` = '" . mysql_real_escape_string($someInput) . "'");
    // more stuff
    ?>

Of course, consulting php.net's best-practices example on their site is the best idea... 'cause even my example isn't a best practice...
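As an added example that is not part of the thread: the name search above done with a prepared statement, which answers the original question directly, since the stored data never needs slashes when the value is bound as a parameter instead of spliced into the SQL string. The mysql_* functions discussed above were removed in PHP 7.0; PDO (or mysqli) prepared statements are the current approach. It uses an in-memory SQLite database so it runs offline (assumes the pdo_sqlite extension); the table name `somedatabase` is taken from the thread, the sample rows are constructed.

```php
<?php
// Added example, not code from the thread. In-memory SQLite via PDO so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE somedatabase (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Store rows exactly as typed (constructed sample data). The placeholder hands the
// value to the driver separately from the SQL text, so a quote inside the value is
// plain data, never part of the statement. No addslashes() before storing.
$insert = $db->prepare('INSERT INTO somedatabase (name) VALUES (:name)');
foreach (["O'Brien", 'Smith', 'Ana "Ace" Lee'] as $name) {
    $insert->execute([':name' => $name]);
}

/** Exact-match lookup for a text box: bound parameter instead of string concatenation. */
function find_by_name(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM somedatabase WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Prefix search for a search box. Binding stops the input from changing the SQL,
 * but it does not neutralise LIKE wildcards (% and _) typed by the user, so those
 * are escaped in the pattern and the ESCAPE clause names the escape character.
 */
function search_name_prefix(PDO $db, string $prefix): array
{
    $pattern = strtr($prefix, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
    $stmt = $db->prepare("SELECT id, name FROM somedatabase WHERE name LIKE :p ESCAPE '\\'");
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// What the question's make_safe() would have produced before storing: a backslash
// becomes part of the data, so a later search for the name as typed would miss it.
$escaped = addslashes(trim("O'Brien"));
echo "make_safe() output, which should NOT be what gets stored: $escaped\n";

// With bound parameters the row is stored verbatim and the search as typed matches.
var_dump(find_by_name($db, "O'Brien"));
var_dump(find_by_name($db, $escaped));       // the slashed form matches nothing
var_dump(search_name_prefix($db, 'O'));      // prefix search over the same data
var_dump(search_name_prefix($db, '%'));      // a literal % typed by the user matches no name
```

The same prepare/bind pattern works unchanged against MySQL by swapping the PDO DSN; the escaping decisions that the thread debates (addslashes vs mysql_real_escape_string vs magic_quotes) disappear because no user text is ever concatenated into the query.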