Hello, if the magic_quotes_gpc parameter of the PHP server is set to ON, is there still a danger of SQL injection? If yes, could you detail or provide some examples? Thanks.
____________________________
http://photo4u.awardspace.com
Yes, magic quotes only protect against some scenarios, such as: mysql_query("SELECT * FROM table WHERE field = '{$_GET['field']}'"); With numeric data, variable table names, variable query order, asc/desc, etc., you have to deal with it yourself.
Thanks for your answers. I looked at php.net and found multiple alternatives for escaping strings: mysql_real_escape_string(), addcslashes(), magic_quotes_gpc and many others. Somewhere it is written that if magic quotes are on, I must unstrip the string and afterwards pass it to mysql_real_escape_string(). Why? Is there a resource somewhere explaining the difference? I am looking at it from the perspective of SQL injection avoidance.
Just make sure that when you are putting any kind of data into a database you filter it. Then occasionally, depending on which function you are using, you may have to convert it back so the string displays correctly on the screen.
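The following is an added illustration, not code from anyone in this thread. It simulates magic_quotes_gpc with addslashes() to show the point made in the second reply (only quoted string contexts are covered; numeric and ORDER BY contexts are left untouched), and then the pattern the third post asks about: undo the magic quotes, cast numbers, allowlist identifiers, and bind strings through PDO prepared statements. The $pdo connection and the users table are assumed; the queries are only built, not executed.

```php
<?php
// Added example: what magic_quotes_gpc does and does not cover.

// magic_quotes_gpc applied addslashes() to every GET/POST/COOKIE value.
function magic_quotes(array $input): array {
    return array_map('addslashes', $input);
}

// Constructed sample request (assumed values, not real traffic).
$raw = [
    'name'  => "O'Brien",     // quoted string context: the quote gets escaped
    'id'    => '1 OR 1=1',    // numeric context: nothing here to escape
    'order' => 'created_at',  // identifier context: nothing here to escape
];
$gpc = magic_quotes($raw);

// Which values were actually changed by the escaping?
function changed_by_magic_quotes(array $raw, array $gpc): array {
    $out = [];
    foreach ($raw as $k => $v) { $out[$k] = ($gpc[$k] !== $v); }
    return $out;   // name => true, id => false, order => false
}

// Vulnerable pattern from the thread: interpolating escaped values directly.
$q1 = "SELECT * FROM users WHERE name = '{$gpc['name']}'";  // helped
$q2 = "SELECT * FROM users WHERE id = {$gpc['id']}";        // not helped
$q3 = "SELECT * FROM users ORDER BY {$gpc['order']}";       // not helped

// Defensive version: strip the magic quotes once, then type and bind.
function build_safe_query(PDO $pdo, array $gpc): PDOStatement {
    // If magic quotes are on, undo them before the data reaches the driver;
    // otherwise mysql_real_escape_string()/PDO would double-escape it.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $gpc = array_map('stripslashes', $gpc);
    }
    $id = (int) $gpc['id'];                 // non-numeric input becomes 0
    $allowed = ['name', 'created_at'];      // identifiers cannot be bound:
    $order = in_array($gpc['order'], $allowed, true)
        ? $gpc['order'] : 'name';           // so allowlist them instead
    $stmt = $pdo->prepare(
        "SELECT * FROM users WHERE name = :name AND id = :id ORDER BY $order"
    );
    $stmt->bindValue(':name', $gpc['name'], PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    return $stmt;
}
```

print_r(changed_by_magic_quotes($raw, $gpc)) shows that only the quoted name was touched, which is exactly the gap the second reply describes.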