Re: TWIG SQL query bugs

From: Gunther Birznieks (guntherat_private)
Date: Sat Jun 02 2001 - 04:37:53 PDT


At 09:48 AM 5/31/2001 -0700, kj wrote:
> > PHP used to have an option to automatically use addslashes() on any variable
> > passed to it via POST or GET.  Please see your PHP.INI file and set the
> > appropriate setting for "magic_quotes_gpc"
>
> Isn't the "magic_quotes_gpc" only for GET/POST/COOKIES? For SQL
> statements to dbs I think you need to initialize magic_quotes_runtime
> for the addslashes() default.

The problem with magic_quotes_gpc is that it is a global variable in PHP.
Many sysadmins turn it off because they may be using a program that
requires them not to be escaped. At least I understand this from a talk on
advanced PHP techniques someone gave at ApacheCon a few months ago.

Unfortunately, I don't think magic_quotes_runtime is on by default if it
does what you say. The manual says it affects DB routines that return data,
which implies it affects data returned; it doesn't mention anything about
the DB routines that only accept input parameters and never return anything.

Maybe someone with more PHP experience and a handy PHP engine could verify
this.

Many of the books that I have seen on PHP *assume* when they teach
programmers that magic_quotes_gpc is ON in their security model because
this is how PHP is set up by default.

Unfortunately, this is not the truth and I can only imagine that there must
be many PHP scripts out there that also follow this assumption -- because
the people who write the code are probably reading these books and learning
to code that way.

> K.J.

__________________________________________________
Gunther Birznieks (gunther.birznieksat_private)
eXtropia - The Open Web Technology Company
http://www.eXtropia.com/
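The message above argues that a script cannot rely on magic_quotes_gpc because it is a global setting an administrator may have switched off. The following PHP snippet is an added example, not code from TWIG or from anyone in this thread: it normalizes request values back to what the user actually sent (undoing addslashes() only when magic_quotes_gpc is on), then passes them to the database as bound parameters so the driver does the escaping regardless of any php.ini setting. For reference, magic_quotes_runtime applied addslashes() to data returned from external sources such as files and database fetches, not to query parameters, and both magic_quotes settings were removed in PHP 5.4. The use of PDO with an in-memory SQLite database, the `users` table and the function names are assumptions of this example.

```php
<?php
// Added example (not TWIG code): keep SQL parameter handling independent of
// the magic_quotes_gpc global that administrators may turn on or off.

/**
 * Return $value as the client actually sent it. If magic_quotes_gpc is on,
 * PHP has already run addslashes() over GET/POST/COOKIE data, so undo that;
 * otherwise the value is returned unchanged. Either way the caller gets raw
 * input and escapes it exactly once, in one place.
 * get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists guard.
 */
function rawRequestValue($value)
{
    if (is_array($value)) {
        return array_map('rawRequestValue', $value);
    }
    $magicOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magicOn ? stripslashes((string) $value) : (string) $value;
}

/**
 * Look up a user by login name with a bound parameter. Escaping happens in
 * the database driver at execution time, so the query is built correctly
 * whether or not any magic_quotes_* setting is enabled.
 */
function findUserByLogin(PDO $db, $login)
{
    $stmt = $db->prepare('SELECT id, login FROM users WHERE login = :login');
    $stmt->bindValue(':login', $login, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database (assumed available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT NOT NULL)');
$db->exec("INSERT INTO users (login) VALUES ('kj'), ('o''brien')");

// Constructed inputs standing in for $_GET['login']: one plain login, one
// containing a quote character, one containing a backslash.
$samples = array('kj', "o'brien", 'back\\slash');
foreach ($samples as $raw) {
    $login = rawRequestValue($raw);
    $row = findUserByLogin($db, $login);
    printf("%-12s -> %s\n", $raw, $row ? 'found id ' . $row['id'] : 'no match');
}
```

Because the normalization step is the only place that looks at the magic_quotes_gpc setting, a script written this way behaves identically on a host where the administrator has turned the option off, which is the situation the message says the PHP books ignore.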
    



This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 13:07:16 PDT