It will prevent those kinds of attacks at the expense of not teaching you how to write around them. It's really very easy to avoid sql injection attacks. magic_quote_gpc also has this "magic" thing, and you don't always want your data escaped. Sometimes, you do happen to do things other than database work with form data.
register_globals = off (Score:5, Informative)
Re:register_globals = off (Score:2, Informative)
magic_quote_gpc = On
For those not familiar with php, this will escape single quotes in GET/POST/COOKIE data. Helps protect the unfamiliar from things like SQL injection attacks. Once you know what you are doing they can be a bit of a pain in the ass, but for new people, it can help make your code a bit safer.
Ack! (Score:2, Informative)
magic_quotes_gpc = On
That's quotes, plural. Sorry for any confusion.
Re:register_globals = off (Score:3, Insightful)
Just Say No (Score:2)
I disagree. Your suggestion is the way the US education system tends to work - teach kids the easy way first, then teach them the right way later (and explain why the easy way is wrong).
The magic quotes feature escapes data for use in a query. There are lots of things you can be doing with data, and storing it is just one.
Also, the escaping that magic quotes does is equivalent to the addslashes function. This is a good last resort, but better options exist for many databases - for example, mysql_escape_st
Re:register_globals = off (Score:5, Funny)
Switch the damn thing off. It's a bloody annoying hack which may (or may not be) switched on for a particular web host, meaning that for security reasons your code has to check whether it's switched on or off, and massage data accordingly.
I've got two functions which automatically strip incoming data of any added escaping, because with my form validation stuff the text may either go into an SQL query or back into the form again, with missing fields highlighted. Text might have come out of the database sans escaping, for editing purposes, and I don't want to have to write my forms code to treat data differently depending on its source. If everything's plain, unescaped text, it makes things so much simpler...
A couple of simple rules - firstly, when creating a database query, always (integer )$record_id or '".mysql_escape_string( $input_string )."' all variables in your queries, having previously checked them for sanity.
Secondly, keep as much code as possible in defined functions, out of the scope of register_globals idiocy. Yes, it can be switched off, but always assume that it's switched on, and is your enemy. Plus, it's a lot easier to track incoming data in your code when it's all defined at the beginning...
page_record_input( ACTION_EDIT, array_unescape( $_POST['input_record'] ), (integer )$_GET['record_id'] );
And lastly, always assume that your users are out to get you. Validate all data, and assume everything and everyone is hostile.
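An added example (not the poster's code) of the two rules above in working PHP: undo whatever magic_quotes_gpc did so form data is plain text regardless of the host's setting, then cast or escape every variable that reaches a query after a sanity check. array_unescape() is the poster's function name with an assumed body; addslashes stands in for mysql_escape_string so the script runs without a database.

```php
<?php
// Added example, not the poster's code. Rule 1: incoming GPC data becomes plain,
// unescaped text whether or not magic_quotes_gpc is on, so the same value can go
// into a query or back into a form. Rule 2: every query variable is either cast
// to an integer or escaped and quoted, after a sanity check.
// array_unescape() is the poster's function name; its body here is an assumption.

function array_unescape($value)
{
    // Strip the backslashes magic_quotes_gpc added; recurse because fields
    // submitted as name[] arrive as nested arrays.
    if (is_array($value)) {
        return array_map('array_unescape', $value);
    }
    return stripslashes($value);
}

function normalise_input($value, $magic_quotes_on = null)
{
    // Detect the setting at runtime (the poster's point: a host may have it on or off).
    // get_magic_quotes_gpc() no longer exists in PHP 8, so "function missing" means off.
    if ($magic_quotes_on === null) {
        $magic_quotes_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    // Only strip when slashes really were added, or legitimate backslashes get lost.
    return $magic_quotes_on ? array_unescape($value) : $value;
}

function build_update_query($record_id, $title, callable $escape)
{
    // Sanity check first, then the (integer) cast: a tampered id like "42abc" is rejected
    // outright instead of being silently truncated to 42.
    if (!preg_match('/^[0-9]+$/', (string)$record_id)) {
        throw new InvalidArgumentException('record_id must be an unsigned integer');
    }
    $id = (int)$record_id;
    // Strings are always escaped and single-quoted; nothing is interpolated raw.
    return "UPDATE records SET title = '" . $escape($title) . "' WHERE id = " . $id;
}

// Constructed sample request, as it arrives with magic_quotes_gpc = On (hence the \').
$post = array('input_record' => array('title' => "O\\'Reilly"));
$get  = array('record_id' => '42');
$record = normalise_input($post['input_record'], true);  // true: simulate the setting On

// With a live MySQL link pass mysql_real_escape_string() instead of addslashes.
echo build_update_query($get['record_id'], $record['title'], 'addslashes'), "\n";
```

On PHP 7 and later the mysql_* functions and magic quotes are gone entirely; prepared statements (PDO or mysqli) make the escape step unnecessary, while the integer sanity check still applies.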
Re:register_globals = off (Score:1)
Apart from that validate thing, you'd make a good POTUS.
Re:register_globals = off (Score:2)