[nycphp-talk] Is there something wrong with this SQL query in PHP?

csnyder chsnyder at
Wed Aug 15 09:31:51 EDT 2007

On 8/15/07, Anthony Wlodarski <aw at> wrote:
> So I was doing some reading on magic quotes and wrote a simple check to see
> if it is on or not.  On our box magic quotes are disabled (which is the way
> I would prefer it, I would rather manually add my own slashes to sequences
> that need it) but my shared hosting has magic quotes enabled.  Now I know
> the admin of the shared hosting is not going to turn off magic quotes
> because not everyone that uses the services is a diligent programmer.

See --
you can either disable it in an .htaccess file at the web root, or you
can use get_magic_quotes_gpc() to check for it and, if on, apply
stripslashes() to input values.

The standard mysql_x() functions do not allow multiple queries, so
you're not so worried about someone injecting drop table statements.
Nevertheless, plenty of damage and/or disclosure can be performed with
just a single query.

The UN website was recently compromised due to SQL injection, by the
way, very embarrassing for them.

Chris Snyder
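
The check-and-strip approach described in the reply above, as an added example that is not part of the original post. The function names (strip_magic_slashes, magic_quotes_active, normalize_input) and the sample input are assumptions made for illustration.

```php
<?php
// Added example (not from the original post): undo magic_quotes_gpc so the
// application always sees raw input and can escape it once, at query time.

/** Recursively apply stripslashes() to a string or a nested array of strings. */
function strip_magic_slashes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_slashes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

/** True when PHP is adding slashes to GET/POST/COOKIE data. */
function magic_quotes_active()
{
    // Magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() itself
    // in PHP 8.0, so guard the call to keep this portable across hosts.
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

/** Return the input unchanged, or with the added slashes removed. */
function normalize_input(array $input, $quotesOn)
{
    return $quotesOn ? strip_magic_slashes($input) : $input;
}

// In a real script, run this once before any other code reads the input.
$quotesOn = magic_quotes_active();
$_GET     = normalize_input($_GET, $quotesOn);
$_POST    = normalize_input($_POST, $quotesOn);
$_COOKIE  = normalize_input($_COOKIE, $quotesOn);

// Constructed sample: what a form submission looks like on a host with magic
// quotes enabled (every quote arrives with a backslash in front of it).
$sample = array('name' => 'O\\\'Brien', 'tags' => array('say \\"hi\\"'));
$clean  = normalize_input($sample, true);

echo $clean['name'], "\n";     // O'Brien
echo $clean['tags'][0], "\n";  // say "hi"

// With magic quotes off the same call must leave data alone; stripping
// unconditionally would eat backslashes the user really typed.
$raw = array('path' => 'C:\\temp');
echo normalize_input($raw, false)['path'], "\n";  // C:\temp
```

Stripping the slashes only restores the raw value; it still has to be escaped (or bound as a parameter) when the query is built.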
