[nycphp-talk] Is there something wrong with this SQL query in PHP?

bz-gmort at bz-gmort at
Wed Aug 15 09:56:22 EDT 2007

Anthony Wlodarski wrote:
> So if that is passed to a different script in say a $_POST[‘str’] 
> variable would then the string look like “You\’re didn\’t dood it.”? 
> Now even if magic quotes are enabled and I use 
> mysql_real_escape_str($_POST[‘str’]) would the string then look like 
> “You\\\’re didn\\\’t dood it.”? I am just trying to find a safe 
> practice for every time I have to use a SQL query.
Why not just remove the slashes from any posted variables if it's on.
IE if you know you have a list of variables, than do the following:
||if (get_magic_quotes_gpc())
//if magic quotes is off, get rid of them!
||$str = ||stripslashes($str);
|| $str2 = ||stripslashes($str2);
|| $str3 = ||stripslashes($str3);|

||Than your assured that all your variables are magic quoteless.

You could also do the following, since these are variables, at the very top:
||if (get_magic_quotes_gpc())
//if magic quotes is off, get rid of them!
|| foreach($_GET as $key => $value)
|| ||$_GET[$key] = ||stripslashes($_GET[$value]);|||
||| ||$_POST[$key] = ||stripslashes($_POST[$value]);|||
| }
| |||}

Unfortunately, you can't do the same thing for $_REQUEST since it
contains cookies as well, you would have to do some extra checking there.

Also, you can minimize the following by using an htaccess file, place:
||php_value magic_quotes_gpc 0
php_value magic_quotes_runtime 0
php_value magic_quotes_sybase 0|
in any the htaccess file and it will disable magic quotes(if the
provider's server allows it)

More information about the talk mailing list