NYCPHP Meetup

[nycphp-talk] Is there something wrong with this SQL query in PHP?

Dan Cech dcech at phpwerx.net
Wed Aug 15 10:27:59 EDT 2007


Anthony Wlodarski wrote:
> So I was doing some reading on magic quotes and wrote a simple check to see
> if it is on or not.  On our box magic quotes are disabled (which is the way
> I would prefer it, I would rather manually add my own slashes to sequences
> that need it) but my shared hosting has magic quotes enabled.  Now I know
> the admin of the shared hosting is not going to turn off magic quotes
> because not everyone that uses the services are diligent programmers.
> 
> So let us say magic quotes are on and I have a string like so.
> 
> $str = "You're didn't dood it.";
> 
> So if that is passed to a different script in say a $_POST['str']  variable
> would then the string look like "You\'re didn\'t dood it."?  Now even if
> magic quotes are enabled and I use mysql_real_escape_str($_POST['str'])
> would the string then look like "You\\\'re didn\\\'t dood it."?  I am just
> trying to find a safe practice for every time I have to use a SQL query.

My recommendation is to use the following lines in the .htaccess file of
your web root:

	php_flag magic_quotes_gpc off
	php_flag magic_quotes_runtime off
	php_flag magic_quotes_sybase off

Then use the function shown in the relevant PHundamentals article
[http://www.nyphp.org/phundamentals/storingretrieving.php] at the
beginning of your core php file which will detect and correct the
settings if the .htaccess is accidentally mangled/deleted or if you run
the code on a server that doesn't honor the .htaccess (very rare).

Dan



More information about the talk mailing list