ansaurus

Question

does php latest version add slash by default??

Answer 1

+1 A:

magic_quotes_gpc is deprecated option at php 5.3

nex2hex 2010-01-23 12:02:58

so what should i do??shoud i use `mysql_real_escape_string($_POST);`or not?

diEcho 2010-01-23 12:09:03

yes, u must use it

nex2hex 2010-01-23 12:36:57

Answer 2

A:

No, from version 5.3 onwards, there will be no slashes added by default.

Sarfraz 2010-01-23 12:05:37

so i have to use `mysql_real_escape_string($_POST);`

diEcho 2010-01-23 12:12:29

yes you can use that :)

Sarfraz 2010-01-23 12:38:27

Answer 3

A:

is it necessary to use mysql_real_escape_string?

Yes. But not as a blanket encoding over $_POST or $_GET. That's applying an output-stage escaping mechanism to the input stage, which is the wrong thing and will mangle your strings in unexpected and unwanted ways.

You should keep your strings in raw form up until the moment you insert the string into another context. At that point only, you use the appropriate escaping function. With MySQL:

$query= "SELECT * FROM items WHERE title='"+mysql_real_escape_string($_POST['title'])+"'";

or with HTML:

<p>Title: <?php echo(htmlspecialchars($_POST['title'])) ?></p>

bobince 2010-01-23 14:03:03

ansaurus

tags:

views:

answers:

does php latest version add slash by default??

related questions