Forum Moderators: coopster


PHP Escaping Data?

Is it automatic?

         

ahmedtheking

4:29 pm on Apr 9, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Does PHP automatically escape POST data? Or data entering into the MySQL database? I've got PHP 5.2.1 and I'm just trying to figure out whether I need mysql_escape_string() or not!

camilord

4:32 pm on Apr 9, 2007 (gmt 0)

10+ Year Member



I believe you should always use the mysql_real_escape_string() function to secure your query...

henry0

5:33 pm on Apr 9, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



We often disregard if get_magic_quotes_gpc() is on or off in our php.ini

if on use
stripslashes()
else
if not a number or a num str
use mysql_real_escape_string($foo)

if an array or an object
use
$foo = ' " ' . mysql_escape_string(serialize($var)) . ' " ';

Check both functions in the manual; there are a bunch of examples and functions that are quite useful

whoisgregg

7:18 pm on Apr 9, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



As one of the main topics covered in the security section of the PHP manual, reading about magic_quotes [us3.php.net] is worth every developer's time.

You'll most likely choose to disable magic quotes altogether [php.net] at which point you'll use the appropriate escaping function for your database environment. For MySQL, that means using mysql_real_escape_string() [php.net].
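Added example, not part of any post in this thread: the interaction between magic quotes and query escaping described in the two replies above, simulated so it runs on current PHP without a database. Assumptions: `addslashes()` stands in for what magic_quotes_gpc does to POST data, `demo_escape()` is a stand-in for mysql_real_escape_string() (which needs a live connection), and `demo_unescape()` and `prepare_for_query()` are hypothetical helper names.

```php
<?php
// Stand-in for mysql_real_escape_string(): escapes the characters the PHP
// manual lists for that function (\x00, \n, \r, \, ', " and \x1a).
// Assumption: a single-byte or UTF-8 connection character set.
function demo_escape(string $s): string
{
    return strtr($s, [
        "\\"   => "\\\\", "\x00" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "'"    => "\\'",  '"'    => '\\"', "\x1a" => "\\Z",
    ]);
}

// Reverse of demo_escape(): the value the server would end up storing
// after parsing the escaped string literal.
function demo_unescape(string $s): string
{
    return strtr($s, [
        "\\\\" => "\\", "\\0" => "\x00", "\\n" => "\n", "\\r" => "\r",
        "\\'"  => "'",  '\\"' => '"',    "\\Z" => "\x1a",
    ]);
}

// $magicQuotesOn stands in for the result of get_magic_quotes_gpc().
function prepare_for_query(string $value, bool $magicQuotesOn): string
{
    if ($magicQuotesOn) {
        $value = stripslashes($value);   // undo PHP's automatic escaping first
    }
    if (is_numeric($value)) {
        return $value;                   // numbers and numeric strings go in unquoted
    }
    return "'" . demo_escape($value) . "'";
}

// Constructed sample input: the user typed  O'Reilly \ Sons
$typed    = "O'Reilly \\ Sons";
$received = addslashes($typed);          // what $_POST holds with magic quotes on

// Escaping the already-escaped value stores the extra backslashes as data.
$naive   = "'" . demo_escape($received) . "'";
$correct = prepare_for_query($received, true);

echo "typed:          ", $typed, "\n";
echo "received:       ", $received, "\n";
echo "naive stores:   ", demo_unescape(substr($naive, 1, -1)), "\n";
echo "correct stores: ", demo_unescape(substr($correct, 1, -1)), "\n";
echo "numeric input:  ", prepare_for_query("42", true), "\n";
```

The "naive stores" line differs from what was typed, while the "correct stores" line matches it, which is why the magic quotes setting has to be known (or disabled) before the database escaping function is applied.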

ahmedtheking

9:16 pm on Apr 12, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Ok cool