Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: Anyone have some basic security tips for PHP-programmers?
From: Tommy Gildseth (tommyakili.no)
Date: Sat Nov 22 2003 - 18:10:37 CST
> Quoting timxi.co.nz:
>>From my point of view, magic_quotes is a bad idea, because
>>it can't possibly cover every way data can enter your
>>script, and it's counterproductive when you want to do other
>>things with that data.
> I agree.
> One more argument against magic quotes is that they provide a false sense of
> security, by not helping against some common cases of SQL Injections: the ones
> where you don't need to use any apostrophes or quotes.
Yes, but none of your examples overlap with the piece of code I was
commenting on. Ie, the original code doesn't solve any of the problems
you have described here.
This is also why I further down remark that this kind of filtering is
inadequate, and that you should instead relly on functions like
is_numeric() and mysql_escape_string() etc.
As far as I have experienced, it's not a problem to ignore wether magic
quotes is on or not. Just act os if they are not.
My point in mentioning magic quotes was that the code shown, was
esentially duplicating functionality allready built into and turned on
by default in PHP.