[geeklog-devel] Forum Issues

Blaine Lang langmail at sympatico.ca
Wed Feb 26 15:09:52 EST 2003


"Dirk Haun" <dirk at haun-online.de> wrote:
> It does NOT apply for quotes in SQL requests - that would be
> magic_quotes_runtime.

The way I understood it, and my further research today confirms this, is that
magic_quotes_gpc is the correct setting to be checking.
If set on, it will already have special characters like ", ' and \ escaped,
so it is safe to put them directly into an SQL query.
In effect, this is the same as running addslashes() on every variable passed
from the browser automatically, before you even see them.

magic_quotes_runtime, if on, automatically escapes special characters on the
READ of data from the database. This is useful when doing direct database
or table copies. So, I believe my logic is still correct - at least the
approach.

The issue, as I recall, with just using addslashes() in all cases is that
there will be an extra \ added, as I am escaping the quotes twice.
I would then need to determine the server setting when viewing the posts and
do some magic then - wrong approach IMHO.
The data should be properly handled and prepared before being inserted in
the database, and then my view code is the same.

This is the way I wrote it now ... and adding stripslashes() randomly in the
code may be an interesting exercise but not the right approach.

Blaine
----- Original Message -----
From: "Dirk Haun" <dirk at haun-online.de>
To: <geeklog-devel at lists.geeklog.net>
Sent: Wednesday, February 26, 2003 12:04 PM
Subject: Re: [geeklog-devel] Forum Issues


> Tom Willett <tomw at pigstye.net> wrote:
>
> >On gplugs, quotes are an issue and the server has gpc quoting on.  I solved
> >this by just commenting out the check for gpc quotes.  On a server at my
> >office it also has gpc on, the quotes are not an issue.  For a test I
> >commented out the gpc test and it worked fine.  I think if you just ignore
> >the gpc quote test, you will be alright.
>
> Actually, I think there's a misunderstanding here as to what the
> magic_quotes_gpc setting is all about. The "gpc" stands for "Get, Post,
> Cookie", i.e. this setting only applies to the handling of quotes in
> case of GET or POST requests as well as cookies. It does NOT apply for
> quotes in SQL requests - that would be magic_quotes_runtime.
>
> So, as Tom said, ignoring the magic_quotes_gpc setting and always using
> addslashes() before storing anything in the database would work. This is
> also how Geeklog does it (although that could be considered a bug since
> it doesn't check for the setting of magic_quotes_runtime).
>
> bye, Dirk
>
>
> --
> http://www.haun-online.de/
> http://www.macosx-faq.de/
>
> _______________________________________________
> geeklog-devel mailing list
> geeklog-devel at lists.geeklog.net
> http://lists.geeklog.net/listinfo/geeklog-devel
>
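The point under discussion, shown as an added example that is not Geeklog code and not from either poster: normalise GET/POST/COOKIE input back to what the user typed and then escape it once, so the SQL literal is identical whether magic_quotes_gpc is on or off, and compare that with calling addslashes() unconditionally, which double-escapes when the setting is on. The function names (rawInput, sqlLiteral, naiveSqlLiteral) and the $gpcOn parameter are assumptions made for this illustration; real code would read the setting via get_magic_quotes_gpc(), which exists only on PHP 4 and 5 (magic quotes were removed in PHP 5.4 and the function itself in PHP 8). addslashes() is kept here because it is what the thread talks about; on a live MySQL connection the driver's escaping function, or better a prepared statement, should replace it.

```php
<?php
// Added example, not Geeklog code: prepare browser input for SQL so that
// quotes are escaped exactly once, whatever magic_quotes_gpc is set to.
// rawInput(), sqlLiteral() and naiveSqlLiteral() are hypothetical names.

// Undo what magic_quotes_gpc did (addslashes() on every GET/POST/COOKIE
// value) so that the caller always works on the raw user input.
// $gpcOn is passed in explicitly so both server settings can be shown in
// one run; in real code it comes from get_magic_quotes_gpc() (PHP 4/5).
function rawInput($value, $gpcOn)
{
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = rawInput($v, $gpcOn);
        }
        return $out;
    }
    return $gpcOn ? stripslashes($value) : $value;
}

// Escape a raw value once and wrap it as a single-quoted SQL literal.
// addslashes() follows the thread's approach; for MySQL the driver's
// escaping function or a prepared statement is the safer choice.
function sqlLiteral($value, $gpcOn)
{
    return "'" . addslashes(rawInput($value, $gpcOn)) . "'";
}

// The approach the thread warns about: addslashes() regardless of the
// setting. With magic_quotes_gpc on, the value is already escaped, so the
// stored row keeps a stray backslash that shows up when the post is viewed.
function naiveSqlLiteral($value)
{
    return "'" . addslashes($value) . "'";
}

// Constructed sample: what $_POST['subject'] holds when the user typed
//   it's "ok"
$typed = 'it\'s "ok"';

foreach (array(false, true) as $gpcOn) {
    // With magic_quotes_gpc on, PHP has already run addslashes() on it.
    $posted = $gpcOn ? addslashes($typed) : $typed;

    echo 'magic_quotes_gpc=' . ($gpcOn ? 'on' : 'off') . "\n";
    echo "  \$_POST value : $posted\n";
    // Same literal in both runs:  'it\'s \"ok\"'
    echo "  normalised   : " . sqlLiteral($posted, $gpcOn) . "\n";
    // Doubly escaped when the setting is on:  'it\\\'s \\\"ok\\\"'
    echo "  naive        : " . naiveSqlLiteral($posted) . "\n";
}
```

Note that this only covers the input side. magic_quotes_runtime, when on, runs the same escaping on data read back from the database, so a viewer that assumes rows come back unescaped would again show a stray backslash; that setting also has to be off (or compensated for) before the view code can stay the same everywhere.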