Re: SQL injection
From | Alex Turner |
---|---|
Subject | Re: SQL injection |
Date | |
Msg-id | 33c6269f0511021912m26c9507mcd01090ba4c20d34@mail.gmail.com |
In reply to | Re: SQL injection (Matthew Terenzio <matt@jobsforge.com>) |
Responses | Re: SQL injection |
List | pgsql-general |
Curiously none are security reasons, they are more portability reasons (and pretty thin ones at that)... but then this is PHP we are talking about - let me just say register_globals and end it there.

I would have to say that for security purposes - I would want magic quotes _on_ rather than off for the whole reasons of SQL Injection that we already talked about. Generally most scripts I write spend more time sending data to the DB than re-reading straight from the DB rather than re-using data pushed through POST/GET, and the functions that are exceptions auto unescape the data again for me...

Alex

On 11/2/05, Matthew Terenzio <matt@jobsforge.com> wrote:
>
> On Nov 2, 2005, at 6:08 PM, Michael Glaesemann wrote:
>
> > As an aside, it's interesting to see that the PHP documentation states:
> > ---
> > Magic Quotes is a process that automagically escapes incoming data to
> > the PHP script. It's preferred to code with magic quotes off and to
> > instead escape the data at runtime, as needed.
>
> Haven't been totally immersed in this thread but here are reasons given
> for not using Magic Quotes:
>
> http://us2.php.net/manual/en/security.magicquotes.whynot.php
>
> And here is pg_escape_string() :
>
> http://us3.php.net/manual/en/function.pg-escape-string.php
>
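The three approaches the thread contrasts, as an added example that is not from any of the posters: a query that depends on magic_quotes_gpc, the same query escaped at runtime with pg_escape_string() (with the stripslashes() step that avoids double escaping when magic quotes happen to be on), and a parameterised query via pg_query_params(). The connection string, the `users(name text)` table and PHP 5.1 or later (for pg_query_params) are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a local PostgreSQL database
// with a table users(name text); connection details are placeholders.
$conn = pg_connect("host=localhost dbname=app user=app password=secret");

// Input as it arrives in $_GET/$_POST when magic_quotes_gpc is OFF.
// The embedded quote is enough to break the string literal in approach 1.
$name = "O'Reilly";

// 1. Relying on magic quotes: safe only if magic_quotes_gpc is on for this
//    request (the value then arrives as O\'Reilly). If it is off, the quote
//    terminates the literal and whatever follows it is parsed as SQL.
function lookup_magic_quotes($conn, $name) {
    return pg_query($conn, "SELECT name FROM users WHERE name = '$name'");
}

// 2. Escaping at runtime, as the PHP manual recommends. Undo magic quotes
//    first, otherwise the value is escaped twice and O\\'Reilly never matches.
function lookup_escaped($conn, $name) {
    if (get_magic_quotes_gpc()) {
        $name = stripslashes($name);
    }
    $safe = pg_escape_string($conn, $name);
    return pg_query($conn, "SELECT name FROM users WHERE name = '$safe'");
}

// 3. Parameterised query: the value travels separately from the SQL text,
//    so neither magic quotes nor manual escaping is involved.
function lookup_params($conn, $name) {
    if (get_magic_quotes_gpc()) {
        $name = stripslashes($name);   // still needed to get the raw value back
    }
    return pg_query_params($conn, 'SELECT name FROM users WHERE name = $1', array($name));
}

foreach (array('lookup_escaped', 'lookup_params') as $fn) {
    $res = $fn($conn, $name);
    echo $fn, ': ', pg_num_rows($res), " row(s)\n";
}
```

Approaches 2 and 3 return the same rows whatever the magic_quotes_gpc setting; approach 1 fails (or worse, runs attacker-supplied SQL) as soon as that setting differs from what the script assumed.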