Re: [PEAR] DataObject adding extra slashes

Justin Patrin

2005-03-30, 3:57 pm

On Wed, 30 Mar 2005 10:41:55 +1000, Dan Rossi <pear@electroteque.org> wrote:
> It has come to my attention, when I used setFrom($_POST),
> some of the data is already adding slashes to quotes when posted;
> DataObject, however, is already adding slashes. Is there a way to stop
> this?
>
> Here is something in a function I had used for generating SQL from post
> arrays; it was dodgy but worked :|
>
> if (!get_magic_quotes_gpc()) {
>     $vals .= "'".addslashes($value)."'".$delimiter;
> } else {
>     $vals .= "'".$value."'".$delimiter;
> }
>
> Should this be patched to DataObject or MDB2 or DB quote method?
>


Magic quotes is really not something that should be used. Period.
Please read my FAQs about it (and other things).
http://opensource.21st.de/tiki-index.php?page=PHPFAQs

DB_DataObject uses DB's quoteSmart method to escape quotes correctly
for the database you're using. While MySQL is basically the same as
addslashes (which is what magic_quotes does), Oracle, for instance,
uses double single quotes for a single quote in data.

'don''t you like quotes?'

It does this because it assumes that what you give it is the data you
want to insert. There is no reason this should be turned off.

If you can't turn off magic_quotes (which I strongly suggest you do)
then you should run stripslashes in your $_POST array before using it.
(Additionally you should do the same on $_GET, $_REQUEST, and $_COOKIE
if you use them).

--
Justin Patrin

Robin Ericsson

2005-03-30, 3:57 pm

Justin Patrin wrote:
> If you can't turn off magic_quotes (which I strongly suggest you do)
> then you should run stripslashes in your $_POST array before using it.
> (Additionally you should do the same on $_GET, $_REQUEST, and $_COOKIE
> if you use them).


Richard Heyes wrote a good summary on it:
http://www.phpguru.org/#24




--
Robin Ericsson
http://robin.vill.ha.kuddkrig.nu/

Dan Rossi

2005-03-30, 8:57 pm

Cheers, I'll just turn it off with ini_set :) Anyway, magic quotes has
caused some annoying issues in the past where I have addslashes and
made extra slashes in the data.

On 31/03/2005, at 3:04 AM, Justin Patrin wrote:

> On Wed, 30 Mar 2005 10:41:55 +1000, Dan Rossi <pear@electroteque.org>
> wrote:
>
> Magic quotes is really not something that should be used. Period.
> Please read my FAQs about it (and other things).
> http://opensource.21st.de/tiki-index.php?page=PHPFAQs
>
> DB_DataObject uses DB's quoteSmart method to escape quotes correctly
> for the database you're using. While MySQL is basically the same as
> addslashes (which is what magic_quotes does), Oracle, for instance,
> uses double single quotes for a single quote in data.
>
> 'don''t you like quotes?'
>
> It does this because it assumes that what you give it is the data you
> want to insert. There is no reason this should be turned off.
>
> If you can't turn off magic_quotes (which I strongly suggest you do)
> then you should run stripslashes in your $_POST array before using it.
> (Additionally you should do the same on $_GET, $_REQUEST, and $_COOKIE
> if you use them).
>
> --
> Justin Patrin

bertrand Gugger

2005-03-31, 8:56 am

Hi !
Dan Rossi wrote:

> cheers, i'll just turn it off with ini_set :)


Is it not too late :) ?
When control is passed to the script the "magie" is done.

> On 31/03/2005, at 3:04 AM, Justin Patrin wrote:
>
>

Unfortunately, hosted don't choose :(
See you later
--
bertrand Gugger
http://toggg.com/
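
Added example, not part of any post in this thread: a recursive stripslashes pass applied once at the script's entry point, for hosts where magic_quotes cannot be disabled in the server configuration (by the time the script runs, the escaping has already happened). The names undo_magic_quotes, magic_quotes_active, quote_backslash_style and quote_doubled_style are hypothetical; the two quote functions are simple stand-ins for the MySQL-like and Oracle-like styles mentioned above, not PEAR DB's quoteSmart, and the sample input is constructed.

```php
<?php
// Added example: all function names here are hypothetical, not PEAR APIs.

// Remove one layer of addslashes()-style escaping from keys and values.
function undo_magic_quotes($input)
{
    if (is_array($input)) {
        $clean = array();
        foreach ($input as $key => $value) {
            $clean[stripslashes($key)] = undo_magic_quotes($value);
        }
        return $clean;
    }
    return is_string($input) ? stripslashes($input) : $input;
}

// get_magic_quotes_gpc() was removed in PHP 8, so guard the call.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Entry-point guard: normalise every request array once, before any other use.
if (magic_quotes_active()) {
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// Stand-ins for the two quoting styles named in the thread (not quoteSmart).
function quote_backslash_style($s) { return "'" . addslashes($s) . "'"; }
function quote_doubled_style($s)   { return "'" . str_replace("'", "''", $s) . "'"; }

// Constructed sample: "don't you like quotes?" as magic quotes would deliver it.
$posted = array('title' => "don\\'t you like quotes?", 'tags' => array("it\\'s"));

// Quoting the pre-escaped value stores a stray backslash in the data.
echo "double-escaped: ", quote_backslash_style($posted['title']), "\n";
echo "double-escaped: ", quote_doubled_style($posted['title']), "\n";

// Quoting the normalised value escapes exactly once.
$clean = undo_magic_quotes($posted);
echo "escaped once:   ", quote_backslash_style($clean['title']), "\n";
echo "escaped once:   ", quote_doubled_style($clean['title']), "\n";
```
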

Copyright 2008 codecomments.com