ID: 41250 Updated by: [EMAIL PROTECTED] Reported By: david at emomentum dot co dot uk Status: Bogus Bug Type: Filter related Operating System: Windows XP PHP Version: 5CVS-2007-05-01 (snap) New Comment:
You should use bind/prepared queries for SQL, definitely *not* the magic quotes filter. Previous Comments: ------------------------------------------------------------------------ [2007-05-02 12:20:43] [EMAIL PROTECTED] Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php Neither example actually filters backslash. First example doesn't even see backslash since \' is parsed as one symbol - single quote, escaped by the backslash. I think if you intend to use it with SQL it's better to use either FILTER_SANITIZE_MAGIC_QUOTES or encoding filter. ------------------------------------------------------------------------ [2007-05-01 09:52:31] david at emomentum dot co dot uk Description: ------------ The filter FILTER_SANITIZE_STRING only filters out a backslash when it is escaping something. This means if a backslash is entered into a form without escaping anything, it will not be filtered and could be executed into SQL, therefore triggering an escape within the SQL and generating an error. Reproduce code: --------------- <?php $value = '\'example'; echo filter_var($value, FILTER_SANITIZE_STRING).'<br />'; $value = '\example'; echo filter_var($value, FILTER_SANITIZE_STRING).'<br />'; ?> Expected result: ---------------- 'example example Actual result: -------------- 'example \example ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=41250&edit=1
