ID: 40113 Updated by: [EMAIL PROTECTED] Reported By: romik at aha dot ru -Status: Open +Status: Feedback Bug Type: Documentation problem PHP Version: Irrelevant -Assigned To: +Assigned To: colder New Comment:
This function will ensure that everything passed to it will be returned either as 1) a quoted string whit escaped chars inside. 2) a numeric string without quotes around. It also takes care about magic_quotes_gpc being on/off. I fail to see how your "best practice section" proposition is better. I also fail to see how "second-order" injections are doable when using such function. Previous Comments: ------------------------------------------------------------------------ [2007-01-12 21:01:53] romik at aha dot ru Description: ------------ There is an example function quote_smart() in the mysql_real_escape_string() documentation, Example 3. It demonstrates awfully wrong way on escaping! And allows second-order SQL injection (when data coming not from input but from database). I believe, this example should be removed from documentation. The best practice section should be like this : "If you want to handle quotes in the right way, you have to get rid of magic quotes first. By configuration or by function included into each script. And then quote all data manually, using mysql_real_escape_string()" or something like that. But there also a lot of pitfails and remarks. Actually, I've got a whole article named "complete quotes guide" but it written in russian and I'm not sure my english is good enough to translate . ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=40113&edit=1
