ID:          40113
 Updated by:  [EMAIL PROTECTED]
 Reported By: romik at aha dot ru
-Status:      Feedback
+Status:      Open
 Bug Type:    Documentation problem
 PHP Version: Irrelevant
 Assigned To: colder
 New Comment:

The only thing about that quote_smart() function that is not really
good is that it will call stripslashes() on every var if
magic_quotes_gpc is on, even if the var is not coming from GPC.

I'll change this example.


Previous Comments:
------------------------------------------------------------------------

[2007-01-16 10:38:34] [EMAIL PROTECTED]

This function will ensure that everything passed to it will be returned
either as

1) a quoted string with escaped chars inside.
2) a numeric string without quotes around it.

It also takes care of magic_quotes_gpc being on/off.

I fail to see how your "best practice section" proposition is better. I
also fail to see how "second-order" injections are doable when using
such a function.

------------------------------------------------------------------------

[2007-01-12 21:01:53] romik at aha dot ru

Description:
------------
There is an example function quote_smart() in the
mysql_real_escape_string() documentation, Example 3.

It demonstrates an awfully wrong way of escaping! And allows second-order
SQL injection (when data is coming not from input but from the database).
I believe this example should be removed from the documentation.
The best practice section should be like this:
"If you want to handle quotes in the right way, you have to get rid of
magic quotes first. By configuration or by a function included into each
script.
And then quote all data manually, using mysql_real_escape_string()" or
something like that. But there are also a lot of pitfalls and remarks.

Actually, I've got a whole article named "complete quotes guide" but
it is written in Russian and I'm not sure my English is good enough to
translate it.



------------------------------------------------------------------------
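The following is an added example, not code from the PHP manual or from either participant in this report. It puts the manual's quote_smart() beside the "undo magic quotes once, then escape everything" approach the reporter describes, and shows the behaviour the maintainer points out: stripslashes() inside the quoting function mangles any value that did not arrive through GPC. Because mysql_real_escape_string() needs an open MySQL link and the magic-quotes functions are gone from current PHP, the block uses a stand-in escaper (escape_stand_in(), assumed here, single-byte charset rules only) and a boolean flag in place of get_magic_quotes_gpc(); the input strings are constructed for the demonstration.

```php
<?php
// Added example: stand-in for mysql_real_escape_string(). It applies the
// same byte rules (NUL, \n, \r, \, ', ", Ctrl-Z) for a single-byte charset.
// Production code must call mysql_real_escape_string() on an open link,
// because correct escaping depends on the connection's character set.
function escape_stand_in($s) {
    return strtr($s, array(
        "\0"   => '\0',   "\n" => '\n',   "\r" => '\r',
        '\\'   => '\\\\', "'"  => "\\'",  '"'  => '\\"',
        "\x1a" => '\Z',
    ));
}

// The manual's quote_smart() shape, with get_magic_quotes_gpc() replaced by
// a flag so the example runs on PHP builds that no longer have magic quotes.
function quote_smart($value, $magic_quotes_gpc) {
    if ($magic_quotes_gpc) {
        // Wrong assumption: every $value came through GPC and was slashed.
        $value = stripslashes($value);
    }
    if (!is_numeric($value)) {
        $value = "'" . escape_stand_in($value) . "'";
    }
    return $value;
}

// Hardened variant: undo magic quotes exactly once, at the request boundary
// (or turn magic_quotes_gpc off in php.ini), then quote and escape every
// value regardless of where it came from.
function undo_magic_quotes(array $gpc) {
    $clean = array();
    foreach ($gpc as $k => $v) {
        $clean[$k] = is_array($v) ? undo_magic_quotes($v) : stripslashes($v);
    }
    return $clean;
}

function quote_value($value) {
    // Always quote, always escape: no is_numeric() shortcut to reason about.
    return "'" . escape_stand_in($value) . "'";
}

$magic_quotes_gpc = true;

// Constructed inputs: a GPC value as magic quotes would deliver it, and a
// value read back from the database, which magic quotes never touched.
$gpc_raw  = "O\\'Brien";          // user typed O'Brien; magic quotes added the backslash
$db_value = "C:\\temp\\report";   // stored path C:\temp\report

echo quote_smart($gpc_raw, $magic_quotes_gpc), "\n";   // 'O\'Brien'      correct
echo quote_smart($db_value, $magic_quotes_gpc), "\n";  // 'C:tempreport'  backslashes silently lost

$gpc = undo_magic_quotes(array('name' => $gpc_raw));   // once, at request start
echo quote_value($gpc['name']), "\n";                  // 'O\'Brien'
echo quote_value($db_value), "\n";                     // 'C:\\temp\\report'  preserved
```

Run under any PHP 5 or later interpreter; the second quote_smart() line is the case at issue in this report, where a stored path loses its backslashes because stripslashes() was applied to data that never went through magic quotes. The hardened pair keeps the "where did this come from" decision in one place and leaves the quoting function with a single job.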


-- 
Edit this bug report at http://bugs.php.net/?id=40113&edit=1
