It's a feature of PHP that it automatically escapes data submitted in
PUT/GET/etc.
It's nice in that it adds to how secure PHP code is, but it can be a hassle.
Not sure if there is a function which removes escape characters while leaving
normal backslashes alone. If you REALLY need to turn it off
It's a feature of PHP that it automatically escapes data submitted in
PUT/GET/etc.
It didn't seem to be happening with POST which is why I thought it odd, but
that probably means I didn't test properly :-)
It's nice in that it adds to how secure PHP code is, but it can be a
hassle.
Out of
Hi Mark,
It's nice in that it adds to how secure PHP code is, but it can be a
hassle.
Out of curiosity, what are the security implications? Presumably a failure
to validate input properly leading to unintended actions, but I can't think
of any examples to help me decide whether to turn
I saw an article just a few days ago on Hacking PHPNuke that was an
excellent example of how the escape GPS thing saved a program from a major
security hole caused by a very minor oversight in less than 0.01% of the
code. Can't remember the name of the site...I think it was linked from
Anyway, it's not a big thing if you're _really_ stringent about how you
check every single variable which is used in a database query,
system/passthru/exec, or eval command, and your checking methods are
flawless, but otherwise it's just best to go to the trouble of hacking
around the input
Basically, use one of the escape functions :)
For instance, looking at this piece of code:
$result = mysql_query("SELECT * FROM table WHERE username='$username' AND password='$password'");
Now, you have the variables $username and $password to worry about. Now we
ask ourselves, what characters
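Added example, not part of the thread: the login query above written with interpolated variables and with bound parameters, run against constructed data to show how a quote character in the input changes the result. It assumes PDO with an in-memory SQLite database and a hypothetical users table in place of mysql_query, and it compares plaintext passwords only to mirror the thread's query.

```php
<?php
// Added example with constructed data. Assumption: PDO + in-memory SQLite
// stands in for the MySQL connection used in the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('mark', 'correct-horse')");

// Same shape as the query in the thread: request data is interpolated into
// the SQL text, so a quote in the input becomes part of the statement.
function login_interpolated(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT COUNT(*) FROM users "
         . "WHERE username='$username' AND password='$password'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Prepared statement: the values are bound as data and never parsed as SQL,
// so no escaping step is needed and none can be forgotten.
function login_prepared(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM users WHERE username = ? AND password = ?'
    );
    $stmt->execute([$username, $password]);
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed inputs: a valid login, a wrong password, and a password value
// containing quote characters.
$cases = [
    ['mark', 'correct-horse'],
    ['mark', 'wrong'],
    ['mark', "x' OR '1'='1"],
];

foreach ($cases as [$user, $pass]) {
    printf(
        "%-16s interpolated=%-5s prepared=%s\n",
        $pass,
        var_export(login_interpolated($db, $user, $pass), true),
        var_export(login_prepared($db, $user, $pass), true)
    );
}
```

Only the interpolated version accepts the third input; the prepared version treats the whole string as a password that does not match.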