Please, enlighten us all and demostrate a case of SQL Injection that
gets around magic quotes. I know am I trying to think of one - and I
can't come up with one. Instead of just claiming it to be 'evil' why
don't you actualy back the statement up with some reasoned arguments?
I hate FUD.
Alex
On 11/3/05, Hannes Dorbath <light@theendofthetunnel.de> wrote:
> On 03.11.2005 04:12, Alex Turner wrote:
> > I would have to say that for security purposes - I would want magic
> > quotes _on_ rather than off for the whole reasons of SQL Injection
> > that we already talked about.
>
> magic_quotes is evil and does if anything only prevent the simplest
> cases of SQL injections. Keep it turned off. Use
> http://php.net/pg_query_params exclusively to build secure queries..
>
>
> --
> Regards,
> Hannes Dorbath
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: don't forget to increase your free space map settings
>
