Home > mailing lists

8.1.4: Who says "PHP deprecated addslashes since 4.0"? - Mailing list pgsql-general

From	ljb
Subject	8.1.4: Who says "PHP deprecated addslashes since 4.0"?
Date	May 25, 2006 00:42:18
Msg-id	e52ugo$1hnk$1@news.hub.org Whole thread Raw
Responses	Re: 8.1.4: Who says "PHP deprecated addslashes since 4.0"? (Tom Lane <tgl@sss.pgh.pa.us>)
List	pgsql-general

Tree view

The PostgreSQL-8.1.4 release documentation says we should be using
PostgreSQL-supplied string escaping routines, not "homebrew" methods.
No argument from me on this.

But in the "User Guide to the 8.1.4 Security Update", it says:
|  An example of an application at risk is a PHP program that uses
|  addslashes() or magic_quotes. We note that these tools have been deprecated
|  by the PHP group since version 4.0.

Can anyone provide a source for the statement? It's odd, since PHP-4.0 was
released on 2000-05-22, shortly after PostgreSQL-7.0, and the PQescapeString()
function wasn't even added to libpq until PostgreSQL-7.2 almost 2 years later.

The current PHP reference manual doesn't discourage use of addslashes() for
database input. I agree with you - this is wrong - but where did the
"We note... deprecated by the PHP group since version 4.0" line come from?

pgsql-general by date:

From: "Alejandro Michelin Salomon $ Adinet $"
Date: 25 May 2006, 00:09:39
Subject: RES: PK with an expression in field list

From: TJ O'Donnell
Date: 25 May 2006, 01:05:57
Subject: Re: recompliing c-language functions with new releases of postgres

8.1.4: Who says "PHP deprecated addslashes since 4.0"? - Mailing list pgsql-general

Previous

Next