Thread: Input filtering...

    Re: Input filtering...

    This is bad in principle. That snippet of code makes the big and dangerous assumption that GET and POST variables are only ever to be used in SQL queries built using string concatenation.

    There are two problems with this assumption:
    — You shouldn't be building queries using concatenation. Use parameters (unless you're stuck with a stone-age environment).
    — It's wrong.

    Also, the $HTTP* variables are deprecated. Use $_POST and $_GET instead.


    The case where you might want something like your snippet is the converse: Where your code might be run on a system with "magic quotes" enabled. In this case you should be removing character escape sequences wrongly added by the magic quotes "feature":
    PHP Code:
    // array_walk_recursive only lets the callback change the element when the
    // callback takes it by reference; the built-in stripslashes() takes its
    // argument by value, so it must be wrapped in a small by-reference helper.
    function strip_magic_quotes(&$value)
    {
        $value = stripslashes($value);
    }

    if (@get_magic_quotes_gpc())
    {
        array_walk_recursive($_GET, 'strip_magic_quotes');
        array_walk_recursive($_POST, 'strip_magic_quotes');
        array_walk_recursive($_COOKIE, 'strip_magic_quotes');
    }

    Last edited by penagate; May 20th, 2009 at 08:27 PM.
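An added example, not from the reply above or the original poster, showing the three points the reply makes side by side: a concatenated query breaks on a legitimate quote, a parameterised query does not, and escaping every GET/POST value at input time corrupts values that are used outside SQL. It assumes PHP with the PDO SQLite driver and a constructed input value.

```php
<?php
// Added example: runs against an in-memory SQLite database, so nothing is touched on disk.

// Constructed sample input: the name a client actually typed (stands in for $_GET['name']).
$name = "o'brien";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('o''brien')"); // SQL-literal form of o'brien

// 1. Concatenation: the quote inside the value is parsed as part of the SQL grammar.
try {
    $db->query("SELECT id FROM users WHERE name = '$name'");
    echo "concatenation: query ran\n";
} catch (PDOException $e) {
    echo "concatenation: syntax error, the value broke the query\n";
}

// 2. Parameters: the value is bound separately and is never parsed as SQL,
//    so the quote is just data and the row is found.
$stmt = $db->prepare("SELECT id FROM users WHERE name = :name");
$stmt->execute([':name' => $name]);
echo "parameters: found id " . $stmt->fetchColumn() . "\n";

// 3. Why blanket escaping of all input is wrong: the same value is also used
//    outside SQL (a greeting, a log line, an HTML page), where the added
//    backslash is simply wrong data. addslashes() here stands in for the kind
//    of input-time escaping the reply argues against (an assumption about the snippet).
$escaped = addslashes($name);
echo "greeting built from the escaped value: Hello, $escaped\n"; // Hello, o\'brien
echo "greeting built from the real value:    Hello, $name\n";    // Hello, o'brien
```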
