WebApp Sec mailing list archives

Re: Anyone have some basic security tips for PHP-programmers?


From: Tommy Gildseth <tommy () akili no>
Date: Sun, 23 Nov 2003 01:10:37 +0100

Härnhammar wrote:
Quoting tim () xi co nz:


From my point of view, magic_quotes is a bad idea, because
it can't possibly cover every way data can enter your
script, and it's counterproductive when you want to do other
things with that data.


I agree.

One more argument against magic quotes is that they provide a false sense of security, by not helping against some common cases of SQL Injections: the ones where you don't need to use any apostrophes or quotes.

Yes, but none of your examples overlap with the piece of code I was commenting on. I.e., the original code doesn't solve any of the problems you have described here. This is also why I further down remark that this kind of filtering is inadequate, and that you should instead rely on functions like is_numeric() and mysql_escape_string() etc. As far as I have experienced, it's not a problem to ignore whether magic quotes is on or not. Just act as if they are not. My point in mentioning magic quotes was that the code shown was essentially duplicating functionality already built into and turned on by default in PHP.

Tommy
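The point both posters make (quote-escaping cannot help when the injected value needs no quotes, so type checks such as is_numeric() are what actually matter for numeric parameters), as an added example that is not part of the thread: addslashes() stands in for what magic_quotes_gpc applied to request data, the input value and query are constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added example (not from the thread): escaping alone versus a type check for a numeric id.

// Constructed sample input, as it might arrive in $_GET['id'].
// It contains no apostrophe or quote, so quote-escaping has nothing to change.
$input = "42 OR 1=1";

// What magic_quotes_gpc effectively did to every request value.
function magicQuotesStyle(string $value): string {
    return addslashes($value);
}

// Query built the way the discussed filtering code did: escaping only, no type check.
// For an integer column the value is not quoted, so the escaped input is used verbatim
// and the WHERE clause ends up matching every row.
function buildQueryEscapedOnly(string $id): string {
    return "SELECT * FROM users WHERE id = " . magicQuotesStyle($id);
}

// Hardened: reject anything that is not a plain decimal integer before it reaches SQL.
// ctype_digit() is stricter than is_numeric(), which would also accept "1e3" or " 42".
// (mysql_escape_string() from the thread no longer exists in PHP 7; for a numeric
// parameter the check plus integer cast is what covers this case.)
function buildQueryValidated(string $id): ?string {
    if (!ctype_digit($id)) {
        return null;   // caller should treat this as a bad request, not fall back to the raw value
    }
    return "SELECT * FROM users WHERE id = " . (int) $id;
}

echo "escaped only : ", buildQueryEscapedOnly($input), "\n";

$q = buildQueryValidated($input);
echo "validated    : ", ($q === null ? "rejected" : $q), "\n";

echo "validated    : ", buildQueryValidated("42"), "\n";
```

Running it shows the first query carrying the injected condition unchanged while the validated version refuses the same input and accepts a genuine integer.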

