Re: %27 and ' - urlencode

Geoff Berrow said the following on 09/09/2005 13:10:
> I noticed that Message-ID: <43216bc2$1@news1.homechoice.co.uk> from
> elyob contained the following:
>
>
>>Great stuff. Thanks for that, the default php.ini had this. It's now gone. I
>>seem to remember one of the main PHP developers writing that magic quotes is
>>stupid and should be dropped.
>
>
> You only need to url encode data that is going in a URL (duh...).
>
> And don't forget that your database security is now down to you in this
> and all future projects.

Yes, I'll echo that sentiment.

>
> (you could have just used stripslashes() )

IMO, using mysql_real_escape_string() once to put a value into a SELECT
query is far less annoying than having to use stripslashes() all over
the place...

Furthermore, magic quotes don't escape all the necessary characters to
make a string safe for SQL.

-- 
Oli