Quote:
Originally Posted by sde
I think he means PHP 5.
I still don't see why it would be happening if the full content of the textarea being submitted is the same as it was on the previous page.
Yes, but magic_quotes is bad, so his code should run like:
PHP Code:
<?php
// roll back the freakin' scary hosts' messed-up data:
// magic_quotes_gpc adds a backslash on every submit, so undo it first
if (get_magic_quotes_gpc() && isset($_POST['testvar']))
{
    $_POST['testvar'] = stripslashes($_POST['testvar']);
}
// default to an empty string so the preview and the insert see the same value
$testvar = isset($_POST['testvar']) ? $_POST['testvar'] : '';

if (!empty($_POST['preview']))
{
?>
<hr />
<!-- escape PHP_SELF too: it echoes part of the request URI -->
<form method="POST" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>">
<!-- entities on output: the browser decodes them back to the original text -->
<textarea name="testvar" id="testvar"><?php echo htmlspecialchars($testvar, ENT_QUOTES); ?></textarea>
<input type="submit">
</form>
<?php
} else {
    // escape with the database's own function right before the query, never earlier
    mysql_query('INSERT INTO table (text) VALUES (\'' . mysql_real_escape_string($testvar) . '\')');
    // or
    mysql_query(sprintf('INSERT INTO table (text) VALUES (\'%s\')', mysql_real_escape_string($testvar)));
}
1. Never rely on magic_quotes, so get rid of it.
2. Always convert to HTML entities on output (htmlspecialchars, for example).
3. Always use the database's *sql_(real_)escape_string function.
By doing that you have the safest environment, or you get big security holes.
There's no danger in having magic_quotes on other than programmers relying on it, because when it gets turned off there are loads of security holes popping up.
magic_quotes was designed to overcome the security risks involved with programmers not validating input data, so that data was already escaped before some messy security-holed script runs it.
I can go into detail, but mainly speaking: magic_quotes = on = getting sloppy at coding.
Look at your code for example: did you ever consider using mysql_real_escape_string?
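The backslash build-up the thread is chasing, and the three rules above, can be shown without a PHP host. The following is an added example, not code from the thread: it re-implements PHP's addslashes/stripslashes and the character set that mysql_real_escape_string escapes as small Python functions (an emulation, not the real extension), then simulates the preview form being resubmitted several times with magic_quotes_gpc on, with and without the stripslashes rollback, and finally builds the INSERT the way the post does. The function names simulate_preview_cycles and build_insert are this example's own.

```python
import html

def addslashes(s: str) -> str:
    """Emulates PHP addslashes(): what magic_quotes_gpc does to every request value."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)

def stripslashes(s: str) -> str:
    """Emulates PHP stripslashes(): \\x -> x, \\0 -> NUL, trailing lone backslash dropped."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append("\0" if s[i + 1] == "0" else s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

# Characters mysql_real_escape_string() backslash-escapes (emulated; the real
# function also needs the connection's character set, which is why it is
# the *database's* escaper and not a generic one).
_MYSQL_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
                  "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

def mysql_real_escape_string(s: str) -> str:
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in s)

def simulate_preview_cycles(text: str, cycles: int,
                            magic_quotes_on: bool, rollback: bool) -> str:
    """Submit the textarea `cycles` times without the user changing anything.

    Each cycle: the browser POSTs the current textarea value; PHP applies
    magic_quotes (if on) and optionally the stripslashes rollback; the preview
    page echoes htmlspecialchars($_POST['testvar']) into the textarea; the
    browser decodes the entities, which becomes the next submission.
    Returns the textarea content the user sees after the last cycle.
    """
    browser_value = text
    for _ in range(cycles):
        post_value = addslashes(browser_value) if magic_quotes_on else browser_value
        if magic_quotes_on and rollback:
            post_value = stripslashes(post_value)      # rule 1: undo the host's escaping
        rendered = html.escape(post_value, quote=True)  # rule 2: entities on output
        browser_value = html.unescape(rendered)         # what the browser puts in the textarea
    return browser_value

def build_insert(text: str) -> str:
    """Rule 3: escape with the database function at the moment the query is built."""
    return "INSERT INTO table (text) VALUES ('%s')" % mysql_real_escape_string(text)

if __name__ == "__main__":
    sample = "O'Reilly"  # constructed input containing the character magic_quotes targets
    print(simulate_preview_cycles(sample, 3, magic_quotes_on=True, rollback=False))
    print(simulate_preview_cycles(sample, 3, magic_quotes_on=True, rollback=True))
    print(build_insert(sample))
    # stored text if the already-slashed value is escaped again (double escaping)
    print(build_insert(addslashes(sample)))
```

Running it shows the three outcomes side by side: without the rollback the quote gains one more backslash on every preview, with it the text is stable, and the INSERT built from the unmodified value contains exactly one backslash before the quote, while escaping an already-slashed value stores a literal backslash in the table.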