Escaping Data, Postgres, PHP Versions

telirium

I can’t seem to find an answer to this problem through web searches, the boards here or the manuals although I’ll readly to admit I might be too dumb to find it. I’ve run into a problem escaping data, on systems not running PHP 4.3.2. Data sent to Postgres via pg_exec, or pg_query seems to be escaped automatically in PHP 4.3.2 however running later versions of PHP doesn’t seem to do this and I have to use pg_escape_string.

I guess I have two questions. One, is the problem with data escaping automatically a problem with the PHP version (as it seems to behave differently according to the version as I mentioned above) or is related to the version of Postgres I’m using? Or is it something else completely? And two if I’m forced to use pg_escape_string was is the most effective way of stripping out the “\”’s without removing any the user may have entered? Thank in advance for any help.

Sxooter

look up magic_quotes_gpc and magic_quotes_runtime. You likely just need to edit your php.ini file and you're done.

csn

It's best to leave magic_quotes_gpc off and do the escaping yourself. After all, you already do do data checking before passing values to database queries (right? ;P )? pg_escape_string is just another step. You also won't have to unescape values in various places. There are some examples of functions in the PHP docs that will escape vars (containing strings, arrays, objects, ...).

http://us2.php.net/manual/en/function.pg-escape-string.php
http://us2.php.net/manual/en/function.get-magic-quotes-gpc.php
http://us2.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc