I really dislike PHP's magic quotes. In the previous post I had them enabled, which is why all the ' have a \ before them. I turned them off now. They're really a stupid way of handling data; they only make it so people are lazy when attempting to write database-driven apps. Here's a quick lesson in using a database from a programming language.


The classic (and horribly insecure) method:

$db->query("select * from foo where bar = " . $variable);

With this method we simply append the variable to the SQL statement. Someone could send a specially crafted value for $variable that turns the statement into "select * from foo where bar=bar;select * from users". Magic quotes was supposed to fix this kind of "SQL injection" by automatically backslash-escaping the quote characters in incoming request data, but that is all it does: it only touches single quotes, double quotes, backslashes and NUL bytes. In the example above the value is pasted in unquoted, so a payload that contains no quote characters passes through magic quotes untouched and still runs as SQL.

The proper way to run a database query:

$statement = $db->prepare("select * from foo where bar = ?");
$statement->bindValue(1, $variable);
$statement->execute();

Now, doesn't that look both easier to maintain and more secure? The driver handles the value for us: it is either sent to the server separately from the query text or escaped correctly for the database in use, so it can never change the structure of the statement. This way we don't have to rely on special features of the environment that may or may not be turned on. And by using parameters, we get a nasty-looking string concatenation out of our code and move the variable-to-parameter mapping out of the SQL statement.
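To make the difference concrete, here is an added example (not code from the original post, and in Python with the standard sqlite3 module rather than the post's PHP) that runs both methods against a small constructed in-memory database with the post's "foo" and "users" tables. The magic_quotes() function is my own re-creation of what PHP's magic_quotes_gpc did to request data, not PHP's implementation. Because sqlite3's execute() refuses to run more than one statement at a time, the payload uses a UNION to read the users table instead of the post's ";select * from users", which has the same effect: the attacker reads a table the query was never meant to touch.

```python
import sqlite3


def make_db():
    """Constructed sample database: a 'foo' table the query is meant to read
    and a 'users' table it must never expose."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        create table foo (id integer primary key, bar integer);
        insert into foo (bar) values (1), (2), (3);
        create table users (id integer primary key, name text, pw text);
        insert into users (name, pw) values ('admin', 'hunter2');
        """
    )
    return db


def magic_quotes(value):
    """Re-creation (assumption, not PHP's code) of magic_quotes_gpc: put a
    backslash before single quotes, double quotes, backslashes and NUL bytes.
    Nothing else in the value is changed."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def query_concat(db, variable):
    """The classic, horribly insecure method: the value is pasted into the
    SQL text, so whatever it contains is parsed as SQL."""
    sql = "select * from foo where bar = " + variable
    return db.execute(sql).fetchall()


def query_param(db, variable):
    """The proper method: the value is bound as a parameter and travels
    alongside the query, never as part of the statement text."""
    return db.execute("select * from foo where bar = ?", (variable,)).fetchall()


# Constructed attacker input: no quote characters at all, so magic quotes
# leaves it exactly as it is.
PAYLOAD = "0 union select name, pw from users"


def demo():
    """Run the same legitimate and hostile inputs through both methods and
    return what each one hands back to the caller."""
    db = make_db()
    return {
        "concat_legit": query_concat(db, "2"),                  # [(2, 2)]
        "param_legit": query_param(db, "2"),                    # [(2, 2)]
        "concat_attack": query_concat(db, PAYLOAD),             # leaks the users row
        "concat_magic_quotes": query_concat(db, magic_quotes(PAYLOAD)),  # still leaks
        "param_attack": query_param(db, PAYLOAD),               # [] - payload is just a value
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20s} {rows}")
```

The two rows worth staring at are concat_magic_quotes and param_attack: escaping quotes did nothing for the unquoted numeric interpolation, while the bound parameter compares the whole payload string against the bar column as one value and matches nothing.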

Update - 3/28/2005 11:31pm: I can now edit posts!

--Eric