ljb wrote:
> tgl(at)sss(dot)pgh(dot)pa(dot)us wrote:
>
>> ljb <ljb220(at)mindspring(dot)com> writes:
>>
>>> | addslashes() or magic_quotes. We note that these tools have been deprecated
>>> | by the PHP group since version 4.0.
>>>
>>> Can anyone provide a source for the statement?
>>>
>> I'm not going to put words in Josh's mouth about where he got that from,
>> but anyone who reads all of the comments at
>> http://us3.php.net/manual/en/function.addslashes.php
>> ought to come away suitably unimpressed with the security of that
>> function.
>>
>
> Yes, sorry, I did see those comments, although I don't think they are from
> the PHP group themselves. But I missed the statement on the pg_escape_string
> manual page saying "use of this function is recommended instead of
> addslashes()". I still think "since version 4.0" is wrong.
>
Better yet, use PEAR::DB or some other db abstraction package that will
handle all of this for you.