I'm practicing PHP and got puzzled while interpreting a function that escapes dangerous SQL characters. I want to know how $value works in the second if. It's quite puzzling for me to understand the actual flow of the function.
    function quote_smart($value, $handle) {
        // Undo the automatic backslash-escaping that magic_quotes_gpc
        // applied to request data, so the value is not escaped twice.
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Numbers are returned as-is; anything else is escaped for the
        // connection $handle and wrapped in single quotes so it can be
        // dropped straight into the SQL text as a string literal.
        if (!is_numeric($value)) {
            $value = "'" . mysql_real_escape_string($value, $handle) . "'";
        }
        return $value;
    }
What the code basically does:

First, it removes the effect of magic_quotes_gpc, if it's enabled on the server. It should not be, since magic_quotes has been deprecated for a while (and removed entirely in newer PHP versions).

Second, it encloses non-numeric values of $value in single quotes, and escapes the value using mysql_real_escape_string to avoid SQL injection in the value string.

Using recent versions of PHP, this method should not exist at all, since magic_quotes_gpc should never be enabled, and you'd be using PDO or mysqli parameterized queries and would not need values escaped.
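As an added example (not code from the question or the answer above), here is the lookup that quote_smart() was guarding, rewritten with PDO prepared statements as the answer recommends. It assumes the pdo_sqlite extension is available and uses an in-memory SQLite database with a constructed users table; find_user() is a hypothetical helper name.

```php
<?php
// Constructed sample database so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'O''Brien')");

// Hypothetical helper: look a user up by id or by name. The value is
// never concatenated into the SQL text, so it needs neither quoting nor
// escaping; the driver sends it separately from the statement.
function find_user(PDO $pdo, string $column, $value): ?array {
    // Column names cannot be bound as parameters, so they come from a
    // fixed allow-list that also carries the parameter type to use.
    $allowed = ['id' => PDO::PARAM_INT, 'name' => PDO::PARAM_STR];
    if (!isset($allowed[$column])) {
        throw new InvalidArgumentException("unknown column: $column");
    }
    $stmt = $pdo->prepare("SELECT id, name FROM users WHERE $column = :v");
    // The declared type replaces quote_smart()'s is_numeric() branch: the
    // number-versus-string decision is stated up front, not guessed from
    // whatever the value happens to look like.
    $stmt->bindValue(':v', $value, $allowed[$column]);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A name containing a single quote, the case quote_smart() existed for:
// it matches the stored row without any escaping in our code.
var_dump(find_user($pdo, 'name', "O'Brien"));
// A quote that does not belong to any name simply finds no row.
var_dump(find_user($pdo, 'name', "alice'"));
// Integer lookup, bound as PDO::PARAM_INT.
var_dump(find_user($pdo, 'id', 1));
```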