Lic. Martin Marques wrote:
On Tue, 3 Jan 2006, Thomas -Balu- Walter wrote:
On Tue, Jan 03, 2006 at 11:50:24AM -0300, Lic. Martin Marques wrote:
This is plain stupid. The problem could be in the DB insertion, as you have to escape the '. But in a select that backslash shouldn't be there:
I think you got me wrong - my snippet was not meant to correct the problem, but was a personal rant about the magic_quotes problem and a solution I'm using.
Reading again my post, I see it's a bit aggressive. What I wanted to say is that, as you said yourself, magic_quotes are not a good thing to use. They are disabled by default in php.ini.
Of course I'm adding a slash when querying the database (addslashes() or better mysql_real_escape_string()), but with the snippet you can be sure that the submitted data does not have any automagically added slashes in there you don't need. Then you just have to remember to always add the slashes when querying, not to remove them (if it's enabled) when printing or whatever.
As RC uses PEAR::DB all that has to be done is:
$query = $db->escapeSimple($query);
and PEAR::DB will use the database-specific function depending on which DB server you are using. Very nice. :-)
The latest CVS version of RoundCube uses the PEAR::DB quote() method to escape the insert values according to the DB engine. magic_quotes should be disabled in the php.ini because adding stripslashes() to all incoming values is not a good solution and it strips (wanted) slashes on all machines that have disabled magic_quotes.
Regards, Thomas
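
The following is an added example, not part of the thread and not RoundCube code. It shows why a blanket stripslashes() on incoming values damages data on servers where magic_quotes is off, compared with stripping only when the slashes were actually added. The helpers simulate_magic_quotes() and normalize_input() are hypothetical names, the sample values are constructed, and addslashes() stands in for what magic_quotes_gpc did to request data.

```php
<?php
// Constructed sample values: one with wanted backslashes, one with a quote.
$samples = ["C:\\new\\mail", "O'Brien"];

// Hypothetical stand-in for what magic_quotes_gpc did to request data.
function simulate_magic_quotes(string $v): string
{
    return addslashes($v);
}

// Hypothetical helper: strip slashes only if magic quotes added them.
function normalize_input(string $v, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($v) : $v;
}

foreach ([true, false] as $magicQuotesOn) {
    echo "magic_quotes ", $magicQuotesOn ? "on" : "off", "\n";
    foreach ($samples as $original) {
        // What the script receives from the request on this server.
        $received = $magicQuotesOn ? simulate_magic_quotes($original) : $original;

        $blanket     = stripslashes($received);                    // unconditional
        $conditional = normalize_input($received, $magicQuotesOn); // only when needed

        printf(
            "  %-12s blanket=%-12s %s  conditional=%-12s %s\n",
            $original,
            $blanket, $blanket === $original ? "ok" : "CORRUPTED",
            $conditional, $conditional === $original ? "ok" : "CORRUPTED"
        );
    }
}
```

Only the backslash value on the server with magic_quotes off is reported as corrupted, and only by the unconditional call. Escaping for the database is a separate step that still happens at query time, as the thread describes.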