Is mysql_real_escape_string necessary if magic_quotes are enabled in PHP?
If magic_quotes is enabled in PHP, incoming data from forms, GET, and POST requests is escaped automatically. This means that using mysql_real_escape_string is not necessary, as the data is already being escaped. However, magic_quotes is deprecated as of PHP 5.3.0 and removed in PHP 5.4.0, so it is recommended to use prepared statements or mysqli_real_escape_string instead.
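// Check if magic_quotes are enabled (the function no longer exists in PHP 8)
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    // Undo the automatic escaping so the values are not escaped twice later
    $name = stripslashes($_POST['name']);
    $email = stripslashes($_POST['email']);
} else {
    // magic_quotes are not enabled: the values arrive unmodified
    $name = $_POST['name'];
    $email = $_POST['email'];
}
// $name and $email now hold the raw input: escape them with mysqli_real_escape_string
// or bind them in a prepared statement before they reach your SQL query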
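The recommended route, as an added example that is not code from the original page: undo magic_quotes where it is still active, then bind the raw values in a prepared statement. The helper names, the `users` table, the `$post` array standing in for `$_POST`, and the in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions made for illustration.

```php
<?php
// Added example: raw_input_value(), save_user() and the users table are hypothetical.

// Return the submitted value as typed, undoing magic_quotes escaping where it is active.
function raw_input_value($source, $key)
{
    $value = isset($source[$key]) ? (string) $source[$key] : '';
    // get_magic_quotes_gpc() was removed in PHP 8, so guard the call;
    // @ silences the deprecation notice that PHP 7.4 emits.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Insert a row with bound parameters: the values never become part of the SQL text,
// so no manual escaping is needed whatever the magic_quotes setting is.
function save_user(PDO $db, $name, $email)
{
    $stmt = $db->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $stmt->execute(array(':name' => $name, ':email' => $email));
}

// Constructed sample input containing a single quote, a backslash and double quotes.
$post = array('name' => 'Conan O\'Brien \\ "Co."', 'email' => 'conan@example.com');

// In-memory SQLite keeps the example offline; for MySQL only the DSN changes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, email TEXT)');

save_user($db, raw_input_value($post, 'name'), raw_input_value($post, 'email'));

// Compare what was stored with what was submitted.
$row = $db->query('SELECT name, email FROM users')->fetch(PDO::FETCH_ASSOC);
var_dump($row['name'] === $post['name']);
var_dump($row['email'] === $post['email']);
```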