private function escape($string) {
if(get_magic_quotes_gpc()) $string = stripslashes($string);
return mysql_real_escape_string($string);
}
Working with one of the PHP sites, encountered the above code, i am new to php and i just want to understand what the above code is all about.
please guide
Basically the function takes precautions to a possible SQL injection attack vector, stripping both '" here: if(get_magic_quotes_gpc()) $string = stripslashes($string); from the string if they exist and making sure that only a string without mysql code or other strange chars is send back to the database, done here: return mysql_real_escape_string($string);
But for more details you should really look at the documentation of these functions, what php version you are using, because some functions are deprecated (not used anymore in more recent versions of php)
Okay, "stripslashes" -> Un-quotes a quoted string. Like this:
$str = "Is your name O\'reilly?"; echo stripslashes($str);
// Outputs: Is your name O'reilly?
on the other hand: "get_magic_quotes_gpc" -> Gets the current configuration setting of "magic_quotes_gpc"(which is DEPRECATED in PHP version 5.3.0) ->Sets the magic_quotes state for GPC (Get/Post/Cookie) operations
Last of all: mysql_real_escape_string —> Escapes special characters in a string for use in an SQL statement.( it is also a DEPRECATED Function in PHP 5.5.0)
for debugging purpose you can use 'echo' or 'var_dump' or 'var_export' in your code
mysql_real_escape_string - avoiding special character like '," etc get_magic_quotes_gpc - it's deprecated in after php 5.3 version.it detect magic quotes like /(slashes) that help in avoiding sql injection.
