http://php.about.com/od/finishedphp1/ss/php_login_code_4.htm
I am really confused about three particular lines of code in this tutorial to create a login page and database, on the page I have listed above.
    // only runs when PHP's magic_quotes_gpc setting is off
    if (!get_magic_quotes_gpc()) {
        $_POST['email'] = addslashes($_POST['email']);
    }
Why is she fiddling with the $_POST['email'] value, when it isn't even in an input box?
EDIT:
I still cannot find an input box for email, I have even copied and pasted the entire site. I still can’t find one box that says email.
First, it doesn't matter where the content comes from on the page. Any user-submitted content (i.e. anything in the $_GET, $_POST or $_COOKIE superglobals) should be treated as unsafe. Don't presume that the only way a user can submit evil content is by typing it into a textbox.

Second, this code is, IMO, dumb. It basically says "if magic quotes are off, do what they'd have done if they were on, by adding slashes to avoid SQL injection". It's the lazy way to make your code work. The proper way is to build your code so that magic quotes are unnecessary, by using parameterized queries (e.g. using PDO or mysqli).
Basically, from that line of code, you can tell enough to know that you shouldn’t trust the rest of it.
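To make the "parameterized queries instead of addslashes" point concrete, here is an added example (my code, not the tutorial's or the answerer's): the tutorial's addslashes-style lookup next to the same lookup done with a PDO prepared statement. It assumes a table `users(email, password_hash)`, a `password` field in the form, and placeholder DSN/credentials; none of these come from the tutorial.

```php
<?php
declare(strict_types=1);

// INSECURE, shown for contrast only: this is what the tutorial's
// addslashes() line amounts to once the value is glued into the SQL text.
// addslashes() escapes only ', ", \ and NUL and knows nothing about the
// connection's charset, and the user data is still part of the query string.
function findUserUnsafe(PDO $db, string $email): ?array
{
    $email = addslashes($email);
    $row = $db->query("SELECT email, password_hash FROM users WHERE email = '$email'")
              ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SECURE: the email is sent as a bound parameter, so the SQL text is fixed
// and no escaping of $_POST values (magic quotes or addslashes) is needed.
function findUser(PDO $db, string $email): ?array
{
    $stmt = $db->prepare(
        'SELECT email, password_hash FROM users WHERE email = :email LIMIT 1'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Compare the submitted password against the stored hash (column name assumed).
function loginOk(PDO $db, string $email, string $password): bool
{
    $user = findUser($db, $email);
    return $user !== null && password_verify($password, $user['password_hash']);
}

// Placeholder DSN and credentials; replace with your own.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);

// Read the raw POST values exactly as submitted; no slashes are added or stripped.
$email    = $_POST['email']    ?? '';
$password = $_POST['password'] ?? '';

echo loginOk($db, $email, $password) ? 'login ok' : 'login failed';
```

With a prepared statement the `get_magic_quotes_gpc()` / `addslashes()` block becomes unnecessary and can be deleted; the function itself was removed in PHP 8.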