Question

Simple question and I want a simple answer. I'm using PDO prepared statements to make sure my data is safely processed into the database. But I'm confused. Do I have to disable magic quotes or use stripslashes on variables if magic_quotes is enabled, and then let PDO do the security job?

Solution

If you are using PDO's prepared statements to insert data into your database, the data will go into the database exactly as you insert it. magic_quotes adds slashes to the data: these will therefore be present in the database. This is obviously not what you want.

As you say, disable magic quotes or, if necessary, use stripslashes.

Other tips

Stage 1 - View:

You type somebody's name into <input type="text" name="name">

Stage 2 - Model:

Now you post to the Model, use $_POST['name'] to fetch somebody's name and write an SQL statement:

$sql = "INSERT INTO tableName (name) VALUES (:name)"; // Then prepare and bindParam

Before you can access the database using PDO, your SQL statement will be escaped if your gpc is on. That is, somebody's name will be somebody\'s name now. Then you use PDO to access the database. But now somebody\'s name is saved in the database, because PDO will not know that the backslash before the single quote was added by gpc; instead PDO thinks that you added that backslash before the single quote intentionally.

Conclusion: If you use PDO, just turn gpc off.
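The sequence both answers describe (gpc adds the backslash, PDO stores whatever it is given), as an added PHP example that is not from the original question or answers. It assumes a hypothetical `people` table and uses an in-memory SQLite database so it runs offline; the gpc setting is passed explicitly so both cases can be shown in one run.

```php
<?php
// Added example, not code from the original post. Shows why magic_quotes_gpc
// must be undone (or turned off) before a value reaches a PDO prepared statement.

/** Recursively undo the slashes magic_quotes_gpc adds to $_GET/$_POST/$_COOKIE. */
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

/**
 * Return a request value as the user actually typed it. $gpc_on is detected at
 * runtime unless passed explicitly (done below to simulate both settings). The
 * function_exists() guard matters because get_magic_quotes_gpc() is gone in PHP 8.
 */
function raw_input(array $source, string $key, ?bool $gpc_on = null)
{
    if (!array_key_exists($key, $source)) {
        return null;
    }
    if ($gpc_on === null) {
        $gpc_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    return $gpc_on ? undo_magic_quotes($source[$key]) : $source[$key];
}

/** Insert with a prepared statement: PDO quotes the value, the caller never does. */
function insert_name(PDO $pdo, string $name): void
{
    $stmt = $pdo->prepare('INSERT INTO people (name) VALUES (:name)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
}

$pdo = new PDO('sqlite::memory:');   // hypothetical schema, constructed for the demo
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed samples: the same typed name as PHP sees it with gpc on and off.
$typed = "O'Brien";
insert_name($pdo, raw_input(['name' => "O\\'Brien"], 'name', true));  // gpc on: strip first
insert_name($pdo, raw_input(['name' => $typed], 'name', false));      // gpc off: use as-is
insert_name($pdo, "O\\'Brien");                                        // gpc on, slashes not stripped

foreach ($pdo->query('SELECT name FROM people ORDER BY id') as $row) {
    echo $row['name'], ($row['name'] === $typed ? "  (correct)\n" : "  (backslash stored!)\n");
}
```

The third insert reproduces the problem from the answers: the row comes back as O\'Brien, with the gpc backslash stored as data.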

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow