It’s not necessary to convert them, but it does help.
The two main rules are:
[list]
[*]Never trust database input
[*]Always escape database output
[/list]
Getting Consistent Inputs
When values come in from $_GET or $_POST, they might have magic quotes applied to them, or they might not. If they do, the magic quotes aren’t enough protection, so any magic quotes need to be removed, and replaced with a stronger form of protection.
You can remove the ineffective magic quotes by using a common function to get user input.
function get($key, $source = null) {
    // A PHP default parameter value must be a constant, so fall back to $_GET inside the body
    if ($source === null) { $source = $_GET; }
    if (!isset($source[$key])) { return null; }
    // Only strip the slashes that magic quotes added; otherwise a real backslash in the input would be lost
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magic ? stripslashes($source[$key]) : $source[$key];
}
If you think you’ll want to deal with array-like structures, such as multiple checkboxes with the same name from a form, then the above function can be updated to handle that too.
Now that magic quotes have been stripped, we have the same value regardless of whether magic quotes are enabled or not. This is important, because as of PHP 6.0 (the next release after the current 5.3) there will be no more magic quotes.
Protect the Database
Protecting the database is a matter of using mysql_real_escape_string on all of the values for your [url="http://www.php.net/manual/en/function.mysql-query.php"]mysql database queries[/url]. If you use mysqli instead, there are other techniques such as [url="http://www.php.net/manual/en/mysqli.prepare.php"]binding parameters[/url] that can help you to protect the database from those inputs instead.
Both of those links above provide good example code that demonstrates how to protect your database from user input.
Escape From the Database
When retrieving data from your database, the technique you use to escape the data depends on how it’s going to be used. htmlentities is a good standard technique to use.
I'm not sure what the consensus is between using htmlentities and [url="http://php.net/manual/en/function.htmlspecialchars.php"]htmlspecialchars[/url]. Some devices don't understand htmlentities, but if you're only outputting to HTML devices then there should be no trouble.
If you're intending to output a link though, intended for the URL, then urlencode is the function to use there.
The mysql_real_escape_string function is not and should not be used for outputting values. It is only of good use for escaping data, in order to protect the database from bad values.
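As an added example (not the poster's code) for the "Getting Consistent Inputs" part of the post above, this is the input function extended to handle the array-like values the post mentions, such as several checkboxes sharing one name. The function names get_input, strip_magic_quotes and magic_quotes_on, and the sample request data, are constructed for this example; get_magic_quotes_gpc() no longer exists in current PHP, so the example treats magic quotes as off when the function is missing and exercises the stripping logic directly on a constructed array.

```php
<?php
// Added example, not from the original post. Names and sample data are constructed.

// Magic quotes were removed from PHP, so treat them as "off" when the function is gone.
function magic_quotes_on()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Strip magic-quote slashes from a scalar, or from every leaf of a nested array
// (a checkbox group such as colours[] arrives as an array, not a string).
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Return the consistently un-quoted value for $key from $source ($_GET by default).
// A missing key yields null instead of a notice, so callers can test for absence explicitly.
function get_input($key, $source = null)
{
    if ($source === null) {
        $source = $_GET;
    }
    if (!array_key_exists($key, $source)) {
        return null;
    }
    $item = $source[$key];
    // Only strip when magic quotes actually added slashes; otherwise real backslashes survive.
    return magic_quotes_on() ? strip_magic_quotes($item) : $item;
}

// Constructed sample of what $_POST looks like when magic quotes are ON:
// every quote has been prefixed with a backslash, inside the array as well.
$sample_post_with_magic_quotes = array(
    'name'    => "O\\'Brien",
    'colours' => array("red", "it\\'s blue"),
);

// Simulate the magic-quotes-ON path directly, since modern PHP never applies them.
$cleaned = strip_magic_quotes($sample_post_with_magic_quotes);
var_dump($cleaned['name']);          // the apostrophe is back to a plain '
var_dump($cleaned['colours']);       // both array entries are cleaned, not just scalars

// The normal entry point: on a magic-quotes-OFF install the value passes through untouched.
var_dump(get_input('colours', array('colours' => array('red', "it's blue"))));
var_dump(get_input('missing', array()));   // null, no notice
```

The recursion in strip_magic_quotes is what makes the function safe for nested form data; without it a checkbox group would be handed to stripslashes as an array and silently become an empty string.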
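A second added example (again not from the original post) covering the "Protect the Database" and "Escape From the Database" parts of the post above. It uses the mysqli parameter binding the post links to rather than mysql_real_escape_string, because the mysql_* extension has since been removed from PHP, and it shows the output side escaped per context: htmlspecialchars for HTML text and attributes, urlencode for a query-string component. The function names, the "users" table and columns, the DEMO_DB_* environment variables and the sample stored value are constructed placeholders for this example.

```php
<?php
// Added example, not from the original post. Table, columns, function names and the
// DEMO_DB_* connection placeholders are constructed for illustration.

// Database side: the value never becomes part of the SQL text. It is bound as a string
// ("s"), so quotes or backslashes inside $name cannot alter the statement's structure.
function find_user_by_name(mysqli $db, $name)
{
    $stmt = $db->prepare('SELECT id, name, bio FROM users WHERE name = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $name);
    $stmt->execute();
    // bind_result/fetch works without the mysqlnd driver that get_result() needs.
    $stmt->bind_result($id, $found_name, $bio);
    $row = $stmt->fetch() ? array('id' => $id, 'name' => $found_name, 'bio' => $bio) : null;
    $stmt->close();
    return $row;
}

// Output side: escape for the context the value lands in, not for the database.
// HTML body or attribute text: & < > " ' become entities, so stored markup stays inert.
function html_text($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// One query-string component: spaces, &, = and / are percent-encoded, so the value
// cannot smuggle in extra parameters or path segments.
function url_param($value)
{
    return urlencode($value);
}

// Build a profile link: the label is HTML text, the href carries the name as a query
// parameter. The href goes through BOTH encoders, urlencode because it is a URL
// component and then htmlspecialchars because that URL sits inside an HTML attribute.
function profile_link($name)
{
    $href = 'profile.php?name=' . url_param($name);
    return '<a href="' . html_text($href) . '">' . html_text($name) . '</a>';
}

// Constructed sample of a value exactly as it comes back from the database: raw,
// with characters that mean something in HTML and in URLs.
$stored_name = 'Tom & "Jerry" <staff>';
echo profile_link($stored_name), "\n";

// The query runs only when connection placeholders are supplied in the environment.
if (getenv('DEMO_DB_HOST')) {
    $db = new mysqli(getenv('DEMO_DB_HOST'), getenv('DEMO_DB_USER'),
                     getenv('DEMO_DB_PASS'), getenv('DEMO_DB_NAME'));
    if ($db->connect_error) {
        die('connect failed: ' . $db->connect_error);
    }
    $row = find_user_by_name($db, $stored_name);
    if ($row !== null) {
        echo profile_link($row['name']), "\n";
    }
}
```

Running the script without the DEMO_DB_* variables set exercises only the output-escaping half: the printed anchor shows the same name encoded two different ways, percent-encoded inside the href and entity-encoded in the visible label, which is the point the post makes about choosing the escaping function by destination rather than by source.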