Possible Duplicate:
Examples of SQL Injections through addslashes()?
I'm working with a PHP application I've inherited and it's... interesting.
Among many interesting methods of securing the website is the use of magic quotes around everything, which, as I understand it, basically casts addslashes() around every $_GET and $_POST variable.
The previous programmer insists that this makes the website impervious, and I've read that this would only make the website vulnerable if the MySQL table is using GBK encoding, and it's not; everything's using latin1 encoding.
Practicalities [and the fact that I'm basically only a temp here] mean that rewriting the website using PDO isn't going to happen, but would it be worth turning magic quotes off (hence not using the addslashes() method) and casting mysql_real_escape_string() around each variable as appropriate?
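As an added example (not code from the question or from the inherited application), this is the shape of the change being asked about: undo magic quotes once at the input boundary, then either use a prepared statement or, where a query cannot be rewritten, escape with the connection-aware function on the raw value. The `users(id, name)` table, the `latin1` charset and the connection details are assumptions.

```php
<?php
// Added example, not the original site's code. Assumed schema: users(id INT, name VARCHAR).

// Magic quotes (PHP < 5.4) have already run addslashes() on $_GET/$_POST.
// Strip that once so the value you work with is the raw user input; escaping
// an already-slashed value double-escapes it and corrupts stored data.
function raw_input($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return is_array($value) ? array_map('raw_input', $value) : stripslashes($value);
    }
    return $value;
}

// Preferred form: a prepared statement. The value travels separately from the
// SQL text, so no escaping is needed. set_charset() must name the encoding the
// connection really uses (latin1 here, as in the question); that is the piece
// addslashes() can never know about, which is why it is not an SQL escaper.
function find_user_id(mysqli $db, $name) {
    $db->set_charset('latin1');
    $stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
    if ($stmt === false) {
        throw new RuntimeException($db->error);
    }
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch() ? (int) $id : null;
    $stmt->close();
    return $found;
}

// Fallback for queries that cannot be converted yet: escape with the function
// that knows the connection charset, applied to the raw (un-magic-quoted) value.
function legacy_where_name(mysqli $db, $name) {
    return "name = '" . $db->real_escape_string(raw_input($name)) . "'";
}

// Usage (assumed connection details):
// $db = new mysqli('localhost', 'app', 'secret', 'appdb');
// $id = find_user_id($db, raw_input($_GET['name']));
```

The same `raw_input()` normalisation is what you would keep if magic quotes are switched off later: it becomes a no-op, so the rest of the code does not change.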