What is the differences btw addslashes, stripslashes etc

adsegzy
Forum Contributor
Posts: 184
Joined: Tue Jul 28, 2009 9:26 am

What is the differences btw addslashes, stripslashes etc

Post by adsegzy »

Hello there, please, I need to know the differences between the following and whether they can be used interchangeably.
  • addslashes
  • stripslashes
  • mysql_real_escape_string
  • mysql_escape_string
I have read many articles on the above that are complicated. One of them says you use addslashes to insert into the database and stripslashes to retrieve from the database. But whenever I use addslashes for my form, after submitting the form, any text that has special characters like ' or " will display 3 backslashes before the character. If I use mysql_real_escape_string or mysql_escape_string, the form will return \r\n in place of the character. But if I use stripslashes, it will return every special character the normal way without any problem. So which is the best?
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: What is the differences btw addslashes, stripslashes etc

Post by social_experiment »

The Manual wrote:addslashes() - Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
The Manual wrote:stripslashes - Un-quotes a quoted string.
The Manual wrote:mysql_real_escape_string() — Escapes special characters in a string for use in a SQL statement
Addslashes() can be used to escape quotes in a string that goes into the database, but that is actually mysql_real_escape_string()'s job. Stripslashes() removes any slashes that were added by the other two functions (if any).

mysql_escape_string() is deprecated and you should use mysql_real_escape_string() instead.
adsegzy wrote:If I use mysql_real_escape_string or mysql_escape_string, the form will return \r\n in place of the character. But if I use stripslashes, it will return every special character the normal way without any problem. So which is the best?
If you want your data to display correctly you would probably continue using your current process. The escaping is there to prevent injection attempts.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
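
An added example, not part of either post above: escaping a string that is already escaped is one way to end up with the three backslashes described in the question (that this is the cause is an assumption; the thread does not confirm it), and a bound parameter stores the value with no escaping call at all. The sample string, the `comments` table and the in-memory SQLite database reached through PDO are assumptions made for the illustration.

```php
<?php
// Added example, not from the thread. The input string is constructed.
// Assumes PHP 7+ with the pdo_sqlite extension.
$input = "O'Reilly";

// One pass: a backslash goes before each ' " \ and NUL byte.
$once = addslashes($input);

// A second pass escapes the backslash added by the first pass as well as
// the quote, which leaves three backslashes before the quote.
$twice = addslashes($once);

// stripslashes() removes one level of escaping per call.
$undoOne = stripslashes($twice);
$undoTwo = stripslashes($undoOne);

foreach (compact('input', 'once', 'twice', 'undoOne', 'undoTwo') as $name => $value) {
    printf("%-8s %s\n", $name, $value);
}

// With a bound parameter the value never becomes part of the SQL text,
// so it needs no escaping on the way in and no stripslashes() on the way out.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

$insert = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $input]);  // raw value
$insert->execute([':body' => $twice]);  // double-escaped value

foreach ($db->query('SELECT id, body FROM comments ORDER BY id') as $row) {
    // Row 1 comes back exactly as typed. Row 2 still carries the three
    // backslashes, because they were stored as part of the data.
    printf("row %d: %s\n", $row['id'], $row['body']);
}
```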