Hi,
I am trying to learn PHP, so please forgive my confusion here, but I am trying to display a comments section in my web page and a book that I am using suggests that I
use stripslashes() when I display my text, i.e. <? echo stripslashes($_POST[comments]); ?>.
The other table columns that I display work without a problem, i.e. <? echo "$_POST[field1]"; ?>
The example that I am using is PHP 6 by Julie Meloni and Matt Telles published by Thompson Learning.
So what is the correct syntax for passing $_POST[comments] to stripslashes() ?
Thanks for your answers !
Problem with stripslashes function
onshoreguy (Forum Newbie, joined Wed Jul 10, 2013)
mecha_godzilla (Forum Contributor, UK, joined Wed Apr 14, 2010)
Re: Problem with stripslashes function
Hi,
The issue with needing to use stripslashes (or not) is that your script may or may not be escaping single quotes (') prior to inserting the guestbook comments into a database. What this means in practice is that if I enter
Your site is so much better than Joe's site!
in your comments field, then by the time your script has processed the form values it may end up looking like
Your site is so much better than Joe\'s site!
which is fine if you are about to insert the guestbook comments into your database, but not so good when you want to display the comments field in your page again after the form has been submitted (which is where stripslashes comes into play). As you say you're currently learning PHP, I'll just mention the fact that inserting any text in a MySQL database query that contains an unescaped single quote will cause the query to fail, because single quotes are used as delimiters for values inside the query and MySQL gets confused if single quotes start appearing in places where it doesn't expect them to be.
There is also a situation whereby PHP automatically escapes single quotes without your intervention - this is because it may be using the "magic quotes" setting (now deprecated). You can check to see whether magic quotes are enabled with this code:
Code:
if (get_magic_quotes_gpc()) {
    echo 'magic quotes is enabled';
} else {
    echo 'magic quotes is disabled';
}
The magic quotes functionality was deprecated for a good reason (namely that data was automatically being processed whether you wanted PHP to do this or not) and historically this used to create a lot of problems with 3rd party software, because some software relied on magic quotes being switched on while other software specifically needed it switched off.
Technically, from a security perspective it is not sufficient to just escape single quotes as there are other ways to compromise or break a database query, so you might also want to research how the mysql_real_escape_string() and mysqli_real_escape_string() functions work. Before you do that though, try and ascertain whether your script is actually escaping single quotes in the first instance by replacing
Code:
<?php echo stripslashes($_POST['comments']); ?>
with
Code:
<?php echo $_POST['comments']; ?>
Also, you should always assume that *all* values in your form will need to be escaped prior to inserting the guestbook comments into your database, because someone's name might turn out to be John O'Reilly and the database query will fail because of the single quote.
HTH,
Mecha Godzilla
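Putting the reply's points together in one guestbook handler, as an added example that is not from the thread or the book: it quotes the array key, calls stripslashes() only when magic quotes really are on, and swaps the mysql_real_escape_string() approach for a mysqli prepared statement. The table name, column names and connection details are assumed placeholders.

```php
<?php
// Added example, not the original poster's or the book's code.
// Assumed schema: guestbook(id, name, comments); connection values are placeholders.

// Read one form field, undoing magic quotes only if PHP actually added them.
// Calling stripslashes() unconditionally would also eat backslashes the user typed.
// get_magic_quotes_gpc() returns false from PHP 5.4 and was removed in PHP 8.
function form_value($key)
{
    // Quote the key: $_POST[comments] only works because PHP turns the
    // undefined constant "comments" into the string 'comments' (with a notice).
    $value = isset($_POST[$key]) ? $_POST[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Store the comment. The prepared statement sends the SQL text and the values
// separately, so John O'Reilly's apostrophe can neither break nor alter the
// query, and no manual escaping function is needed on the database side.
function store_comment(mysqli $db, $name, $comments)
{
    $stmt = $db->prepare('INSERT INTO guestbook (name, comments) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $comments);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Escape for the *output* context: the database escaping is irrelevant once the
// text is echoed into HTML, where a stray quote or <script> could change the page.
function render_comment($comments)
{
    return '<p>' . htmlspecialchars($comments, ENT_QUOTES, 'UTF-8') . '</p>';
}

$name     = form_value('name');
$comments = form_value('comments');

$db = new mysqli('localhost', 'guestbook_user', 'PLACEHOLDER_PASSWORD', 'guestbook_db');
if (store_comment($db, $name, $comments)) {
    echo render_comment($comments);   // shows "Joe's site!", not "Joe\'s site!"
}
$db->close();
```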