Hi,
The issue with needing to use stripslashes (or not) is that your script may or may not be escaping single quotes (') prior to inserting the guestbook comments into a database. What this means in practice is that if I enter
Your site is so much better than Joe's site!
in your comments field then by the time your script has processed the form values it may end up looking like
Your site is so much better than Joe\'s site!
which is fine if you are about to insert the guestbook comments into your database, but not so good when you want to display the comments field in your page again after the form has been submitted (which is where stripslashes comes into play). As you say you're currently learning PHP, I'll just mention the fact that inserting any text in a MySQL database query that contains an unescaped single quote will cause the query to fail, because single quotes are used as delimiters for values inside the query and MySQL gets confused if single quotes start appearing in places where it doesn't expect them to be.
There is also a situation whereby PHP automatically escapes single quotes without your intervention - this is because it may be using the "magic quotes" setting (now deprecated). You can check to see whether magic quotes are enabled with this code:
Code:
if (get_magic_quotes_gpc()) {
echo 'magic quotes is enabled';
} else {
echo 'magic quotes is disabled';
}
The magic quotes functionality was deprecated for a good reason (namely that data was automatically being processed whether you wanted PHP to do this or not) and historically this used to create a lot of problems with third-party software, because some software relied on magic quotes being switched on while other software specifically needed it switched off.
Technically, from a security perspective it is not sufficient to just escape single quotes as there are other ways to compromise or break a database query, so you might also want to research how the mysql_real_escape_string() and mysqli_real_escape_string() functions work. Before you do that though, try to ascertain whether your script is actually escaping single quotes in the first instance by replacing
Code:
<? echo stripslashes($_POST[comments]); ?>
with
Also, you should always assume that *all* values in your form will need to be escaped prior to inserting the guestbook comments into your database, because someone's name might turn out to be
John O'Reilly and the database query will fail because of the single quote.
HTH,
Mecha Godzilla
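The following is an added example illustrating the reply above; it is not code from the post or from the poster's guestbook script. It shows three things in one runnable script: reading a form value back to what the user actually typed regardless of the magic quotes setting (get_magic_quotes_gpc() no longer exists in PHP 8, so the call is guarded), why escaping only the single quote is not enough (a backslash in the input lets an attacker close the string literal early), and the hardened form, a mysqli prepared statement, which needs no escaping at all. Assumptions: the `guestbook` table with `name` and `comment` columns is hypothetical, and `escape_for_mysql()` is an offline stand-in for mysqli_real_escape_string() that ignores the connection charset; against a live server use the real function or, better, the prepared statement. Everything except `insert_comment()` runs without a database.

```php
<?php
// Added example (not from the original post): magic quotes, stripslashes,
// quote escaping and prepared statements side by side.

// Step 1: recover the raw value the user typed. If magic quotes are on, PHP
// has already added backslashes, so undo that; otherwise leave it alone.
// get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists guard.
function raw_form_value(string $value): string
{
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magic ? stripslashes($value) : $value;
}

// The naive approach many hand-rolled scripts use: escape only the single quote.
function escape_quotes_only(string $value): string
{
    return str_replace("'", "\\'", $value);
}

// Offline stand-in for mysqli_real_escape_string(): every character that is
// special inside a MySQL string literal, not just the single quote.
// (Assumption: the real function also honours the connection charset and
// the NO_BACKSLASH_ESCAPES sql_mode; this stand-in does neither.)
function escape_for_mysql(string $value): string
{
    return strtr($value, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// Return the contents of the first single-quoted literal in $sql, honouring
// backslash escapes the way MySQL does, so we can see where the literal ends.
// Returns null if the literal is never closed (MySQL would report a syntax error).
function first_literal(string $sql): ?string
{
    $start = strpos($sql, "'");
    if ($start === false) {
        return null;
    }
    $out = '';
    for ($i = $start + 1, $n = strlen($sql); $i < $n; $i++) {
        $c = $sql[$i];
        if ($c === "\\" && $i + 1 < $n) {   // escaped char: take it literally
            $out .= $sql[++$i];
            continue;
        }
        if ($c === "'") {                    // unescaped quote closes the literal
            return $out;
        }
        $out .= $c;
    }
    return null;
}

// The hardened form: the value is sent as a bound parameter, so the SQL text
// never contains user data and nothing needs escaping. (Hypothetical table.)
function insert_comment(mysqli $db, string $name, string $comment): bool
{
    $stmt = $db->prepare('INSERT INTO guestbook (name, comment) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $name, $comment);
    return $stmt->execute();
}

// Constructed inputs: the friendly case from the post and a hostile one.
$inputs = [
    "Your site is so much better than Joe's site!",
    "\\' OR 1=1 -- ",   // user typed: backslash, single quote, then SQL
];

foreach ($inputs as $typed) {
    $value = raw_form_value($typed);
    $naive = "SELECT * FROM guestbook WHERE comment = '" . escape_quotes_only($value) . "'";
    $full  = "SELECT * FROM guestbook WHERE comment = '" . escape_for_mysql($value) . "'";
    echo "typed:              $typed\n";
    echo "quote-only query:   $naive\n";
    echo "  literal MySQL sees: " . var_export(first_literal($naive), true) . "\n";
    echo "full-escape query:  $full\n";
    echo "  literal MySQL sees: " . var_export(first_literal($full), true) . "\n\n";
}
```

For the Joe's-site input both escaping styles give the same literal. For the hostile input, quote-only escaping turns `\'` into `\\'`, which MySQL reads as an escaped backslash followed by an unescaped quote: the literal ends after a single backslash and ` OR 1=1 -- ` becomes live SQL. The full escaping keeps the whole input inside the literal, and the prepared statement sidesteps the question entirely, which is why it is the form to prefer once you have moved past mysql_* (removed in PHP 7) to mysqli or PDO.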