addslashes & stripslashes

jogen143
Forum Newbie
Posts: 15
Joined: Tue Mar 25, 2003 2:51 am

addslashes & stripslashes

Post by jogen143 »

Can someone give me a good explanation of addslashes and stripslashes and when they should be used? I know that it's used when inserting and retrieving data from the database, but when is it necessary to use it? I have done a database-driven PHP site without using addslashes and stripslashes and it's working fine, but I am still confused about this. Please help.


Thanks
mattd
Forum Newbie
Posts: 6
Joined: Wed Mar 26, 2003 10:10 pm

it keeps the peace

Post by mattd »

It's very true, you can create a full-featured database-driven web site without addslashes. But, for example, what if you had a table field of "Name" and someone put in the form field (of name) "Ye 'ol man"? MySQL would get confused because of the "'"; addslashes makes data fully compatible with SQL queries.
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

Quotes tell mysql that 'string starts here ..... and ends here' so if you have quotes inside a text string they need to be escaped so they're not interpreted as start/end, as mentioned above.

Escaping strings in DB queries is also essential as a security measure. I'd htmlspecialchars() as well to neutralise stuff like <script> and <meta> if you've got user-submitted text which will eventually be output in a browser.

Also look at mysql_escape_string() and magic quotes gpc for other slashing functions. I'd guess you've got magic quotes on if you haven't had any problems yet.

If you don't already have it, the downloadable php manual from php.net is a good reference point - get the version with user comments.
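The quote problem and the two kinds of escaping discussed in the replies above, as an added example that is not part of the original thread. It assumes PHP 7 or later with PDO and an in-memory SQLite database (chosen so it runs without a MySQL server); the `people` table, its `name` column and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension.
// Table name, column name and inputs are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (name TEXT)');

// Constructed form input: the name from the thread, plus a value with markup.
$inputs = ["Ye 'ol man", '<script>alert(1)</script>'];

// 1. Value pasted into the SQL text: the apostrophe closes the string
//    literal early, so the database can no longer parse the statement.
try {
    $db->exec("INSERT INTO people (name) VALUES ('" . $inputs[0] . "')");
    echo "Concatenated query succeeded\n";
} catch (PDOException $e) {
    echo 'Concatenated query failed: ', $e->getMessage(), "\n";
}

// 2. addslashes() puts a backslash in front of the quote. Which escaping
//    is correct depends on the database, so this is shown for comparison only.
echo 'addslashes gives: ', addslashes($inputs[0]), "\n";

// 3. Bound parameters: the value travels separately from the SQL text,
//    so quotes inside it are never read as the start or end of a string.
$insert = $db->prepare('INSERT INTO people (name) VALUES (:name)');
foreach ($inputs as $name) {
    $insert->execute([':name' => $name]);
}

// 4. The data is stored exactly as entered, so nothing has to be stripped
//    on the way out. HTML escaping is a separate step, applied on output.
foreach ($db->query('SELECT name FROM people') as $row) {
    echo 'Stored value: ', $row['name'], "\n";
    echo 'For a browser: ',
        htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Run it with the PHP command-line interpreter; step 1 reports a syntax error, while steps 3 and 4 store and print both inputs intact.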