addslashes & stripslashes
Posted: Thu Mar 27, 2003 10:54 pm
by jogen143
Can someone give me a good explanation of addslashes and stripslashes and when they should be used? I know they're used when inserting and retrieving data from the database, but when is it necessary to use them? I have done a database-driven PHP site without using addslashes and stripslashes and it's working fine, but I'm still confused about this. Please help.
Thanks
it keeps the peace
Posted: Thu Mar 27, 2003 11:11 pm
by mattd
It's very true, you can create a full-featured database-driven web site without addslashes. But, for example, what if you had a table field of "Name" and someone put in the form field (of name) "Ye 'ol man"? MySQL would get confused because of the "'"; addslashes makes data fully compatible with SQL queries.
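An added example (not code from the thread) of the case mattd describes, plus the security consequence McGruff raises in the next post. It builds the SQL text that would be sent to MySQL without needing a database connection; the table and column names and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not code from the thread. It shows an unescaped single quote
// breaking the SQL text, and addslashes() turning that quote into data.
// No database is needed: we only build the query string MySQL would receive.

// Query built by plain interpolation (the vulnerable form).
function buildLoginUnsafe(string $user, string $pass): string
{
    return "SELECT id FROM users WHERE name='$user' AND pass='$pass'";
}

// Same query with both values run through addslashes() first.
function buildLoginEscaped(string $user, string $pass): string
{
    $u = addslashes($user);
    $p = addslashes($pass);
    return "SELECT id FROM users WHERE name='$u' AND pass='$p'";
}

// 1. The harmless case from the post: a name containing an apostrophe.
$name = "Ye 'ol man";
echo buildLoginUnsafe($name, 'secret'), "\n";   // the apostrophe ends the literal early: syntax error in MySQL
echo buildLoginEscaped($name, 'secret'), "\n";  // MySQL reads \' as a literal apostrophe inside the string

// 2. The hostile case: a constructed password that rewrites the WHERE clause.
$evil = "' OR '1'='1";
echo buildLoginUnsafe('bob', $evil), "\n";   // the clause becomes ... OR '1'='1', true for every row
echo buildLoginEscaped('bob', $evil), "\n";  // the quotes stay inside the pass='...' literal

// 3. stripslashes() is the inverse, for use on the PHP side only. MySQL stores
//    the bare apostrophe, so a value read back from the table needs no stripslashes().
var_dump(stripslashes(addslashes($name)) === $name);
```

addslashes() only backslash-escapes the single quote, double quote, backslash and NUL, and it knows nothing about the connection's character set; the escaping function written for MySQL was mysql_real_escape_string(), which takes the charset into account, and PHP 7 dropped the whole mysql_* family in favour of prepared statements in mysqli and PDO, where the value never becomes part of the SQL text at all.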
Posted: Fri Mar 28, 2003 7:05 am
by McGruff
Quotes tell MySQL that 'the string starts here ..... and ends here', so if you have quotes inside a text string they need to be escaped so they're not interpreted as the start/end, as mentioned above.
Escaping strings in DB queries is also essential as a security measure. I'd use htmlspecialchars() as well to neutralise stuff like <script> and <meta> if you've got user-submitted text which will eventually be output in a browser.
Also look at mysql_escape_string() and magic_quotes_gpc for other slashing functions. I'd guess you've got magic quotes on if you haven't had any problems yet.
If you don't already have it, the downloadable php manual from php.net is a good reference point - get the version with user comments.
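An added example (not code from the thread) covering the two points McGruff makes: checking whether magic_quotes_gpc has already slashed the request data, so a value is escaped once rather than twice, and running user text through htmlspecialchars() at output time. The function names and the sample comment are constructed for illustration.

```php
<?php
// Added example, not code from the thread. It shows how to avoid double
// escaping when magic_quotes_gpc is on, and how to neutralise HTML at output.

// Tell whether PHP has already run addslashes() over GET/POST/COOKIE data.
// magic_quotes_gpc stopped doing anything in PHP 5.4 and the function was
// removed in PHP 8, so on current versions this is always false; on the PHP
// of this thread's era it depends on php.ini.
function magicQuotesOn(): bool
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Escape a value exactly once before putting it into a quoted SQL literal.
function sqlEscape(string $value): string
{
    // If magic quotes already added the slashes, strip them first; otherwise
    // "Ye 'ol man" would be escaped twice and stored with a backslash in it.
    if (magicQuotesOn()) {
        $value = stripslashes($value);
    }
    return addslashes($value);
}

// Escape a value for display in an HTML page: <, >, &, " and ' become entities,
// so <script> and <meta> tags typed by a user are shown as text, not executed.
function htmlOut(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input of the kind McGruff mentions.
$comment = "Ye 'ol man says <script>alert('hi')</script> <meta http-equiv=\"refresh\" content=\"0\">";

$forDb   = sqlEscape($comment);
$forPage = htmlOut($comment);

echo "SQL:  INSERT INTO comments (body) VALUES ('$forDb')\n";
echo "HTML: $forPage\n";
```

The two escapings are for different consumers and are not interchangeable: the SQL escaping protects the query text on the way in, while htmlspecialchars() belongs at the point where the stored text is written into a page. Keeping the database copy unescaped for HTML and escaping on output means the same value can later be safely emitted into HTML, a URL or JSON, each with the escaping that context needs.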