add/stripslashes()


Post by timmy »

What is the purpose of using the add/stripslashes functions? I've seen some people use addslashes when entering info into a db, then stripping them when querying. Is there an advantage to doing this, as opposed to just putting raw data in the fields?

Post by sam »

Of course... If you are putting data that has a ' in it into a database it will give you an SQL error, i.e.:

Code: Select all

$name = "Sam's stuff";
// the ' inside $name closes the quoted value early, so the statement is malformed
mysql_query("SELECT * FROM users WHERE username='$name'");
// not gonna happen
echo mysql_error();

MySQL will return an error about improper syntax, because the ' in sam's will result in MySQL thinking that is the end of the data to find in username and then it will not know how to handle "s Stuff".

Cheers Moe

Post by timmy »

Thanks a lot!

Post by twigletmac »

Also if you are calling data from a database to display on screen then you need to use the stripslashes() function.

For instance if you have the value O'Reilly stored in a database and use PHP to store it to a variable called $name, doing:

Code: Select all

echo $name;
will output: O''Reilly

However,

Code: Select all

echo stripslashes($name);
will output: O'Reilly

Mac

add(add)stripslashes...

Post by leenoble_uk »

Something you should be aware of when updating and calling 'slashed' information from a MySQL database. I worked this out for myself today after a little hair tearing...
Let's say you have put the text [Test "X"] into a form field. I'm using square brackets because quotes is gonna get confusing.
So $string = [Test "X"];
To put this in a database you have to slash it...
so $stringSLASHED = addslashes($string);
INSERT INTO databasename VALUES('$stringSLASHED');

Now your database looks like this:

+----------+
| Data     |
+----------+
| Test "X" |
+----------+

BUT!!! To get it out again you can't do a select where data=$stringSLASHED. You'll see why if we write it out in full.

SELECT * FROM databasename WHERE data="Test "X"";

mysql> Empty Set (0.16 sec)

Now why would that be?

Because the backslashes are special characters telling MySQL to look for the next character. Therefore to find a match you have to slash the slashes.

$stringDOUBLESLASH = addslashes($stringSLASHED);

SELECT * FROM databasename WHERE data="$stringDOUBLESLASH";

which translates as:

SELECT * FROM databasename WHERE data="Test \"X\"";

mysql> 1 row in set (0.2 sec)

+----------+
| Data     |
+----------+
| Test "X" |
+----------+

Confused yet?

Post by sam »

There is really no need to worry about that though, if you have to addslashes to an index column you should think about redesigning your database.

Cheers Moe

Why?

Post by leenoble_uk »

I'm interested to know why you think no database should contain slashes.
I'm not flaming or anything, I'd just like you to suggest an alternative way of storing such information. I am using such a database for a client and although currently there is nothing in his stock list which requires the facility I can't be certain this will be the case forever which is why I am building in the facility from scratch. Now I could use regexp to strip out unwanted characters, and indeed I do in cases like the prices if he enters £34.33 this gets stripped down to 34.33 before being put into the database. But as he will be entering the information himself I have to cater for every possible character he might deem worthy to type in. Apart from using slashes how would I store something like this: "A" grade product is covered by the manufacturer's guarantee.
cheers
Lee
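
An added example, not part of any post in this thread: one way to store and look up text like the sentence above without addslashes()/stripslashes() is to bind the value as a query parameter, so the quotes never become part of the SQL text. It assumes PHP with the PDO SQLite driver; the table `stock` and column `description` are hypothetical names chosen for the illustration.

```php
<?php
// Added example: hypothetical table/column names, in-memory SQLite via PDO.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE stock (id INTEGER PRIMARY KEY, description TEXT)');

// Constructed sample input containing both kinds of quote character.
$raw = '"A" grade product is covered by the manufacturer\'s guarantee.';

// 1. Bound parameter: the value travels separately from the SQL text,
//    so it needs no escaping and is stored exactly as typed.
$insert = $pdo->prepare('INSERT INTO stock (description) VALUES (:d)');
$insert->execute([':d' => $raw]);

// 2. Calling addslashes() on a value that is also bound escapes it twice:
//    the backslashes are stored as literal characters in the row.
$insert->execute([':d' => addslashes($raw)]);

// Look the row up with the same raw value, again bound, not interpolated.
$select = $pdo->prepare('SELECT id FROM stock WHERE description = :d');
$select->execute([':d' => $raw]);
$ids = $select->fetchAll(PDO::FETCH_COLUMN);

// Show what each row really contains and which row the raw value matches.
foreach ($pdo->query('SELECT id, description FROM stock') as $row) {
    printf("row %d: %s\n", $row['id'], $row['description']);
}
printf("ids matching the raw value: %s\n", implode(',', $ids));
```

Only the first row matches the raw value and reads back without needing stripslashes(); the second row shows how an extra escaping pass leaves backslashes in the stored data.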