add/stripslashes()
What is the purpose of using the add/stripslashes functions? I've seen some people use addslashes when entering info into a db, then stripping them when querying. Is there an advantage to doing this, as opposed to just putting raw data in the fields?
- sam
- Forum Contributor
- Posts: 217
- Joined: Thu Apr 18, 2002 11:11 pm
- Location: Northern California
Of course... If you are putting data that has a ' in it into a database it will give you an SQL error, i.e.:

Code:
$name = "Sam's stuff";
mysql_query("SELECT * FROM users WHERE username='$name'");
// not gonna happen
mysql_error();

MySQL will return an error about improper syntax, because the ' in Sam's will result in MySQL thinking that is the end of the data to find in username and then it will not know how to handle "s Stuff".
Cheers Moe
- twigletmac
- Her Royal Site Adminness
- Posts: 5371
- Joined: Tue Apr 23, 2002 2:21 am
- Location: Essex, UK
Also if you are calling data from a database to display on screen then you need to use the stripslashes() function.
For instance if you have the value O'Reilly stored in a database and use PHP to store it to a variable called $name, doing:

Code:
echo $name;

will output: O''Reilly
However,

Code:
echo stripslashes($name);

will output: O'Reilly
Mac
- leenoble_uk
- Forum Contributor
- Posts: 108
- Joined: Fri May 03, 2002 10:33 am
- Location: Cheshire
add(add)stripslashes...
Something you should be aware of when updating and calling 'slashed' information from a MySQL database. I worked this out for myself today after a little hair tearing...
Let's say you have put the text [Test "X"] into a form field. I'm using square brackets because quotes are gonna get confusing.
So $string = [Test "X"];
to put this in a database you have to slash it...
so $stringSLASHED = addslashes($string);
INSERT INTO databasename VALUES('$stringSLASHED');
Now your database looks like this:
+------------+
| Data       |
+------------+
| Test \"X\" |
+------------+
BUT!!! To get it out again you can't do a select where data=$stringSLASHED. You'll see why if we write it out in full.
SELECT * FROM databasename WHERE data="Test \"X\"";
mysql> Empty Set (0.16 sec)
Now why would that be?
Because the backslashes are special characters telling MySQL to look for the next character. Therefore to find a match you have to slash the slashes.
$stringDOUBLESLASH = addslashes($stringSLASHED);
SELECT * FROM databasename WHERE data="$stringDOUBLESLASH";
which translates as:
SELECT * FROM databasename WHERE data="Test \\\"X\\\"";
mysql> 1 row in set (0.2 sec)
+------------+
| Data       |
+------------+
| Test \"X\" |
+------------+
Confused yet?
- leenoble_uk
- Forum Contributor
- Posts: 108
- Joined: Fri May 03, 2002 10:33 am
- Location: Cheshire
Why?
I'm interested to know why you think no database should contain slashes.
I'm not flaming or anything, I'd just like you to suggest an alternative way of storing such information. I am using such a database for a client and although currently there is nothing in his stock list which requires the facility I can't be certain this will be the case forever which is why I am building in the facility from scratch. Now I could use regexp to strip out unwanted characters, and indeed I do in cases like the prices if he enters £34.33 this gets stripped down to 34.33 before being put into the database. But as he will be entering the information himself I have to cater for every possible character he might deem worthy to type in. Apart from using slashes how would I store something like this: "A" grade product is covered by the manufacturer's guarantee.
cheers
Lee
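An answer to Lee's question that none of the posters gave, added here as an example and not code from anyone in the thread: the quotes and backslashes in a value stop mattering once the value is passed to the database as a bound parameter instead of being pasted into the SQL text. Two caveats a practitioner would want first. When a value is escaped correctly exactly once, MySQL removes the backslash while parsing the string literal, so the stored data never contains slashes; a table that shows `Test \"X\"` (or output that only looks right after stripslashes()) means the value was escaped twice, typically magic_quotes_gpc plus an explicit addslashes(), and the "slash the slashes" trick is compensating for that double escaping. And if you must build the SQL text yourself with the old mysql_* API, the escaping function is mysql_real_escape_string(), applied once to the raw value at query time and never to data that is already stored. The example below uses PDO with an in-memory SQLite database so it runs offline (this assumes the pdo_sqlite extension; with MySQL only the DSN changes), and every sample value is constructed for the example.

```php
<?php
// Added example (not from the thread): storing and matching strings that
// contain quotes and backslashes without addslashes()/stripslashes().
// Assumes PHP 7+ with the pdo_sqlite extension; all values are constructed.

// 1. What addslashes() does, and why applying it a second time (as when a
//    stored, already-slashed value is quoted into a SELECT) yields a string
//    that no longer equals what was stored.
function showEscaping(string $raw): array {
    $once  = addslashes($raw);      // what the thread stores after double escaping
    $twice = addslashes($once);     // what "slash the slashes" produces
    return [
        'raw'              => $raw,
        'addslashes_once'  => $once,
        'addslashes_twice' => $twice,
        'round_trip_ok'    => stripslashes($once) === $raw,
    ];
}

// 2. The alternative to slashing: bound parameters. The driver sends the
//    value separately from the SQL text, so a quote inside the value can
//    never terminate the string literal and nothing has to be escaped.
function demoPreparedStatements(): array {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE stock (id INTEGER PRIMARY KEY, description TEXT NOT NULL)');

    // The awkward values from the thread, plus one with a literal backslash.
    $descriptions = [
        "Sam's stuff",
        'Test "X"',
        '"A" grade product is covered by the manufacturer\'s guarantee.',
        'Back\\slash and O\'Reilly',   // constructed: backslash + apostrophe
    ];

    $insert = $pdo->prepare('INSERT INTO stock (description) VALUES (:d)');
    foreach ($descriptions as $d) {
        $insert->execute([':d' => $d]);   // raw value; no addslashes()
    }

    // Exact-match lookup with the raw value: no single or double slashing.
    $find = $pdo->prepare('SELECT id, description FROM stock WHERE description = :d');
    $results = [];
    foreach ($descriptions as $d) {
        $find->execute([':d' => $d]);
        $row = $find->fetch(PDO::FETCH_ASSOC);
        // true when the row is found and comes back byte-for-byte unchanged
        $results[$d] = $row !== false && $row['description'] === $d;
    }
    return $results;
}

foreach (showEscaping('Test "X"') as $key => $value) {
    printf("%-17s %s\n", $key, var_export($value, true));
}
foreach (demoPreparedStatements() as $value => $matched) {
    printf("%-65s %s\n", $value, $matched ? 'matched' : 'NOT matched');
}
```

Run it with `php example.php`: the first block shows `Test "X"` becoming `Test \"X\"` after one addslashes() and `Test \\\"X\\\"` after two, which is exactly the pair of strings in Lee's two SELECTs; the second block reports every description, Lee's guarantee text included, as matched, because the stored bytes and the bound search value are identical and no escaping layer ever touched them.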