add/stripslashes()
Posted: Fri Apr 26, 2002 5:26 pm
by timmy
What is the purpose of using the add/stripslashes functions? I've seen some people use addslashes when entering info into a db, then stripping them when querying. Is there an advantage to doing this, as opposed to just putting raw data in the fields?
Posted: Fri Apr 26, 2002 7:14 pm
by sam
Of course... If you are putting data that has a ' in it into a database, it will give you an SQL error, i.e.:
Code:
$name = "Sam's stuff";
mysql_query("SELECT * FROM users WHERE username='$name'");
// not gonna happen
echo mysql_error();
MySQL will return an error about improper syntax, because the ' in Sam's will result in MySQL thinking that is the end of the data to find in username, and then it will not know how to handle "s stuff".
Cheers Moe
Posted: Fri Apr 26, 2002 7:38 pm
by timmy
Thanks a lot!
Posted: Sat Apr 27, 2002 10:15 am
by twigletmac
Also if you are calling data from a database to display on screen then you need to use the stripslashes() function.
For instance if you have the value O'Reilly stored in a database and use PHP to store it to a variable called $name, doing:
will output: O''Reilly
However,
will output: O'Reilly
Mac
add(add)stripslashes...
Posted: Fri May 03, 2002 10:33 am
by leenoble_uk
Something you should be aware of when updating and calling 'slashed' information from a MySQL database. I worked this out for myself today after a little hair tearing...
Let's say you have put the text [Test "X"] into a form field. I'm using square brackets because quotes are gonna get confusing.
So $string = [Test "X"];
To put this in a database you have to slash it...
so $stringSLASHED = addslashes($string);
INSERT INTO databasename VALUES('$stringSLASHED');
Now your database looks like this:
+------------+
| Data       |
+------------+
| Test "X"   |
+------------+
BUT!!! To get it out again you can't do a select where data=$stringSLASHED. You'll see why if we write it out in full.
SELECT * FROM databasename WHERE data="Test "X"";
mysql> Empty Set (0.16 sec)
Now why would that be?
Because the backslashes are special characters telling MySQL to look for the next character. Therefore to find a match you have to slash the slashes.
$stringDOUBLESLASH = addslashes($stringSLASHED);
SELECT * FROM databasename WHERE data="$stringDOUBLESLASH";
which translates as:
SELECT * FROM databasename WHERE data="Test \"X\"";
mysql> 1 row in set (0.2 sec)
+-----------+
| Data      |
+-----------+
| Test "X"  |
+-----------+
Confused yet?
Posted: Fri May 03, 2002 11:46 am
by sam
There is really no need to worry about that though; if you have to addslashes to an index column you should think about redesigning your database.
Cheers Moe

Why?
Posted: Fri May 03, 2002 1:05 pm
by leenoble_uk
I'm interested to know why you think no database should contain slashes.
I'm not flaming or anything, I'd just like you to suggest an alternative way of storing such information. I am using such a database for a client, and although currently there is nothing in his stock list which requires the facility, I can't be certain this will be the case forever, which is why I am building in the facility from scratch. Now I could use regexp to strip out unwanted characters, and indeed I do in cases like the prices: if he enters £34.33, this gets stripped down to 34.33 before being put into the database. But as he will be entering the information himself, I have to cater for every possible character he might deem worthy to type in. Apart from using slashes, how would I store something like this: "A" grade product is covered by the manufacturer's guarantee.
cheers
Lee
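The escape levels discussed in this thread (slashing before an INSERT, stripping on output, and the stock description in the last post), as an added example that is not part of any post. mysql_read_literal() and stored_after() are hypothetical helpers: the first only models how MySQL decodes the escapes that addslashes() emits, so the script runs without a database.

```php
<?php
// Added illustration; not code from any post in this thread.

// Hypothetical stand-in for the way MySQL decodes the body of a quoted
// string literal, limited to the four escapes addslashes() can emit.
function mysql_read_literal(string $body): string
{
    // strtr() with an array works left to right and never rescans its own
    // output, so each escape pair is decoded exactly once.
    return strtr($body, [
        '\\\\' => '\\',
        '\\"'  => '"',
        "\\'"  => "'",
        '\\0'  => "\0",
    ]);
}

// Hypothetical helper: what the column would hold if the value went through
// $levels passes of addslashes() before being placed between quotes.
function stored_after(string $input, int $levels): string
{
    $literal = $input;
    for ($i = 0; $i < $levels; $i++) {
        $literal = addslashes($literal);
    }
    return mysql_read_literal($literal);
}

// Constructed samples: the form value and the stock description from the posts.
$samples = [
    'Test "X"',
    '"A" grade product is covered by the manufacturer\'s guarantee.',
];

foreach ($samples as $input) {
    foreach ([1, 2] as $levels) {
        $stored = stored_after($input, $levels);
        printf("levels=%d stored=[%s] same as input: %s, after stripslashes: %s\n",
            $levels, $stored,
            $stored === $input ? 'yes' : 'no',
            stripslashes($stored) === $input ? 'yes' : 'no');
    }
}

// Constructed value that legitimately contains backslashes: stripslashes()
// on output alters it, so it belongs only where an extra escape level exists.
$clean = stored_after('C:\\stock\\list', 1);
printf("clean=[%s] stripslashes=[%s]\n", $clean, stripslashes($clean));
```

Run it with the PHP command-line interpreter. Bound parameters in PDO or mysqli prepared statements remove the escaping step altogether, since the value never passes through the SQL string parser.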