can i use addslashes to write
- pelegk2
- Forum Regular
- Posts: 633
- Joined: Thu Nov 27, 2003 5:02 am
- Location: Israel - the best place to live in after heaven
can i use addslashes to write strings with (') for example to a database using addslashes?
so it will have
bal\'bla
- llanitedave
- Forum Commoner
- Posts: 78
- Joined: Thu Jan 15, 2004 11:24 am
- Location: Las Vegas, NV.
ilovetoast
- Forum Contributor
- Posts: 142
- Joined: Thu Jan 15, 2004 7:34 pm
Alright, here's my explanation.
PHP has two directives, magic_quotes_runtime and magic_quotes_gpc, which affect the use of escaping backslashes in certain operations. The magic_quotes_gpc directive covers GPC operations (Get/Post/Cookie). The magic_quotes_runtime directive covers most functions that return values from databases or external files.
In olden times, these two directives were seen as a good thing, something to ease the work of the programmer. However, the wise have rightly come to the conclusion that magic quotes are not as good a thing as was once thought. Most new servers are now set with these directives set to FALSE, but many servers remain with the directives set to TRUE. Considering further that some developers code with the directives FALSE and some code with the directives TRUE, the situation can get even more complicated.
Basically, magic quotes are considered bad because they cause an uncontrollable modification to the data contained in a variable before your script has access to that data. This can cause a host of problems that include problems with matching SELECT queries and properly displaying information in the browser.
As an aside, on every machine you have control over from this day forward, you should turn off both directives - permanently.
Consider this data as a string:
John's cat is dead.
In order to store this data into a database such as MySQL, the single quote (apostrophe) needs to be escaped with a backslash giving:
John\'s cat is dead.
Both addslashes() and the magic_quotes_runtime directive can cause this. If the directive is true, the backslash is added automatically. If the directive is false, then addslashes must be used. Either one or the other must be used to store the data properly, but remember the backslash is not actually stored in the db.
Problems occur when a coder writes in a magic_quotes_runtime=FALSE environ, and so uses addslashes() to give:
John\'s cat is dead.
But then the coder deploys onto a magic_quotes_runtime=TRUE server causing the data to become:
John\\\'s cat is dead.
Which when stored in the database is stored as
John\'s cat is dead.
This could turn out OK if stripslashes() were used after retrieval. However, since the coder developed in a magic_quotes_runtime=FALSE environ there was no need for stripslashes(). So after retrieval the data is floating around in a script variable as:
John\'s cat is dead.
As you can see, this turns into a big mess. All because of magic quotes and bad deployment practices.
The solution is two part. First and foremost is know thy runtime environment directives. If you can control them or at least specify them, then you can always turn off magic quotes.
The second part is just as important. You need to incorporate into your code a conditional that accounts for magic quotes. If there is ever a possibility to deploy onto a machine where magic quotes might be on (say if someone else uses your code) you have an obligation to help them out. That is where the use of addslashes() is conditioned on magic quotes being off.
For your use, if the magic quotes directives are correctly turned off in both your development and deployment environs then there is never any need to use stripslashes in this regard. Hence the golden rule of "Never stripslashes!"
peace
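The double-escaping sequence ilovetoast walks through, and the conditional escape the post recommends, as an added example in PHP that is not code from this thread. It assumes PHP 5 or 7 (get_magic_quotes_gpc() was removed in PHP 8); escapeOnce(), simulateGpc() and storedValue() are names chosen here.

```php
<?php
// Added example, not from the thread. Reproduces the scenario above: code
// that calls addslashes() unconditionally behaves differently once it is
// deployed where magic_quotes_gpc is on. Assumes PHP 5.x or 7.x.

// Escape a request value for a single-quoted SQL literal exactly once.
// $magicQuotesOn may be passed explicitly (for the simulation below) or
// left null to read the live directive.
function escapeOnce($value, $magicQuotesOn = null)
{
    if ($magicQuotesOn === null) {
        // Under PHP 8 the function no longer exists and magic quotes are gone.
        $magicQuotesOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    // Magic quotes already backslashed the input; adding more double-escapes it.
    return $magicQuotesOn ? $value : addslashes($value);
}

// What $_POST['x'] would contain for a raw submitted value under each setting.
function simulateGpc($raw, $magicQuotesOn)
{
    return $magicQuotesOn ? addslashes($raw) : $raw;
}

// stripslashes() undoes addslashes(), which matches how the SQL parser
// unescapes \' and \\ inside the literal: the result is what the column keeps.
function storedValue($escaped)
{
    return stripslashes($escaped);
}

$raw = "John's cat is dead.";   // constructed sample input

foreach (array(false, true) as $on) {
    $input = simulateGpc($raw, $on);
    $naive = addslashes($input);       // unconditional, the problem case
    $safe  = escapeOnce($input, $on);  // conditional, as recommended above

    printf("magic_quotes_gpc=%s\n", $on ? 'on' : 'off');
    printf("  naive escape : %-24s -> stored as %s\n", $naive, storedValue($naive));
    printf("  escapeOnce   : %-24s -> stored as %s\n", $safe, storedValue($safe));
}
// With magic quotes on, the naive path stores a stray backslash, which is the
// corruption the thread describes; escapeOnce() stores the original text in
// both environments. addslashes() only covers the quote and backslash cases
// discussed here; a driver's parameter binding is the robust way to pass
// values into queries.
```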
- llanitedave
- Forum Commoner
- Posts: 78
- Joined: Thu Jan 15, 2004 11:24 am
- Location: Las Vegas, NV.
OK, one last time since I'm old and slow and need these things really drilled into me:
If I have a string $statement that reads:
Dave's "big bonus" was 25%!!
And I was to save that in the field 'statement1' of table 'table1', I'd first call $statement1 = addslashes(trim($statement1)).
If I was to put that field into another, say
$sql = "UPDATE table2 SET table2.statement2 = table1.statement1";
I would have to addslashes() again for the transfer?
And if I were just going to display it on the page (assuming magic quotes are off) I would NOT use stripslashes()?
And also the site Mcgruff suggested you had this function:
The solution is two part. First and foremost is know thy runtime environment directives. If you can control them or at least specify them, then you can always turn off magic quotes.
The second part is just as important. You need to incorporate into your code a conditional that accounts for magic quotes. If there is ever a possibility to deploy onto a machine where magic quotes might be on (say if someone else uses your code) you have an obligation to help them out. That is where the use of addslashes() is conditioned on magic quotes being off.
<?php
// Escape a GET/POST/COOKIE value for SQL only if PHP has not already done so.
function myAddSlashes( $string ) {
    // get_magic_quotes_gpc() returns 1 when magic_quotes_gpc is on, meaning the
    // input already carries backslashes; adding more would double-escape it.
    if (get_magic_quotes_gpc()==1) {
        return ( $string );
    } else {
        return ( addslashes ( $string ) );
    }
}
?>