[SOLVED] addslashes()


Recommended Posts

Adding to the above post, addslashes() is used to escape special characters in any string which is going to be used in a database query. Escaping means adding slashes to those special characters, like quotes, double quotes, backslashes etc. To remove those slashes in a value taken from a database, you use stripslashes(). Actually using mysql_real_escape_string() is advised.

https://forums.phpfreaks.com/topic/104103-solved-addslashes/#findComment-533104

Ok, so to be clear, the following is how I should do things from now on:

$what_will_be_inserted = addslashes($_POST['asdf']);

Then I can insert. And then to get it out again:

$query = mysql(whatever);
$what_will_be_gotten = mysql_real_escape_string($query);

And this makes things safer?


Consider this query:

$query = "SELECT * FROM users WHERE username = '" . $_POST['username'] . "'";

The user could send "' OR '1'='1" as their username, which would make the query:

$query = "SELECT * FROM users WHERE username = '' OR '1'='1' ";

Which would always come back as true (not false) if queried. The user could of course do something even more malicious :o. What mysql_real_escape_string does is add slashes before the quotes, so they are taken literally, not as parts of the query.

$query = "SELECT * FROM users WHERE username = '\' OR \'1\'=\'1\''";

In this query where the input is escaped the username would have to be "' OR '1'='1" in order for the query to come back as true (not false).

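The injection described in the post above, reproduced as an added example that is not part of the thread. It builds the same lookup three ways against an in-memory SQLite database through PDO (assumed to be available in the PHP build), so it runs without a MySQL server. PDO::quote() stands in here for mysql_real_escape_string(): both escape according to the driver and connection character set, which addslashes() does not, and a prepared statement sidesteps the problem by never putting user text into the SQL at all. The users table and its rows are constructed for the demo.

```php
<?php
// Added example (not from the thread): the "' OR '1'='1" input run against
// a concatenated query, an escaped query, and a prepared statement.
$db = new PDO('sqlite::memory:');   // assumed: pdo_sqlite is enabled
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)");
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");   // constructed rows

// 1. The vulnerable pattern from the post: the value is spliced into the SQL text,
//    so a quote inside it ends the string literal and the rest becomes SQL.
function countByConcatenation(PDO $db, string $username): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '" . $username . "'";
    return (int) $db->query($sql)->fetchColumn();
}

// 2. The escaping approach from the post: the driver quotes the value so the
//    quotes inside it stay part of the data (mysql_real_escape_string() does
//    the same for ext/mysql; PDO::quote() is its counterpart here).
function countByEscaping(PDO $db, string $username): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = " . $db->quote($username);
    return (int) $db->query($sql)->fetchColumn();
}

// 3. The preferred approach: the SQL text is fixed and the value travels as a
//    bound parameter, so there is nothing to escape.
function countByPreparedStatement(PDO $db, string $username): int
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    return (int) $stmt->fetchColumn();
}

$payload = "' OR '1'='1";   // the input quoted in the post

printf("concatenation: %d matching rows\n", countByConcatenation($db, $payload));
printf("escaped:       %d matching rows\n", countByEscaping($db, $payload));
printf("prepared:      %d matching rows\n", countByPreparedStatement($db, $payload));
```

Run it with the php command-line binary. The concatenated version matches every user, because its WHERE clause has become username = '' OR '1'='1'; the escaped and prepared versions match none, because the database is now looking for a user literally named ' OR '1'='1.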

Here's a bit of a more specific question. Why doesn't this work?

$sql_recentnews = stripslashes(mysql_query("SELECT * FROM news ORDER BY timestamp DESC LIMIT 0 , " . $rpp));
while($topic=mysql_fetch_array($sql_recentnews)){
    echo "<li class='recent_news_li'><span class='recent_news_topic'><a href='news.php?page=viewtopic&id=" . $topic['id'] . "'>" . $topic['title'] . "</a></span>";
}

I get this error:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/asdfdsa/public_html/testing123/index.php on line 69


You need to use stripslashes on the actual output, not the query....

$sql_recentnews = mysql_query("SELECT * FROM news ORDER BY timestamp DESC LIMIT 0 , " . $rpp);
while($topic=mysql_fetch_array($sql_recentnews)){
    echo "<li class='recent_news_li'><span class='recent_news_topic'><a href='news.php?page=viewtopic&id=" . $topic['id'] . "'>" . stripslashes($topic['title']) . "</a></span>";
}

Look at what I did.

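Where stripslashes() belongs, and when it is needed at all, as an added example that is not part of the thread. It replaces the ext/mysql calls in the two posts above with PDO against an in-memory SQLite database (assumed available) and constructs its own news rows. The point it shows: a value that was escaped or bound exactly once is stored without slashes, so stripslashes() on the way out only matters when the data was escaped twice, which is what magic_quotes_gpc (on by default in PHP 5 until it was removed in 5.4) did on top of a manual addslashes(). The final part reproduces the asker's mistake of passing the result object rather than a string; under PHP 8 (assumed) that is a TypeError, under earlier versions a warning and a null result, which is what the "not a valid MySQL result resource" message in the post reflects.

```php
<?php
// Added example (not from the thread): stripslashes() on fetched values, and
// why a once-escaped value needs no unescaping. PDO + SQLite stand in for ext/mysql.
$db = new PDO('sqlite::memory:');   // assumed: pdo_sqlite is enabled
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT NOT NULL, ts INTEGER NOT NULL)");

function insertNews(PDO $db, string $title, int $ts): void
{
    // The value travels as a bound parameter, separate from the SQL text, so no
    // slashes are added by us and none are stored by the database.
    $stmt = $db->prepare("INSERT INTO news (title, ts) VALUES (:t, :ts)");
    $stmt->execute([':t' => $title, ':ts' => $ts]);
}

function recentNews(PDO $db, int $rpp): array
{
    // The row limit is bound as an integer instead of being concatenated from $rpp.
    $stmt = $db->prepare("SELECT id, title FROM news ORDER BY ts DESC LIMIT :n");
    $stmt->bindValue(':n', $rpp, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$title = "Rock 'n' roll";   // constructed title containing quotes

// Correct path: escaped (or bound) exactly once. The stored title equals the
// input, so stripslashes() on output would have nothing to remove.
insertNews($db, $title, 1);

// Double-escaped path: magic_quotes_gpc already turned ' into \' in $_POST and
// addslashes() was applied on top. MySQL strips one layer when it parses the
// literal, so the row keeps the other. Simulated here by binding the
// once-escaped string directly.
insertNews($db, addslashes($title), 2);

foreach (recentNews($db, 10) as $row) {
    printf("id=%d stored=[%s] after stripslashes=[%s]\n",
        $row['id'], $row['title'], stripslashes($row['title']));
}

// The asker's mistake: stripslashes() applied to the result object, not to a string.
try {
    stripslashes($db->query("SELECT title FROM news"));
} catch (TypeError $e) {
    echo "stripslashes() on a result object fails: " . $e->getMessage() . "\n";
}
```

The second printed row shows the backslashes that survive double escaping and why stripslashes($topic['title']) in the reply above "fixes" the display; the first row shows that with a single layer of escaping the stored value is already clean and stripslashes() is a no-op.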

Ok, so I should hold off on slashing and unslashing the ids. Got it. And now that I think about it, the id adds itself, so I couldn't slash it even if I wanted to. No point in unslashing it.

By the way, I got everything working with the slashes now. Thanks.


Archived

This topic is now archived and is closed to further replies.
