addslashes stripslashes magic quotes and mysql_real_escape_string


goatdog

OK, I'm a little confused with all this here. I've just been reading about SQL injections and how to use mysql_real_escape_string.

In some examples I've seen, they check whether magic quotes is active or not with magic_quotes_gpc() and use stripslashes.

In my experience, here's what I have been doing. Magic quotes is off, so on anything with text I would do

$name = "it's a beautiful day";

$namex = addslashes($name);

because you would get a MySQL insert error due to the single quote.

Then when I ran a query I would do

$namex = stripslashes($name);

In the examples I've seen with mysql_real_escape_string, it uses stripslashes before the insert.

So what's the proper way to do this?

Let me know if you need more of an explanation.


Here's a function I use

function sanitize ( $input ) {

# Parse array: escape every element recursively
if ( is_array($input) ) {
	foreach ($input as $key => $var)
		$input[$key] = sanitize( $var );

# Parse string
} else {
	# Check if already escaped by magic quotes
	if (get_magic_quotes_gpc())
		# Remove useless escapes so the value is not escaped twice
		$input = stripslashes($input);
	# Use proper escape (requires an open mysql_connect() link)
	$input = mysql_real_escape_string($input);
}

# Return sanitized string
return $input;

}

So if I were inserting multiple variables into a row, would I use it like this?

$name = sanitize($name);
$info = sanitize($info);
$description = sanitize($description);

$sql = "INSERT INTO users VALUES ('', '$name', '$info', '$description')";
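The following is an added example, not code from either poster. It shows the pattern the thread is circling around: undo magic quotes once at the input boundary, escape (or better, bind) once at the moment the query is built, and never stripslashes on the way back out, because the database stores the unescaped text. It uses mysqli rather than the old mysql_* functions; the connection credentials and the `users(id, name, info, description)` table are assumed placeholders.

```php
<?php
// Added example: escape once at query-build time, or use a prepared statement.
// Assumes a MySQL database with a table
//   users (id INT AUTO_INCREMENT PRIMARY KEY, name TEXT, info TEXT, description TEXT)
// DB_USER / DB_PASSWORD / DB_NAME are placeholders.

$mysqli = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($mysqli->connect_errno) {
    die('Connect failed: ' . $mysqli->connect_error);
}
$mysqli->set_charset('utf8mb4');   // escaping is charset-aware, so set it first

// 1. Undo magic quotes exactly once, at the input boundary, so the value in
//    memory is the raw text the user typed ("it's a beautiful day").
//    get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists guard.
function raw_input($value) {
    if (is_array($value)) {
        return array_map('raw_input', $value);
    }
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Constructed sample inputs, including quotes and a backslash
$name        = raw_input("it's a beautiful day");
$info        = raw_input("O'Brien");
$description = raw_input('back\\slash and "double quotes"');

// 2a. Legacy path: escape at the moment the SQL string is built, with the
//     connection's charset, and put quotes around every value. Nothing is
//     stripped later; the stored row contains the unescaped text.
$sql = sprintf(
    "INSERT INTO users (name, info, description) VALUES ('%s', '%s', '%s')",
    $mysqli->real_escape_string($name),
    $mysqli->real_escape_string($info),
    $mysqli->real_escape_string($description)
);
if (!$mysqli->query($sql)) {
    die('Insert failed: ' . $mysqli->error);
}

// 2b. Preferred path: a prepared statement sends query text and data
//     separately, so quotes and backslashes in the values can never
//     change the statement, and no escaping function is needed at all.
$stmt = $mysqli->prepare(
    'INSERT INTO users (name, info, description) VALUES (?, ?, ?)'
);
$stmt->bind_param('sss', $name, $info, $description);
$stmt->execute();
$stmt->close();

// 3. Reading back: no stripslashes. Both rows come back exactly as typed.
$res = $mysqli->query('SELECT name, info, description FROM users ORDER BY id DESC LIMIT 2');
while ($row = $res->fetch_assoc()) {
    echo $row['name'], ' | ', $row['info'], ' | ', $row['description'], "\n";
}
$mysqli->close();
```

The addslashes-then-stripslashes round trip in the first post only appears to work because addslashes happens to match MySQL's quoting for ASCII input; it is not charset-aware and is not an injection defence. Escaping belongs to the query string, not to the data, which is why the read path does no unescaping at all, and why the prepared statement in step 2b is the simplest correct answer to "what's the proper way to do this?".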
