Welling Posted December 20, 2008 Now, I'm using this function to escape the variables I use in MySQL queries:

    function escape($texto) {
        $texto = trim($texto);
        $texto = htmlspecialchars($texto);
        return $texto;
    }

And it seems it works well (if it isn't secure, tell me, please!). The problem is when I want to insert HTML code in the DB. I have tried with mysql_real_escape_string() but " and ' are \" and \' when I show the HTML later, and I must do something like:

    $html = str_replace("\\'", "'", $html);
    $html = str_replace("\\\"", "\"", $html);

But I think this shouldn't be the best way to do it. What do you think? Any other way to do it? https://forums.phpfreaks.com/topic/137851-secure-mysql-queries/
RussellReal Posted December 20, 2008 inserting into a database.. you should always make sure to use mysql_real_escape_string.. ' and " are used by malicious users for an attack known as SQL Injection.. to remove the slashes later.. stripslashes() will do the trick
Welling Posted December 21, 2008 Author I have tried to do stripslashes() before mysql_real_escape_string() and now I don't need stripslashes() later to show the result, because the \ aren't in the DB. Is this because magic quotes are on, and without magic quotes people don't need to use stripslashes() ever?
DeanWhitehouse Posted December 21, 2008 Use addslashes(); and mysql_real_escape_string(); and then when you recall the data use stripslashes(); to remove the slashes
Welling Posted December 21, 2008 Author Ehh.. I think you haven't understood it. Maybe if I use addslashes(); and mysql_real_escape_string(); and magic quotes on, I will get \\\\\\\' and \\\\\\\". My question was if doing stripslashes() before mysql_real_escape_string() was secure...
DeanWhitehouse Posted December 21, 2008 It is but why would you want to remove the slashes first :s You can always disable magic quotes
redarrow Posted December 21, 2008 .htaccess file, add a line php_flag magic_quotes_gpc off
Welling Posted December 21, 2008 Author Yes, but if I don't disable magic quotes I must do the stripslashes(). Then without magic quotes, stripslashes() isn't needed either before or after inserting in the DB?
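The thread reduces to one flow: undo magic quotes once at input, hand the text to MySQL as a bound parameter instead of splicing it into the SQL string, and escape for HTML only at output. As an added example (not code from any of the posters), assuming PHP 7.1+ with mysqli on mysqlnd, an open connection $db and a table `pages (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT)`, all of which are assumptions:

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+, a mysqli
// connection $db (mysqlnd, for get_result()) and a table
// `pages (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT)`: all assumptions.

// 1. Undo magic_quotes_gpc once, at input, so the text is stored as typed
//    with no added backslashes. get_magic_quotes_gpc() was removed in PHP 8,
//    so the function_exists() guard keeps this running there as well.
function rawInput(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// 2. Insert with a bound parameter: the HTML reaches MySQL as data, never as
//    part of the SQL text, so ' and " cannot change the query, no escaping
//    step can be forgotten or applied twice, and no \ ends up in the table.
function storeHtml(mysqli $db, string $html): int
{
    $stmt = $db->prepare('INSERT INTO pages (body) VALUES (?)');
    $stmt->bind_param('s', $html);
    $stmt->execute();
    return (int) $db->insert_id;
}

// 3. Read the row back exactly as stored; no stripslashes() is needed.
function loadHtml(mysqli $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM pages WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ? $row['body'] : null;
}

// 4. Escape for the output context, not at storage time. htmlspecialchars()
//    is an HTML defence, not a SQL one; ENT_QUOTES neutralises both ' and "
//    so the value is safe inside an attribute as well as in element text.
$id   = storeHtml($db, rawInput($_POST['html'] ?? ''));
$body = loadHtml($db, $id) ?? '';
echo '<textarea name="html">' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</textarea>';
```

Echoing the stored body unescaped (to render it as a page) is only appropriate when its author is trusted; for anyone else's input the escaped form above is the safe one.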