mysql_real_escape_string() VS stripslashes() VS htmlentities

[robert_gsfame]

I really confused with three of this function. Hope anyone can explain and give me some helps..

 

Let say i have this query

sprintf("INSERT INTO table(column1)VALUES('%s')",myql_real_escape_string($value));

 

And let say user put this as the value          "aaa", then it will come like this inside my database \"aaa\"

 

When retrieving the data i use stripslashes() to remove those slashes and i will have this

"aaa" correctly displayed...and i will use htmlentities(stripslashes($value)) to retrieve the data into my textbox

 

Is this correct and safe?? i really confused with all of this...

[ddgrim]

I have found that to stop MYSQL injection the following works quite nicely.

 

$Username = $_POST['Username'];
$Username = stripslashes($Username);
$Username = mysql_real_escape_string($Username);

 

 

[laffin]

Yes, thats how you would use to display it (whether in text box or on the page).

But if its actual html content, you want to avoid htmlentities, as that will convert charcters into an equivalent metacharacter;

i.e: & becomes &, < becomes < etc

 

so it really depends on the use of the field that dictates what functions to use.

 

 

[Mchl]

You need to use stripslashes when and only when gpc_magic_quotes is on. Other than that run mysql_real_escape_string when inserting into database, and no further processing is required when retrieving data (apart from htmlentities that is).

 

if(get_magic_quotes_gpc()) {
  $variable =  stripslashes($_POST['variable']);
}
$variable = mysql_real_escape_string($variable);
$sql = "... $variable ...";