OldWest Posted November 5, 2010

I am simply trying to use stripslashes for my mysqli insert statement, and errors are driving me nuts. I've tried several variations and patterns with apostrophes and quotes to no avail. Should I even be using stripslashes to clean my data? Or is there a better function?

Notice: Use of undefined constant title - assumed 'title' in C:\wamp\www\php\simple_classifieds\add_posting.php on line 57

$query = "INSERT INTO Postings (id, city_id, title, description) VALUES ('','$_POST[city]','" . stripslashes($_POST[title]) . "','$_POST[description]')" or mysqli_error();

Link to comment: https://forums.phpfreaks.com/topic/217811-addslashes-function-cannot-implement-in-my-mysql-insert-why/
OldWest (Author) Posted November 5, 2010

Oh damn! I meant addslashes! And I have it working now.
OldWest (Author) Posted November 5, 2010

For reference, here is the working code:

$query = "INSERT INTO Postings (id, city_id, title, description) VALUES ('','$_POST[city]','" . addslashes($_POST['title']) . "','" . addslashes($_POST['description']) . "')" or mysqli_error();
PFMaBiSmAd Posted November 5, 2010

Please don't use addslashes() to escape data being put into a query. It is possible to use character-encoded data that will allow quotes to be injected into a query that will pass right through addslashes(). This is why magic_quotes_gpc (which simply uses addslashes() internally) is being removed from PHP and why the mysql(i)_real_escape_string() function exists (it takes into account character encoding when escaping data). See this link for a demonstration of how addslashes() can be bypassed: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

Edit: And in fact there is a link in that information to an article that demonstrates under what conditions mysql_real_escape_string() can be bypassed. This mysql_real_escape_string() bypass was apparently corrected in PHP 5.2.3: since PHP 5.2.3, it is possible to use mysql_set_charset(), which is respected by mysql_real_escape_string().
OldWest (Author) Posted November 5, 2010

PFMaBiSmAd, thanks for the critique. I think I read about that deprecation somewhere on that addslashes() page. The interesting thing is my form could not submit if I had any apostrophes, quotes, etc. in my fields, and by adding addslashes() my submission would pass without errors. But I guess that's even more dangerous off the top!
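The following is an added example illustrating PFMaBiSmAd's post; it is not code from the thread or from the original poster. Part 1 reproduces, without a database, the encoding bypass the linked article describes: when the connection charset is GBK, the attacker byte 0xBF followed by a single quote becomes 0xBF 0x5C 0x27 after addslashes(), and the server reads 0xBF5C as one valid two-byte GBK character, leaving the quote bare so it terminates the string literal. Part 2 is the fix the thread points toward, done with mysqli prepared statements, where the values are sent separately from the SQL text and no escaping happens at all. Assumptions not in the thread: ext/mbstring is available for the offline GBK decode, the `Postings` table has an auto-increment `id` (so it is omitted from the column list), and connection details come from the `DB_HOST`, `DB_USER`, `DB_PASS` and `DB_NAME` environment variables.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Make mysqli throw on errors instead of
// returning false (PHP 8.1+ does this by default; older versions need it).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Constructed attacker input for the "title" field: a GBK lead byte and a
// quote. In GBK, 0xBF 0x27 is an invalid pair, but 0xBF 0x5C (what
// addslashes() produces) is the valid two-byte character U+7E17.
const ATTACK_TITLE = "\xbf\x27 OR 1=1 -- ";

/**
 * Decode $bytes the way a server with a gbk connection charset would and
 * report whether a single quote that is NOT preceded by a backslash remains.
 * Requires ext/mbstring (assumption).
 */
function quoteSurvivesGbk(string $bytes): bool
{
    $decoded = mb_convert_encoding($bytes, 'UTF-8', 'GBK');
    return (bool) preg_match("/(?<!\\\\)'/", $decoded);
}

/**
 * Build the INSERT the way the thread does (interpolation after addslashes()).
 * Returned as a string only so its bytes can be inspected: this is the
 * vulnerable pattern and must not be executed.
 */
function buildInsertWithAddslashes(int $cityId, string $title, string $description): string
{
    return "INSERT INTO Postings (city_id, title, description) VALUES ("
        . $cityId . ", '" . addslashes($title) . "', '" . addslashes($description) . "')";
}

/**
 * The safe version: a prepared statement with bound parameters. The driver
 * transmits the SQL and the values separately, so there is no quoting step
 * for the charset trick to act on. Returns the new row's id.
 */
function insertPosting(mysqli $db, int $cityId, string $title, string $description): int
{
    $stmt = $db->prepare(
        'INSERT INTO Postings (city_id, title, description) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('iss', $cityId, $title, $description);
    $stmt->execute();
    return (int) $db->insert_id;
}

// Part 1: demonstrate the bypass offline.
$escaped = addslashes(ATTACK_TITLE);
printf("addslashes() output (hex): %s\n", bin2hex($escaped));
printf("bare quote survives GBK decode: %s\n", quoteSurvivesGbk($escaped) ? 'yes' : 'no');
printf(
    "query as a gbk connection reads it: %s\n",
    mb_convert_encoding(buildInsertWithAddslashes(1, ATTACK_TITLE, 'x'), 'UTF-8', 'GBK')
);

// Part 2: run the prepared statement only when connection details are
// supplied through environment variables (assumed names, not from the thread).
if (getenv('DB_HOST') !== false) {
    $db = new mysqli(getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASS'), getenv('DB_NAME'));
    // Set the charset on the connection object, not via "SET NAMES", so the
    // client library knows the encoding it is working with.
    $db->set_charset('utf8mb4');
    printf("inserted row id %d\n", insertPosting($db, 1, ATTACK_TITLE, 'harmless'));
}
```

If escaping cannot be avoided (for example, an identifier or a dynamic `LIMIT` that cannot be bound), call `$db->set_charset()` on the connection first and then `$db->real_escape_string()`; that is the mysqli counterpart of the mysql_set_charset() / mysql_real_escape_string() pairing mentioned in the post. For column values, prepared statements remove the question entirely.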