OldWest Posted November 5, 2010
https://forums.phpfreaks.com/topic/217811-addslashes-function-cannot-implement-in-my-mysql-insert-why/

I am simply trying to use stripslashes for my mysqli insert statement, and errors are driving me nuts. I've tried several variations and patterns with apostrophes and quotes to no avail. Should I even be using stripslashes to clean my data? Or is there a better function?

Notice: Use of undefined constant title - assumed 'title' in C:\wamp\www\php\simple_classifieds\add_posting.php on line 57

$query = "INSERT INTO Postings (id, city_id, title, description) VALUES ('','$_POST[city]','" . stripslashes($_POST[title]) . "','$_POST[description]')" or mysqli_error();
OldWest Posted November 5, 2010 (Author)
Oh damn! I meant addslashes!! And I have it working now.
OldWest Posted November 5, 2010 (Author)
For reference, here is the working code:

// Note: the trailing "or mysqli_error()" in the original did nothing (it was applied to the
// string assignment, not to a query call) and has been dropped here.
$query = "INSERT INTO Postings (id, city_id, title, description) VALUES ('','$_POST[city]', '" . addslashes($_POST['title']) . "' ,'" . addslashes($_POST['description']) . "')";
PFMaBiSmAd Posted November 5, 2010
Please don't use addslashes() to escape data being put into a query. It is possible to use character-encoded data that will allow quotes to be injected into a query that will pass right through addslashes(). This is why magic_quotes_gpc (which simply uses addslashes() internally) is being removed from PHP and why the mysql(i)_real_escape_string() function exists (it takes into account character encoding when escaping data.)

See this link for a demonstration of how addslashes() can be bypassed: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

Edit: And in fact there is a link in that information to an article that demonstrates under what conditions mysql_real_escape_string() can be bypassed. This mysql_real_escape_string bypass was apparently corrected in PHP 5.2.3: since PHP 5.2.3, it is possible to use mysql_set_charset(), which is respected by mysql_real_escape_string().
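The reply above recommends mysqli_real_escape_string() (with the connection charset set) over addslashes(). The following is an added example, not code from this thread or from any of its posters, showing the original poster's INSERT written two safer ways: as a mysqli prepared statement, which keeps user data out of the SQL text entirely, and with real_escape_string() after set_charset(), which is the minimum for the escaping approach to be reliable. It assumes PHP 7 or later, a table Postings(id, city_id, title, description) whose id column is AUTO_INCREMENT, and placeholder connection details.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+, a mysqli connection,
// and a table Postings(id AUTO_INCREMENT, city_id, title, description).

// Option A (preferred): prepared statement. The values are sent separately
// from the SQL text, so quoting, addslashes() and client-charset issues
// never come into play.
function insertPostingPrepared(mysqli $db, int $cityId, string $title, string $description): int
{
    $stmt = $db->prepare(
        'INSERT INTO Postings (city_id, title, description) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('iss', $cityId, $title, $description);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Option B: escaping. Only reliable once mysqli::set_charset() has been
// called on the connection, because real_escape_string() escapes according
// to the connection's charset (the point made in the reply above).
function insertPostingEscaped(mysqli $db, int $cityId, string $title, string $description): int
{
    $t = $db->real_escape_string($title);
    $d = $db->real_escape_string($description);
    // $cityId is an int, so interpolating it is safe; strings are escaped and quoted.
    $sql = "INSERT INTO Postings (city_id, title, description) VALUES ($cityId, '$t', '$d')";
    if (!$db->query($sql)) {
        throw new RuntimeException('query failed: ' . $db->error);
    }
    return (int) $db->insert_id;
}

// Usage: connection details below are placeholders.
$db = new mysqli('localhost', 'db_user', 'db_password', 'classifieds');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}
// Set the charset before any escaping happens, never with a raw SET NAMES query.
$db->set_charset('utf8mb4');

// Validate the integer field; the string fields need no pre-escaping here.
$cityId = filter_input(INPUT_POST, 'city', FILTER_VALIDATE_INT);
if ($cityId === false || $cityId === null) {
    die('invalid city id');
}
$title = $_POST['title'] ?? '';
$description = $_POST['description'] ?? '';

$newId = insertPostingPrepared($db, $cityId, $title, $description);
echo "Inserted posting {$newId}\n";
```

Note that neither version calls addslashes() or stripslashes(): with prepared statements the apostrophes that broke the original form submission are stored exactly as typed, and with the escaping version real_escape_string() handles them for the charset actually in use on the connection.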
OldWest Posted November 5, 2010 (Author)
PFMaBiSmAd, thanks for the critique. I think I read about that deprecation somewhere on that addslashes(). The interesting thing is my form could not submit if I had any apostrophes, quotes, etc. in my fields, and by adding addslashes(), my submission would pass without errors. But I guess that's even more dangerous off the top!