I'm just trying values for my DB, and I have noticed that addslashes does not work.

I just entered the text "Is your name O'reilly?" as in the PHP manual,

and the data in the db is:

"Is your name O'reilly?" without any slashes.

And my query is as follows:

// escape the note, then insert it
$pnote = addslashes(nl2br($pnote));
mysql_query("INSERT INTO notes (note, rid, addeddate)
             VALUES ('$pnote', '$rid', '$mytime')") || die(mysql_error());

It also does not give me any error. What can cause this?

 

 

https://forums.phpfreaks.com/topic/223492-addslashes-does-not-work/

The \ escape characters themselves are NOT inserted into the database.

 

You should also be using mysql_real_escape_string() instead of addslashes() and you should be using nl2br() when you display the data, not when you insert it into your database.

If you are escaping the data correctly, only once, when inserting it, the \ characters are not in the actual data and you should not need to do anything when retrieving the data.

 

If you do have the \ characters in the actual data and you only escaped the data once yourself in your code or you get some \ characters added when you retrieve the data, see this link - http://www.php.net/manual/en/security.magicquotes.php

So I do not need to use stripslashes when printing the data either?

Does it cause any problems?

 

If you are on a server where magic_quotes is turned on, the slashes are automatically added to user input. In those instances you should turn off magic_quotes if you have access to do so. If you don't have access to turn off magic_quotes, then you should use strip_slashes() on user input THEN run mysql_real_escape_string() before you insert into the database.

The rule I always try to follow is to store data in its native/raw format. Then modify the data based on how I need it. For example, by using nl2br() when you output to the screen you maintain the original line breaks. That way you can still use the native content stored in the database to populate a textarea for editing purposes.
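A concrete version of the store-raw rule from the two replies above, added here as an example (not code from the thread): it undoes magic_quotes if the server added slashes, then escapes exactly once while building the INSERT. It assumes an open mysqli connection in $link and the same notes table; mysqli is used in place of the mysql_* functions the thread names because the mysql extension was removed in PHP 7.

```php
<?php
// Added example, not code from the thread. Assumes an open mysqli connection
// in $link. get_magic_quotes_gpc() exists up to PHP 7.3 and always returns
// false from PHP 5.4 on, so the stripslashes branch only fires on old servers.

// Return the value exactly as the user typed it, undoing the slashes that
// magic_quotes_gpc adds to $_POST/$_GET/$_COOKIE on servers where it is on.
function raw_input($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Escape exactly once, while building the SQL text. The backslashes exist
// only in the query string; what MySQL stores is the raw value (O'reilly,
// no slash, no <br>), so nothing has to be stripped when reading it back.
function insert_note(mysqli $link, $note, $rid, $mytime) {
    $sql = sprintf(
        "INSERT INTO notes (note, rid, addeddate) VALUES ('%s', '%s', '%s')",
        mysqli_real_escape_string($link, raw_input($note)),
        mysqli_real_escape_string($link, raw_input($rid)),
        mysqli_real_escape_string($link, $mytime)
    );
    if (!mysqli_query($link, $sql)) {
        throw new RuntimeException(mysqli_error($link));
    }
    return mysqli_insert_id($link);
}

// Usage with hypothetical form fields: no addslashes, nl2br or strip_tags here.
// $link = mysqli_connect('localhost', 'user', 'pass', 'dbname');
// insert_note($link, $_POST['pnote'], $_POST['rid'], date('Y-m-d H:i:s'));
```

A prepared statement with bound parameters (mysqli_prepare / bind_param) removes the need to escape at all and is the safer choice where the driver supports it.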

I see now,

So I'm gonna turn off the magic_quotes

and store the data like:

mysql_real_escape_string(strip_tags(nl2br($text), "<br>"))*

*not using addslashes then, order is correct I guess?

and while retrieving:

echo stripslashes($text); // just stripslashes is enough?

Hoping that I'm not missing anything for security purposes?

I see now,

So I'm gonna turn off the magic_quotes

and store the data like:

mysql_real_escape_string(strip_tags(nl2br($text), "<br>"))*

*not using addslashes then, order is correct I guess?

and while retrieving:

echo $text; // no need to do anything.

Hoping that I'm not missing anything for security purposes?

 

Not quite. If you turn off magic_quotes there is no need to strip_tags on user input, and you don't want to add BR tags to the data you are storing. You add the BR tags when displaying the information.

 

Storing the data:

$dbSafeInput = mysql_real_escape_string($_POST['userInput']);

 

Displaying the input (if it may contain line breaks):

echo nl2br($inputFromDB);

 

But, if you were displaying that same data in a textarea to be edited then you wouldn't use nl2br

<textarea><?php echo $inputFromDB; ?></textarea>

 

Not quite. If you turn off magic_quotes there is no need to strip_tags on user input, and you don't want to add BR tags to the data you are storing. You add the BR tags when displaying the information.

If I don't use strip_tags, how can I prevent users from sending textareas or other HTML code in postings, since I just want to allow br tags and nothing else?

 

Sorry, I mistook that for strip_slashes, but my reply still holds true. Unless there is a business need to remove those tags - let the user submit them and store the data in the database exactly as the user submitted it (escaping for SQL Injection of course). Then modify the data when you display it.

 

In this instance I wouldn't use strip_tags(); instead I would use htmlentities() when I display the text to convert any HTML code so it is displayed on the page and not interpreted. That way if a user inputs "<b>my name</b>", the output - as displayed on screen - would be "<b>my name</b>", not "my name".

 

There may be a reason why someone would enter html code as a value and using strip_tags would remove that data.
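The display side of the same rule, covering both the nl2br()/textarea advice and the htmlentities() advice in the replies above, as an added example rather than the thread's own code. $inputFromDB stands for the untouched value read back from the notes table; htmlspecialchars() is used here in place of htmlentities(), since it encodes the characters that matter for this case (<, >, &, quotes).

```php
<?php
// Added example, not code from the thread. $inputFromDB is the raw value as
// stored (no backslashes, no <br> tags, real newlines) read back from notes.

// Normal display: encode first, so user-supplied markup such as <b> is shown
// as text, then turn the stored newlines into <br />. Running nl2br() first
// would get its own <br /> tags encoded into &lt;br /&gt; and shown literally.
function display_note($inputFromDB) {
    return nl2br(htmlspecialchars($inputFromDB, ENT_QUOTES, 'UTF-8'));
}

// Re-editing in a form: keep the newlines as they are (the textarea renders
// them itself, so no nl2br) and encode only so a stored "</textarea>" cannot
// close the element and put the rest of the value into the page as markup.
function textarea_note($inputFromDB) {
    return '<textarea name="note">'
        . htmlspecialchars($inputFromDB, ENT_QUOTES, 'UTF-8')
        . '</textarea>';
}

// Constructed sample row, stored exactly as the user submitted it.
$inputFromDB = "Is your name O'reilly?\n<b>my name</b>\n</textarea>";

echo display_note($inputFromDB), "\n\n";
echo textarea_note($inputFromDB), "\n";
```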
