Jaguar, posted February 14, 2007

I'm confused on when I should add slashes to POST and GET data. I guess I don't completely understand how PHP works. Do I have to add slashes right away, or do I only need to add slashes if I'm inserting into a database? Assuming magic quotes are off, is this ok?

```php
if( isset($_POST['submit']) && $_POST['submit'] == "submit" ) {
    $name = $_POST['name'];
    $pass = $_POST['pass'];
    // mysql_real_escape_string() needs an open mysql_connect() link and
    // escapes the quotes so the value fits inside a quoted SQL literal.
    $pass = mysql_real_escape_string( $pass );
    $name = mysql_real_escape_string( $name );
    $result = mysql_query( "SELECT Name, Pass FROM Users WHERE Name = '$name' AND Pass = '$pass' LIMIT 1" );
}
```

Also, what if I was just printing or using POST/GET data in PHP, not using a database? Is there any danger?

```php
// user input echoed back to the page without any escaping
echo $_POST['name'];
$name = $_POST['name'];
$pass = $_POST['pass'];
$namepass = $name . ':' . $pass;
echo $namepass;
```
Jessica, posted February 14, 2007

You add slashes when you are querying a database. If you are printing any user input out to the screen, you need to sanitize for possible JS/HTML/PHP.
Jaguar (author), posted February 14, 2007

I was worried that they could insert PHP code where I assign the variables.

```php
$name = $_POST['name'];
```

Where a user writes their name as something like

```php
''; mysql_query( "DROP TABLE *" );
```

ending the assignment and starting their own code. So I'd have to add slashes right away?

```php
$name = addslashes($_POST['name']);
```

What if I'm not printing any user input? Would I still need to check for PHP? Say...

```php
if( $_POST['message'] != "" ) echo "Thanks for posting";
```
Jessica, posted February 14, 2007

No, you wouldn't need to.
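The following is an added example, not code from the original thread or its posters. It ties together the two exchanges above: a string assigned from $_POST is inert data that PHP never executes as code (the concern in the second question), and escaping belongs at the sink and must match the sink's context, SQL for the query and HTML for the output (the point of the first answer). The original post's mysql_* functions were removed in PHP 7.0, so this uses PDO with an in-memory SQLite database, which assumes the pdo_sqlite extension is available. The table and column names (Users, Name, Pass) are taken from the thread; the sample user row and the two attacker payloads are constructed here, and password_hash()/password_verify() are used instead of matching a plaintext password in the WHERE clause.

```php
<?php
// Added example, not from the original thread. Assumes the pdo_sqlite
// extension so the script runs offline with an in-memory database.
declare(strict_types=1);

// 1. Input held in a PHP variable is inert data. PHP only treats a string as
//    source code if it is passed to eval()/include, which nothing here does,
//    so a payload assigned from $_POST stays a string of N bytes.
function isInertString(string $input): bool
{
    $name = $input;                 // equivalent to $name = $_POST['name'];
    return is_string($name) && strlen($name) === strlen($input);
}

// 2. The SQL sink. Interpolating raw input into the query text is the point
//    where the payload stops being data: its quote closes the SQL literal.
function buildQueryUnsafe(string $name, string $pass): string
{
    return "SELECT Name, Pass FROM Users WHERE Name = '$name' AND Pass = '$pass' LIMIT 1";
}

// Prepared statement: SQL text and parameter values travel separately, so the
// value cannot alter the query and no addslashes()/escaping is needed.
function fetchUser(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT Name, Pass FROM Users WHERE Name = ? LIMIT 1');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Login: look the user up by name, then check the password against the
// stored hash in PHP rather than comparing plaintext inside the SQL.
function login(PDO $db, string $name, string $pass): bool
{
    $row = fetchUser($db, $name);
    return $row !== null && password_verify($pass, $row['Pass']);
}

// 3. The HTML sink. Escape for the HTML context at output time, not "right
//    away" at assignment, because the same value may later go to a different sink.
function renderGreeting(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Users (Name TEXT PRIMARY KEY, Pass TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO Users (Name, Pass) VALUES (?, ?)');
    // constructed sample row; the hash is generated at run time
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

$db      = makeDb();
$payload = "''; mysql_query( \"DROP TABLE *\" );";  // the "name" from the thread
$bypass  = "' OR '1'='1";                           // constructed login-bypass attempt

var_dump(isInertString($payload));                 // the payload is still just a string
echo buildQueryUnsafe($bypass, $bypass), "\n";      // the quote escapes the literal in the SQL text
var_dump(login($db, 'alice', 'correct horse'));     // legitimate credentials
var_dump(login($db, $bypass, $bypass));             // parameters cannot change the query
var_dump(login($db, 'alice', 'wrong'));             // wrong password
echo renderGreeting('<script>alert(1)</script>'), "\n"; // markup is neutralised for the browser
```

Running it shows the unsafe query string with the WHERE clause broken open by the injected quote, while the prepared-statement login rejects the same payload and only succeeds for the real credentials. The emptiness check from the last question (`$_POST['message'] != ""`) is a comparison, not a sink, so it needs no escaping at all; the danger is decided by where the value ends up, not by where it is assigned.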