DanDaBeginner, posted April 21, 2007

Is this true? I got this from another thread; since I don't want to interrupt their discussion I decided to post it as a separate thread.

FROM: frost

"A very, very common mistake. The rule of thumb is you should NEVER stripslashes on data coming out of a DB. That is why you do not want to double up on the slashes. What happens is that when the data is sent to the DB the original escaped slashes are removed, so the data in the DB should not have any escape characters when viewed, which in turn means you should never have to stripslashes on data coming out of the database."

I thought I was wrong with my code because no slashes were being saved with the data that I escape using mysql_real_escape_string.... Thanks frost!
fert, posted April 21, 2007

I'm not sure exactly what you're asking, but mysql_real_escape_string does pretty much the same thing as addslashes.
DanDaBeginner, posted April 21, 2007

This statement:

"What happens is that when the data is sent to the DB the original escaped slashes are removed, so the data in the DB should not have any escape characters when viewed, which in turn means you should never have to stripslashes on data coming out of the database."

Is this true?
fert, posted April 21, 2007

No, I always have to remove escape characters.
Barand, posted April 21, 2007

If you have magic quotes ON (the default setting on installation) then a slash is added for you before any quotes in the data, so if the input field contained "O'Shea", $_POST['input'] contains "O\'Shea".

If you insert into the db, the query looks like

"INSERT INTO names (id, name) VALUES ('2', 'O\'Shea')"

and the data written (correctly) will look like

[pre]
 id | name           |
----+----------------+
  1 | Barand         |
  2 | O'Shea         |
[/pre]

If, while magic quotes is ON, you use addslashes(), $_POST['input'] now contains "O\\'Shea" and the data written (incorrectly) will look like

[pre]
 id | name           |
----+----------------+
  1 | Barand         |
  2 | O\'Shea        |
[/pre]

In which case you will need to strip them out, but you shouldn't have put them there in the first place.
DanDaBeginner, posted April 21, 2007

Thanks guys. Barand, I'm aware of that. What I want to know is: if I use mysql_real_escape_string when saving to the database, will the database automatically remove the escape slashes before inserting it? It seems that's correct according to your post... so no need for me to remove the slashes.... Right?
Barand, posted April 21, 2007

Basically it's just a case of checking whether magic quotes has added them for you, so you don't add them again with either addslashes() or mysql_real_escape_string(). So long as it's only done once, they aren't stored and thus they don't have to be removed.
Barand, posted April 21, 2007

Here's an example:

[pre]
<?php
include 'db2.php';

/**
 * magic quotes are ON
 */
if (isset($_POST['name'])) {
    // name1: value as received, already slashed once by magic quotes
    $name1 = $_POST['name'];
    // name2: slashed a second time by mysql_real_escape_string()
    $name2 = mysql_real_escape_string($_POST['name']);
    $sql = "INSERT INTO names (name1, name2) VALUES ('$name1', '$name2')";
    echo "<pre>$sql</pre>";
    mysql_query($sql) or die (mysql_error()."<p>$sql</p>");
}

/**
 * list the data
 */
$sql = "SELECT * FROM names";
$res = mysql_query($sql) or die (mysql_error()."<p>$sql</p>");
while (list($id, $n1, $n2) = mysql_fetch_row($res)) {
    echo " $id, $n1, $n2 <br/>";
}
?>
<form method='POST'>
<input type="text" name="name" value="O'Shea">
<input type="submit" name="action" value="Save">
</form>
[/pre]

After the first record is submitted, this gives:

[pre]
INSERT INTO names (name1, name2) VALUES ('O\'Shea', 'O\\\'Shea')
1, O'Shea, O\'Shea
[/pre]
DanDaBeginner, posted April 21, 2007

Thanks Barand... I have this function... I thought there was something wrong because the data in the database doesn't have escape slashes, until you guys cleared it up for me. Thanks again.

[pre]
function secure_query($variable)
{
    // undo the slashes magic quotes added, so the value is escaped only once below
    if (get_magic_quotes_gpc()) {
        $new_variable = stripslashes($variable);
    } else {
        $new_variable = $variable;
    }
    $new_variable2 = mysql_real_escape_string($new_variable);
    return $new_variable2;
}
[/pre]
Barand, posted April 21, 2007

I suppose it could be argued that using stripslashes() on db data is a safeguard in case some careless programmer wrote them to the record in the first place :-\
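To make the thread's point concrete (Barand's once-vs-twice tables and DanDaBeginner's secure_query()), here is an added example that is not code from the thread: a small Python model of PHP's addslashes()/stripslashes(), of mysql_real_escape_string(), and of how the MySQL server decodes a single-quoted literal when the statement runs. The decoding function is a simplified model of the server's parser (assumed to cover only the escapes these PHP functions emit), and stored_value() returns what lands in the column for each combination of magic quotes and a second escape.

```python
# Added example: models of PHP escaping and MySQL literal decoding, not the thread's code.
MYSQL_ESCAPES = {"0": "\0", "n": "\n", "r": "\r", "t": "\t", "b": "\b",
                 "Z": "\x1a", "\\": "\\", "'": "'", '"': '"'}
PHP_SPECIAL = {"\0": "\\0", "'": "\\'", '"': '\\"', "\\": "\\\\"}
MYSQL_SPECIAL = {**PHP_SPECIAL, "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}

def addslashes(value: str) -> str:
    """PHP addslashes(): what magic_quotes_gpc applies to every GET/POST value."""
    return "".join(PHP_SPECIAL.get(ch, ch) for ch in value)

def stripslashes(value: str) -> str:
    """PHP stripslashes(): remove one backslash; \\0 turns back into NUL."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            if i + 1 < len(value):
                out.append("\0" if value[i + 1] == "0" else value[i + 1])
            i += 2  # a trailing lone backslash is dropped, as in PHP
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def mysql_escape(value: str) -> str:
    """mysql_real_escape_string(): like addslashes() plus newline, CR and Ctrl-Z."""
    return "".join(MYSQL_SPECIAL.get(ch, ch) for ch in value)

def parse_literal(literal: str) -> str:
    """Value the server stores for a single-quoted literal such as 'O\\'Shea'.
    Each backslash escape becomes one character; the backslash is never stored."""
    body = literal[1:-1]
    out, i = [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(MYSQL_ESCAPES.get(body[i + 1], body[i + 1]))  # unknown escape: slash dropped
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)

def secure_query(value: str, magic_quotes_on: bool) -> str:
    """The thread's secure_query(): undo magic quotes, then escape exactly once."""
    return mysql_escape(stripslashes(value) if magic_quotes_on else value)

def stored_value(raw: str, magic_quotes_on: bool, escape_again: bool) -> str:
    """Column content after INSERT for the combinations Barand walks through."""
    value = addslashes(raw) if magic_quotes_on else raw
    if escape_again:
        value = mysql_escape(value)
    return parse_literal("'" + value + "'")
```

Escaping once (either by magic quotes or by mysql_real_escape_string) stores O'Shea; escaping twice builds the literal 'O\\\'Shea' from Barand's output and stores O\'Shea with the backslash, which is the only case where stripslashes() on the way out would appear to "fix" anything.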