What is stripslashes for? [duplicate]

Possible Duplicate:
Using stripslashes after mysql_real_escape_string

I have been reading most recently about prevention of SQL injection and I am trying to develop some sense of understanding between the different functions so that I can learn the basics.

I have read about mysql_real_escape_string and I understand that it is basically escaping characters which it deems "special" so that they are not mistaken for SQL syntax?

Now, assuming that is at least to some degree true - is there a need to use the stripslashes function combined with mysql_real_escape_string? I'm wondering what stripslashes is and what it is for.

asked Dec 13 '12 by user1868565




2 Answers

If you use stripslashes on input right after using mysql_real_escape_string, you will effectively undo it. There are probably other reasons to use stripslashes, but in my case I have only ever needed it to undo the horror that is magic quotes. It's actually the opposite of addslashes.

addslashes does not necessarily escape input the same as mysql_real_escape_string does, and they cannot be used for the same purpose.

Even better than mysql_*, you should read up on using prepared statements like in PDO. Then you don't even have to worry about mysql_* or stripslashes (except for magic quotes).

answered Sep 19 '22 by Explosion Pills


The function stripslashes() will unescape characters that are escaped with a backslash, \. It is commonly used on strings that are escaped via addslashes(), or if your PHP configuration has magic_quotes enabled.

When using SQL-escaping functions such as mysql_real_escape_string(), there is no need to use stripslashes() because the MySQL adapter will only escape the values on insertion into the database - the slashes will not remain in the actual values. If you were to use stripslashes() on a variable that you already escaped with mysql_real_escape_string(), it will remove the slashes as if it were escaped using addslashes() - fairly pointless though.

If your goal is to prevent SQL injection, I would highly recommend looking into MySQLi or PDO as opposed to the older mysql_ methods. Both MySQLi and PDO offer prepared statements which, if used properly, will prevent SQL injection without the need to remember calling special escaping functions or worrying if your data will be modified by them.

answered Sep 18 '22 by newfurniturey
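An added example (not from either answer or from PHP's documentation) showing the three points above in running code: stripslashes() is the exact inverse of addslashes(), so calling it after escaping undoes the escaping; the one legitimate reason to call it was undoing a magic_quotes layer; and a PDO prepared statement removes the need for either. It assumes the pdo_sqlite extension so it can run offline against an in-memory SQLite database instead of MySQL (mysql_real_escape_string() needs a live MySQL connection and was removed in PHP 7).

```php
<?php
// Added example, not code from the original question or answers.
// Small check helper so the script fails loudly even where zend.assertions is off.
function check(bool $cond, string $msg): void {
    if (!$cond) { throw new RuntimeException("FAILED: $msg"); }
}

// Constructed sample input containing every character addslashes() escapes.
$raw = "O'Reilly \"quoted\" back\\slash";

// addslashes() prefixes ' " \ with a backslash; stripslashes() removes them again.
$escaped = addslashes($raw);
check($escaped === "O\\'Reilly \\\"quoted\\\" back\\\\slash", 'addslashes output');
check(stripslashes($escaped) === $raw, 'stripslashes is the inverse of addslashes');

// What magic_quotes_gpc did: every GET/POST/COOKIE value arrived already
// addslashes()'d. Escaping it a second time doubles the backslashes, so the
// stored value would be O\'Reilly instead of O'Reilly.
$asReceivedUnderMagicQuotes = addslashes($raw);          // simulated magic quotes
$doubleEscaped = addslashes($asReceivedUnderMagicQuotes);
check(strpos($doubleEscaped, "\\\\'") !== false, 'double escaping leaves \\\\\' in the data');

// Correct order (old code): strip the magic-quotes layer FIRST, then escape once.
check(stripslashes($asReceivedUnderMagicQuotes) === $raw, 'stripslashes undoes magic quotes');
// Wrong order: stripslashes() AFTER escaping throws the escaping away entirely.
check(stripslashes(addslashes($raw)) === $raw, 'escaping followed by stripslashes is a no-op');

// The fix both answers recommend: a prepared statement. The value travels
// separately from the SQL text, so no escaping and no stripslashes() is needed.
$pdo = new PDO('sqlite::memory:');                        // assumption: pdo_sqlite available
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE authors (name TEXT)');

$stmt = $pdo->prepare('INSERT INTO authors (name) VALUES (:name)');
$stmt->execute([':name' => $raw]);
$stored = $pdo->query('SELECT name FROM authors')->fetchColumn();
check($stored === $raw, 'stored exactly as typed, no extra slashes');

// Input that would break a string-concatenated query is stored as plain text.
$hostile = "x'); DROP TABLE authors; --";
$stmt->execute([':name' => $hostile]);
$count = (int) $pdo->query('SELECT COUNT(*) FROM authors')->fetchColumn();
check($count === 2, 'table still exists and now holds two rows');

echo "all checks passed\n";
```

Run it with `php example.php`; every check() call throws if a claim in the comments does not hold.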