Stripslashes & Magic Quotes

Quick question about these two terms. I have magic quotes on my server, so when I INSERT data into the database via a PHP form on the web, is it best to:

  • Add data to my db via a form without running stripslashes on each data field I enter
    Or

  • Add my data to my database with stripslashes and then run the stripslashes function when I want my data to be output on my website?
  • Just wondered which was perceived the best way?

Thanks

    PHP

4 Comments

@sanchez_1960 May 31, 2007 — I always use addslashes and stripslashes no matter what.
@MrCoder May 31, 2007 — Look up mysql_real_escape_string()
@chrisb (author) May 31, 2007 — Thanks, but is it best to use this when INSERTING or SELECTING? As the example gives both...
@NogDog May 31, 2007 — Since magic_quotes_gpc is essentially deprecated now and likely won't even be available in PHP 6, I always code so that I do not depend on it. As mysql_real_escape_string() is better suited than addslashes() for sanitizing data for use in MySQL queries, it should be used when inserting data into the database (assuming MySQL is the DBMS being used).

    In either case, there should not be a need to use stripslashes() when retrieving data, unless you have been (mistakenly) adding slashes on top of "magic quotes" slashes when you did the insert/update to the database.

    When inserting user-supplied values into a query, you can do something like the following for portability between systems regardless of the magic quotes setting:
[code=php]
function sanitize($value)
{
    if (get_magic_quotes_gpc()) { // undo the magic_quotes_gpc escaping first
        $value = stripslashes($value);
    }
    if (!is_numeric($value)) { // quote the value and escape special SQL characters
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

$sql = sprintf(
    "SELECT * FROM table_name WHERE col_1 = %s AND col_2 = %s",
    sanitize($_POST['field1']),
    sanitize($_POST['field2'])
);
mysql_query($sql) or die("SQL error ($sql): " . mysql_error());
[/code]
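As an added example (not code from the thread above), the same idea written against the mysqli extension, since the mysql_* functions were removed in PHP 7: undo magic quotes exactly once for the whole request (including nested form-field arrays, which stripslashes() on its own mishandles), then quote and escape each value per query. The connection credentials, the `customers` table and the `name` field are placeholders.

```php
<?php
// Added example, not from the original thread. Assumes a mysqli connection
// to a MySQL server; credentials, table and column names are placeholders.

// Recursively undo magic_quotes_gpc escaping. stripslashes() applied to an
// array returns the string "Array", so nested fields (name="f[]") need this.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Run once at the top of the request, never again for the same data:
// a second pass would strip backslashes the user actually typed.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// Quote and escape one value for use inside a MySQL query string.
// Always quoting avoids is_numeric() corner cases such as " 1" or "1e3".
function sql_literal(mysqli $db, $value)
{
    if ($value === null) {
        return 'NULL';
    }
    return "'" . $db->real_escape_string((string) $value) . "'";
}

$db = new mysqli('localhost', 'user', 'pass', 'dbname'); // placeholder credentials
$db->set_charset('utf8mb4'); // escaping is charset-aware; set it before escaping

// With magic quotes on and no undo step, "O'Reilly" arrives as "O\'Reilly"
// and would be stored with a literal backslash after being escaped again.
$name = isset($_POST['name']) ? $_POST['name'] : '';
$sql  = sprintf(
    "INSERT INTO customers (name) VALUES (%s)",
    sql_literal($db, $name)
);
if (!$db->query($sql)) {
    die('SQL error: ' . $db->error); // log rather than echo this in production
}
// Rows come back unescaped on SELECT, so no stripslashes() is needed on output.
```

Prepared statements (mysqli or PDO) remove the need to escape values by hand, but the one-time magic-quotes undo is still required so that no stray backslashes reach the database in the first place.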