dalva

Clarify use of addslashes, stripslashes & mysql_real_escape_string

I am a newbie to PHP with MySQL. In the process of creating a website I
am learning about using addslashes, stripslashes, strip_tags and
mysql_real_escape_string to keep the user input data clean.

I have researched this site and the Internet to understand better when to use these functions.

This is my summary and I would like to know if I understand it correctly.

Assuming magic_quotes_gpc is turned off.

1) Any user input I accept which will be used in a query, should be run through strip_tags then mysql_real_escape_string.

2) Any string data which will be written to a table should be run through addslashes in case it has quotes, backslashes or nulls.

3) Any string data read from a table should be run through stripslashes in case addslashes previously added slashes.

Do I understand it correctly?

Additional comments and suggestions appreciated.

PHP

SOLUTION
Ray Paseur

Vel Eous

I'm sure you've already been through the pages, however:

http://uk2.php.net/mysql_real_escape_string
http://uk2.php.net/addslashes

mysql_real_escape_string is probably the more preferred method of escaping characters as it takes into consideration the character set in use.
ASKER CERTIFIED SOLUTION
ifp_support

dalva

ASKER

Just to clarify, all my references to tables are meant to refer to MySQL tables, not HTML tables, i.e. writing or reading data from a MySQL database table.

Sounds like I do not need to use addslashes if I use mysql_real_escape_strings.  Correct?
Ray Paseur

Roger that!
Vel Eous

>>  Sounds like I do not need to use addslashes if I use mysql_real_escape_strings.  Correct?

Yes.
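The three numbered points from the question, and the conclusion just reached (no addslashes once mysql_real_escape_string is used), worked through in code. This is an added example, not code from any poster in this thread. It assumes a `users(name)` table and a PDO connection `$db` that is never opened here, so the script runs without a database; because mysql_real_escape_string() needs a live connection, the hypothetical `escapeLikeMysql()` models the characters it escapes (NUL, newline, carriage return, backslash, both quotes, Ctrl-Z) for a single-byte or UTF-8 connection charset, and `mysqlUnescape()` models what the server stores after parsing the literal. The real function is also aware of multibyte connection charsets, which this model is not.

```php
<?php
// Added example; not code from any poster in this thread.
// Assumption: escapeLikeMysql()/mysqlUnescape() stand in for
// mysql_real_escape_string() and the server's literal parsing, for a
// single-byte or UTF-8 connection charset only.

function escapeLikeMysql(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// The inverse: what MySQL stores after parsing a quoted literal.
function mysqlUnescape(string $literal): string
{
    return strtr($literal, [
        '\\0'  => "\0",
        '\\n'  => "\n",
        '\\r'  => "\r",
        '\\\\' => "\\",
        "\\'"  => "'",
        '\\"'  => '"',
        '\\Z'  => "\x1a",
    ]);
}

// Constructed user input containing a quote and a backslash.
$input = "O'Reilly C:\\temp";

// Point 1: escape once, when building the query. The server un-escapes the
// literal, so the stored value is byte-for-byte the original input.
$once   = escapeLikeMysql($input);
$stored = mysqlUnescape($once);

// Point 2 is redundant: addslashes() before escaping doubles every backslash,
// and the server then stores the addslashes() output, not the original.
$twice       = escapeLikeMysql(addslashes($input));
$storedTwice = mysqlUnescape($twice);

// Point 3: stripslashes() only repairs data that was double-escaped on the
// way in. Applied to correctly stored data it removes legitimate backslashes.
$damaged = stripslashes($stored);

var_dump($stored === $input);
var_dump($storedTwice === addslashes($input));
var_dump($damaged === 'O\'Reilly C:temp');

// Hardened form: a prepared statement. The driver sends the value separately
// from the SQL text, so neither escaping nor addslashes()/stripslashes() is
// needed, and the stored value is exactly $name.
function insertUser(PDO $db, string $name): void
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// strip_tags() addresses HTML, not SQL. Escaping at display time keeps the
// stored data intact instead of discarding characters on the way in.
function renderName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}
```

Run it with the PHP CLI; the three var_dump() calls compare the modelled stored values against the original input, its addslashes() form, and the stripslashes()-damaged form, which is the whole of the asker's three points in one place. The two functions at the end show the same input handled without any slash manipulation at all.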
dalva

ASKER

Getting ready to wrap this question up later today but thought I would add more meat to the soup with this link I just came across.  Most of it is above my head but appears to make some good points.

http://cognifty.com/index.php/blog.entry/id=6/addslashes_dont_call_it_a_comeback.html
SOLUTION
Ray Paseur

dalva

ASKER

I have split the points between the two main contributors which gave me a better understanding of the subject.