  1. #1 Theiggsta

    Quick Question about addslashes()

    I am using a template system and I have been pondering what the addslashes() function can do for me and if/when I should use it when inserting stuff into the database.

    Any help would be much appreciated

  2. #2 Paul_M

    Hi

    The addslashes function just "adds slashes" in front of special characters and punctuation characters.

    It is used so that the data you store in the database does not ruin your database/table layout.

    You should use it if you are putting user inputted data into the database...

    Also consider using htmlspecialchars() to filter out html code from being inputted.

    Also if you do use addslashes() .... when you retrieve your data from the database you could use stripslashes() to remove those added slashes


    Hope this helped

  3. #3 Theiggsta
    I know what it does, but I just don't know how I should be using it properly.

    Maybe I should stripslashes to clean it up before going in the database and when it's being output, use htmlspecialchars and addslashes. The thing is, I still get puzzled when it's not exactly needed for an echo.
    Last edited by Theiggsta; May 30, 2001 at 07:02.

  4. #4 SitePoint Guru
    Before inserting into the database use AddSlashes:
    $myfield = addslashes($myfield);                                   // escape ' " \ and NUL so the value survives inside the quoted SQL literal
    mysql_query("INSERT INTO mytable (myfield) VALUES ('$myfield')");  // mytable/myfield stand for your own table and column

    then after you retrieve data from your database
    $myfield = stripslashes($myfield);
    $HTMLfriendly = htmlspecialchars($myfield);

  5. #5 SitePoint Zealot
    Are you sure you have to stripslashes when retrieving the data from the database?

    For example, when inserting a quote ' addslashes converts that to \' and inserts into the MySQL database, which interprets both those characters as a single quote. So, I think there is no need to stripslashes...

    Arpith

  6. #6 Theiggsta

    When are the slashes needed?

    What commands use it?

    Note: I also checked into gpc_magic_quotes() but I don't know what this function does at all and the php.net manual isn't very descriptive.
    Last edited by Theiggsta; May 30, 2001 at 18:33.

  7. #7 SitePoint Zealot
    Theiggsta,

    Take a look at this SQL Query:

    SELECT * from article WHERE body LIKE '%$search_term%' ORDER BY article_id

    Where, $search_term is entered by the user through a form. If $search_term is something simple like Banner Management, the SQL Query becomes:

    SELECT * from article WHERE body LIKE '%Banner Management%' ORDER BY article_id

    and everything would work fine.


    But, just in case $search_term is something like Matt's Script Archive the SQL Query would become:

    SELECT * from article WHERE body LIKE '%Matt's Script Archive%' ORDER BY article_id

    Notice 3 single quotes in that query! It would produce an error parsing the query.

    Instead, if you use the builtin PHP function addslashes:

    $SQL = "SELECT * from article WHERE body LIKE '%" . addslashes($search_term) . "%' ORDER BY article_id";

    the single quote (and other special chars in $search_term) gets escaped, and the SQL query becomes:

    $SQL = "SELECT * from article WHERE body LIKE '%Matt\'s Script Archive%' ORDER BY article_id";

    and everything works as expected.

    The \' tells the SQL parser to interpret it as a single quote, to be stored in the database.

    NOTE: PHP can be configured to automatically add these slashes to all FORM (GET/POST) and cookie INPUT from the user (that's what gpc_magic_quotes() is for). So, this would eliminate the need of using addslashes. However, I prefer to explicitly addslashes() and turn off auto slashing.

    The stripslashes is used to remove slashes. This is normally only used if you want to remove slashes from user INPUT that were added automatically by PHP (gpc_magic_quotes() function).

    Regards,

  8. #8 Theiggsta
    Thanks a bunch, I think I have a good grasp of the concept of it now.

  9. #9 Theiggsta
    I have another question...

    is there ANY way to shove text into a database without slashes, but add slashes to the database query that inserts the database??

    I'm curious because vBulletin mysteriously does this...
    Aaron "Theiggsta" Kalin
    Pixel Martini
    Ruby and Rails Developer
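
An added example (mine, not code from the thread, from vBulletin or from PHP's manual) that ties posts #5, #7 and #9 together: the escape that addslashes() puts into the query text is consumed by the SQL parser and never reaches the stored row, which is exactly the "slashes in the query but not in the database" behaviour post #9 asks about. It assumes the pdo_sqlite extension so it runs without a MySQL server; the table article with columns article_id and body is taken from post #7, and the user input is constructed.

```php
<?php
// Added example: not code from the thread. Needs the pdo_sqlite extension (no MySQL server required).

// Constructed user input: the problem string from post #7.
$search_term = "Matt's Script Archive";

// 1. What addslashes() does: a MySQL-style backslash escape placed inside the SQL text.
$escaped = addslashes($search_term);                      // Matt\'s Script Archive
$sql = "SELECT * FROM article WHERE body LIKE '%$escaped%' ORDER BY article_id";
echo $sql, "\n";

// 2. The escape character is consumed by the SQL parser; it is never part of the stored value
//    (posts #5 and #9). Shown here with SQLite, which does not even understand \' :
//    its string escape is a doubled quote ''. That is the weakness of addslashes(): it has no
//    idea which database dialect it is escaping for, so escaping belongs to the driver.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE article (article_id INTEGER PRIMARY KEY, body TEXT)");

// Driver-aware escaping: PDO::quote() yields 'Matt''s Script Archive' for SQLite.
$pdo->exec("INSERT INTO article (body) VALUES (" . $pdo->quote($search_term) . ")");

// Parameter binding: the value never touches the SQL text at all, so nothing needs escaping.
$ins = $pdo->prepare("INSERT INTO article (body) VALUES (:body)");
$ins->execute([':body' => $search_term]);

// Both rows come back exactly as typed: no slashes, no doubled quotes, nothing to stripslashes().
$sel = $pdo->prepare("SELECT body FROM article WHERE body LIKE :pattern ORDER BY article_id");
$sel->execute([':pattern' => "%$search_term%"]);
foreach ($sel->fetchAll(PDO::FETCH_COLUMN) as $body) {
    var_dump($body === $search_term);                     // bool(true), twice
}

// stripslashes() only undoes an addslashes() applied to a string that was NOT then parsed as SQL
// (e.g. input pre-escaped by magic_quotes_gpc and used somewhere other than a query).
var_dump(stripslashes($escaped) === $search_term);        // bool(true)

// HTML escaping belongs at output time, not before storage; the stored text stays raw.
echo htmlspecialchars($search_term, ENT_QUOTES, 'UTF-8'), "\n";   // Matt&#039;s Script Archive
```

Run it from the command line with php; the two bool(true) lines confirm that neither the quoted nor the bound insert left an escape character in the row.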
