I am using a template system and I have been pondering what the addslashes() function can do for me and if/when I should use it when inserting stuff into the database.
I know what it does, but I just don't know how I should be using it properly.
Maybe I should stripslashes to clean it up before going in the database and, when it's being output, use htmlspecialchars and addslashes. The thing is, I still get puzzled when it's not exactly needed for an echo.
Are you sure you have to stripslashes when retrieving the data from the database?
For example, when inserting a quote ' addslashes converts that to \' and inserts it into the MySQL database, which interprets both those characters as a single quote. So, I think there is no need to stripslashes...
SELECT * from article WHERE body LIKE '%$search_term%' ORDER BY article_id
where $search_term is entered by the user through a form. If $search_term is something simple like Banner Management, the SQL query becomes:
SELECT * from article WHERE body LIKE '%Banner Management%' ORDER BY article_id
and everything would work fine.
But, just in case $search_term is something like Matt's Script Archive, the SQL query would become:
SELECT * from article WHERE body LIKE '%Matt's Script Archive%' ORDER BY article_id
Notice the 3 single quotes in that query! It would produce an error parsing the query.
Instead, if you use the built-in PHP function addslashes:
$SQL = "SELECT * from article WHERE body LIKE '%" . addslashes($search_term) . "%' ORDER BY article_id";
the single quote (and other special chars in $search_term) gets escaped, and the SQL query becomes:
$SQL = "SELECT * from article WHERE body LIKE '%Matt\'s Script Archive%' ORDER BY article_id";
and everything works as expected.
The \' tells the SQL parser to interpret it as a single quote, to be stored in the database.
NOTE: PHP can be configured to automatically add these slashes to all FORM (GET/POST) and cookie INPUT from the user (that's what gpc_magic_quotes() is for). So, this would eliminate the need to use addslashes(). However, I prefer to explicitly call addslashes() and turn off auto slashing.
stripslashes() is used to remove slashes. This is normally only used if you want to remove slashes from user INPUT that were added automatically by PHP (the gpc_magic_quotes() function).
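The following is an added example, not code posted by anyone in this thread. It puts the addslashes() string-splicing described above next to a PDO prepared statement, and also shows the case addslashes() cannot cover at all: a value spliced into the query without surrounding quotes (a numeric id), where there is no quote for it to escape. It runs offline against an in-memory SQLite database, so it assumes the pdo_sqlite extension is loaded; the table name, column names, the three article rows and the search terms are constructed sample data. One caveat the example also surfaces: addslashes() produces MySQL-style backslash escapes, which SQLite and standard SQL do not understand, so the spliced search query is malformed on SQLite even though it would run on MySQL. Whichever database you use, the driver's own quoting (PDO::quote(), or mysqli_real_escape_string() on a MySQL connection) or, better, a bound parameter is what actually matches the database's rules.

```php
<?php
// Added example, not code posted in this thread. Contrasts addslashes()
// string-splicing with driver-aware quoting and a PDO prepared statement,
// and shows the unquoted numeric context that addslashes() leaves open.
// Runs offline against an in-memory SQLite database (assumes the pdo_sqlite
// extension); the article rows and search terms are constructed sample data.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE article (article_id INTEGER PRIMARY KEY, body TEXT)');
    $ins = $db->prepare('INSERT INTO article (body) VALUES (?)');
    foreach (['Banner Management overview', "Matt's Script Archive review", 'Unrelated text'] as $body) {
        $ins->execute([$body]);
    }
    return $db;
}

// The thread's pattern: escape with addslashes() and splice into the SQL text.
// addslashes() emits MySQL-style backslash escapes; SQLite doubles quotes
// instead and treats the backslash as an ordinary character, so a term that
// contains a quote yields a malformed statement here (PDO throws).
function searchSpliced(PDO $db, string $term): array
{
    $sql = "SELECT article_id FROM article WHERE body LIKE '%" . addslashes($term) . "%' ORDER BY article_id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// If text really must be spliced, let the driver quote it: PDO::quote() applies
// the connected database's rules (on SQLite it doubles the single quote).
function searchQuoted(PDO $db, string $term): array
{
    $sql = 'SELECT article_id FROM article WHERE body LIKE ' . $db->quote('%' . $term . '%') . ' ORDER BY article_id';
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Preferred: a prepared statement. The term travels as a parameter, so quotes
// inside it are data rather than SQL syntax, whatever the driver.
function searchPrepared(PDO $db, string $term): array
{
    $stmt = $db->prepare('SELECT article_id FROM article WHERE body LIKE ? ORDER BY article_id');
    $stmt->execute(['%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The hole addslashes() leaves open: an unquoted numeric context. There is no
// quote to escape, so an id of "1 OR 1=1" lands in the WHERE clause verbatim
// and the query returns every row.
function fetchByIdSpliced(PDO $db, string $id): array
{
    $sql = 'SELECT article_id FROM article WHERE article_id = ' . addslashes($id) . ' ORDER BY article_id';
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Same lookup with a bound parameter: "1 OR 1=1" is compared to article_id as a
// single value and matches no row.
function fetchByIdPrepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT article_id FROM article WHERE article_id = ? ORDER BY article_id');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();
$term = "Matt's Script Archive";

try {
    print_r(searchSpliced($db, $term));
} catch (PDOException $e) {
    echo "addslashes() splice failed on SQLite: " . $e->getMessage() . "\n";
}
print_r(searchQuoted($db, $term));
print_r(searchPrepared($db, $term));
print_r(fetchByIdSpliced($db, '1 OR 1=1'));
print_r(fetchByIdPrepared($db, '1 OR 1=1'));
```

Run it with the php CLI. The quoted and prepared searches both find only the Matt's Script Archive row; the spliced numeric lookup returns all three ids, which is the injection that addslashes() cannot prevent, while the prepared numeric lookup returns nothing. The same point applies to magic_quotes: it only ever touches quote characters, so it gives no protection wherever a value is used outside quotes.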