  1. #1
    SitePoint Enthusiast
    Join Date
    Jun 2011
    Posts
    74

    Addslashes vs Stripslashes vs mysql_real_escape_string

    I know that there is the use of addslashes(), stripslashes() and mysql_real_escape_string(), but where is it most appropriate to use them?
    I have heard real_escape_string is better for security.
    Which is best for which scenario: uploaded data and downloaded data?

    Best for assigning variables for uploading to a database:
    $var1 = mysql_real_escape_string($_POST['name1']);
    $var1 = addslashes($_POST['name1']);
    $var1 = stripslashes($_POST['name1']);


    Best for assigning variables after downloading from database:
    $var1 = mysql_real_escape_string($row['name1']);
    $var1 = addslashes($row['name1']);
    $var1 = stripslashes($row['name1']);

  2. #2
    SitePoint Member
    Join Date
    Nov 2011
    Posts
    7
    Hi.

    First, mysql_real_escape_string() is only for MySQL and is only available when there is a connection to a database! mysql_real_escape_string() and addslashes() do the same as far as I know, but as the first is developed with MySQL itself, it is more likely to be better at treating MySQL queries. In older releases of PHP, addslashes() had some bugs that I don't think exist now.

    But stripslashes() is the opposite! It strips the backslashes instead of adding them.

    So use addslashes() when doing anything not related to a certain DB management system, and use the appropriate function when treating a certain DBMS (such as mysql_real_escape_string() for MySQL or pg_escape_string() for PostgreSQL).

    Thanks.
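
Added example, not code from either poster: it contrasts addslashes() with a DBMS-aware escaping function and a bound parameter for the "uploading" case, then reads the rows back for the "downloading" case. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database so it runs offline; the table name and the sample value standing in for $_POST['name1'] are constructed.

```php
<?php
// Added example: in-memory SQLite through PDO (assumes pdo_sqlite is enabled).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (name TEXT)');

// Constructed stand-in for $_POST['name1']: one quote and one real backslash.
$input = "O'Reilly \\ Sons";

// 1. addslashes() knows nothing about the target DBMS. SQLite does not treat
//    a backslash as an escape character, so the quote still ends the literal
//    and the statement no longer parses.
$generic = addslashes($input);
try {
    $db->exec("INSERT INTO people (name) VALUES ('$generic')");
    echo "addslashes(): row inserted\n";
} catch (PDOException $e) {
    echo "addslashes(): query broke: ", $e->getMessage(), "\n";
}

// 2. The driver's own function applies the quoting rules of the connected
//    DBMS. PDO::quote() also adds the surrounding quotes.
$quoted = $db->quote($input);
$db->exec("INSERT INTO people (name) VALUES ($quoted)");

// 3. A bound parameter never becomes part of the SQL text, so there is
//    nothing to escape.
$stmt = $db->prepare('INSERT INTO people (name) VALUES (?)');
$stmt->execute([$input]);

// Reading back: escaping characters are consumed by the SQL parser and are
// not stored, so the row already holds the original value.
foreach ($db->query('SELECT name FROM people') as $row) {
    echo "stored value equals input: ";
    var_dump($row['name'] === $input);
    // stripslashes() here would remove the backslash that belongs to the data.
    echo "still equal after stripslashes(): ";
    var_dump(stripslashes($row['name']) === $input);
}
```

Escaping for SQL is applied once, on the way into the query, with the function (or parameter binding) that belongs to the connected DBMS; values read from the database are used as they are.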

