Re: storing single and double quote in MySQL

After these very helpful comments, I read (again) Shiflett's (and a few
others') security articles about filtering input and output. And the more I
read, the less is clear :(

Before, I used addslashes() before I inserted data into the database and
stripslashes() to show it on screen.

Later I found that is not good and started using mysql_real_escape_string()
to add to the DB and stripslashes() to show on screen.

But I also thought mysql_real_escape_string() is a "filter" for
everything, e.g. let's have three links (add, delete, edit) as
<a href=index.php?action=add&rec_id=$rec_id>Add new</a>
<a href=index.php?action=edit&rec_id=$rec_id>Edit</a>
<a href=index.php?action=delete&rec_id=$rec_id>Delete</a>
and was doing it this way:
#index.php
<?php
// Only dispatch when an action was actually passed (isset avoids an
// "undefined index" notice when the page is opened without parameters).
if (isset($_GET['action']))
{
	// $action is only ever compared against the case labels below;
	// $rec_id is used to look up the record in MySQL.
	$action = mysql_real_escape_string($_GET['action']);
	$rec_id = mysql_real_escape_string($_GET['rec_id']);
	switch($action)
	{
		case 'add':
			// add new record
		break;

		case 'edit':
			// edit record
		break;

		case 'delete':
			// delete record
		break;
	}
}
?>

It means that $action I will never store in the DB, nor show on screen. Am I
then wrong to do
$action = mysql_real_escape_string($_GET['action']);
or should I do
$action = htmlentities($_GET['action']);
or is
$action = $_GET['action'];
just fine?

I'm really confused.


> Richard Lynch wrote:
>
>>On Mon, May 22, 2006 11:37 am, Brad Bonkoski wrote:
>>
>>>http://www.php.net/manual/en/function.stripslashes.php
>>>if you have to dump that information back to the users.
>>
>>If you are using http://php.net/stripslashes on data coming out of
>>your database, you are DEFINITELY doing something wrong acquiring that
>>data.
>>
>>Stripslashes is "correctly" used ONLY when:
>>1. You have Magic Quotes on, and
>>2. You need to display/use the incoming data for something other than
>>MySQL in the same script that does the INSERT
>>
>>Even then, you really ought to turn off Magic Quotes and migrate to
>>http://php.net/mysql_real_escape_string
>>
> Thanks for your constructive criticism.... Sorry for the original bad
> advice.
>
> So, when magic_quotes goes away in a future version, will
> stripslashes() also go away?
>
> -Brad
>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
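The question above is really about three different contexts (routing, SQL, HTML), each with its own correct handling. The following is an added example written for this thread, not code from any of the posters; it assumes a mysqli connection in `$db` and a hypothetical table `records(id, title)`.

```php
<?php
// Added example (not from the thread): the same index.php, but each value
// is handled for the context it is actually used in, instead of being
// escaped once "for everything". Assumes a mysqli connection in $db and a
// hypothetical table records(id INT, title VARCHAR).

// 1. Routing context: $action never reaches SQL or HTML, so escaping is the
//    wrong tool. Validate it against a whitelist of known values instead.
$allowedActions = ['add', 'edit', 'delete'];
$action = $_GET['action'] ?? '';
if (!in_array($action, $allowedActions, true)) {
    http_response_code(400);
    exit('Unknown action');
}

// 2. SQL context: rec_id is an integer, so validate it as one. Values that
//    do reach a query travel as bound parameters, not as escaped strings,
//    so quotes in the data are stored exactly as typed (no addslashes()).
$recId = filter_input(INPUT_GET, 'rec_id', FILTER_VALIDATE_INT);
if ($action !== 'add' && !is_int($recId)) {
    http_response_code(400);
    exit('Bad record id');
}
$title = $_POST['title'] ?? '';   // e.g. O'Reilly "Books" stays intact

switch ($action) {
    case 'add':
        $stmt = $db->prepare('INSERT INTO records (title) VALUES (?)');
        $stmt->bind_param('s', $title);
        $stmt->execute();
        break;
    case 'edit':
        $stmt = $db->prepare('UPDATE records SET title = ? WHERE id = ?');
        $stmt->bind_param('si', $title, $recId);
        $stmt->execute();
        break;
    case 'delete':
        $stmt = $db->prepare('DELETE FROM records WHERE id = ?');
        $stmt->bind_param('i', $recId);
        $stmt->execute();
        break;
}

// 3. HTML context: escape at the point of output, and only there. Nothing
//    was slash-escaped on the way in, so stripslashes() is never needed.
$result = $db->query('SELECT id, title FROM records');
while ($row = $result->fetch_assoc()) {
    $id = (int) $row['id'];
    $safeTitle = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
    echo "<a href=\"index.php?action=edit&amp;rec_id=$id\">$safeTitle</a>\n";
}
```

With this layout, mysql_real_escape_string(), addslashes() and stripslashes() all drop out: the whitelist answers the `$action` question, the bound parameter handles the quotes for MySQL, and htmlspecialchars() handles them for the browser.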

