Re: PDO Prepared Statements and stripslashes


On Tue, Dec 21, 2010 at 05:31:15AM +0100, Rico Secada wrote:

> Hi.
> 
> In an article about SQL Injection by Chris Shiflett he mentions the
> following in a comment: "The process of escaping should preserve data,
> so it should never be necessary to reverse it. When I'm auditing an
> application, things like stripslashes() alert me to design problems."
> 
> Now, I'm always using PHP PDO with prepared statements and as such data
> with quotes gets slashed automatically by PDO when inserted into the
> database.

Just out of idle curiosity, are you using MySQL? PDO shouldn't be
backslashing quotes for PostgreSQL, as the PostgreSQL convention for
values containing single quotes is to double the quotes, as: ''.

> 
> When I need to pull out the data something might be slashed and I need
> to use stripslashes() or some str_replace() to make sure that the
> slashes are removed.
> 
> So what's the mistake here and what's the correct way to do it?

I don't see a mistake. If the values come out of the database
backslashed, then you need to remove the backslashes to work with the
data. My only question would be whether you're sure the data is
backslashed before PDO ever sees it, in which case, yes, you have a
problem.

Paul

-- 
Paul M. Foster

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
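The following is an added example, not code from either poster or from the thread above. It demonstrates the point under discussion with an in-memory SQLite database (so it runs offline): a value passed to PDO as a bound parameter is stored and read back exactly as given, with no backslashes added, and the only way backslashes end up in the stored data is if something escaped the value before PDO saw it. The `notes` table, the sample input string, and the helper names (`insertNote`, `fetchNote`, `looksDoubleEscaped`, `undoMagicQuotes`) are constructed for this example.

```php
<?php
// Added example (not part of the original thread). Shows that PDO bound
// parameters never add backslashes to stored data, and that backslashes
// found on the way out were put there before PDO saw the value (for
// example by magic_quotes_gpc or a manual addslashes()).
declare(strict_types=1);

function createDb(): PDO {
    // In-memory SQLite so the example needs no server. Schema is constructed.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

// Correct usage: pass the raw value as a bound parameter. The driver (or
// the server, with native prepares) keeps it separate from the SQL text,
// so nothing has to be escaped and nothing has to be un-escaped later.
function insertNote(PDO $pdo, string $body): int {
    $stmt = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function fetchNote(PDO $pdo, int $id): string {
    $stmt = $pdo->prepare('SELECT body FROM notes WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Audit helper (constructed): a backslash followed by a quote or another
// backslash in stored data is the fingerprint of a value that was escaped
// before it reached the database layer.
function looksDoubleEscaped(string $stored): bool {
    return (bool) preg_match('/\\\\[\'"\\\\]/', $stored);
}

// The one legitimate place for stripslashes(): reversing magic_quotes_gpc
// at the input boundary, on PHP versions that still have it (removed in
// PHP 5.4). On newer PHP this is a no-op; it must never be applied to data
// read back from the database.
function undoMagicQuotes(string $value): string {
    return (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
        ? stripslashes($value)
        : $value;
}

$pdo   = createDb();
$input = "O'Reilly said \"hi\" \\ and left";   // constructed sample input

// 1. Raw value through a bound parameter: round-trips unchanged.
$id  = insertNote($pdo, $input);
$out = fetchNote($pdo, $id);
var_dump($out === $input);                  // true: PDO added nothing
var_dump(looksDoubleEscaped($out));         // false

// 2. The design problem the thread is about: the value was already
//    backslashed (addslashes() here stands in for magic_quotes_gpc) before
//    it reached PDO. PDO stores exactly what it was given, so the slashes
//    land in the database, and stripslashes() on the way out only "works"
//    because of that earlier mistake.
$preEscaped = addslashes($input);
$id2  = insertNote($pdo, $preEscaped);
$out2 = fetchNote($pdo, $id2);
var_dump($out2 === $input);                 // false: slashes were stored
var_dump(looksDoubleEscaped($out2));        // true: audit flag
var_dump(stripslashes($out2) === $input);   // true, but only by accident

// 3. Fix it at the boundary instead: undo magic quotes once, on the raw
//    request value, then hand the clean value to PDO.
$id3  = insertNote($pdo, undoMagicQuotes($input));
var_dump(fetchNote($pdo, $id3) === $input); // true
```

One caveat on the "PDO backslashes quotes" reading of the question: with emulated prepares (PDO::ATTR_EMULATE_PREPARES, the default for the MySQL driver), PDO does escape the value client-side when it interpolates it into the SQL string, but that escaping is consumed by the server's parser and the stored value is still the raw input, exactly as in case 1 above. That is the sense in which escaping "preserves data": if the data comes back with slashes in it, they were added by something other than PDO's parameter binding.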


