Hello,

The plug-in PDO has nothing to do with the backslashes being inserted into the database. The backslashes are used to escape characters like in D's...it would show D'////////////s. That's the safe behavior of it. You can change your programming code to fix that.

Ravi.

On Tue, Dec 21, 2010 at 12:59 AM, Rico Secada <coolzone@xxxxx> wrote:
> On Tue, 21 Dec 2010 00:32:19 -0500
> Paul M Foster <paulf@xxxxxxxxxxxxxxxxx> wrote:
>
> > On Tue, Dec 21, 2010 at 05:31:15AM +0100, Rico Secada wrote:
> >
> > > Hi.
> > >
> > > In an article about SQL Injection by Chris Shiflett he mentions the
> > > following in a comment: "The process of escaping should preserve
> > > data, so it should never be necessary to reverse it. When I'm
> > > auditing an application, things like stripslashes() alert me to
> > > design problems."
> > >
> > > Now, I'm always using PHP PDO with prepared statements and as such
> > > data with quotes gets slashed automatically by PDO when inserted
> > > into the database.
> >
> > Just out of idle curiosity, are you using MySQL? PDO shouldn't be
> > backslashing quotes for PostgreSQL, as the PostgreSQL convention for
> > values containing single quotes is to double the quotes, as: ''.
>
> Currently I'm working with MySQL, but I have just tested PDO with
> PostgreSQL 8.3 and in this case PDO backslashes PostgreSQL as well.
>
> > > When I need to pull out the data something might be slashed and I
> > > need to use stripslashes() or some str_replace() to make sure that
> > > the slashes are removed.
> > >
> > > So what's the mistake here and what's the correct way to do it?
> >
> > I don't see a mistake. If the values come out of the database
> > backslashed, then you need to remove them to work with the data. My
> > only question would be whether you're sure the data is backslashed
> > before PDO ever sees it. In which case, yes, you have a problem.
>
> No, the data is not slashed before PDO sees it.
>
> I didn't see a mistake either, but then what does Chris mean? Stripping
> slashes from output from the DB alerts him to a design problem, and
> I'm just wondering if there is another way of doing things I just haven't
> heard of then.
>
> > Paul
> >
> > --
> > Paul M. Foster
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
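Added example, not code from the thread. It shows the point Chris Shiflett's comment is making: with bound parameters the escaping lives only in the SQL statement text that PDO sends (or emulates client-side), never in the stored column value, so a value round-trips unchanged and nothing needs stripslashes() on the way out. It then shows the one way a backslash does end up stored: the value was already run through addslashes() (as PHP's magic_quotes_gpc did to request data, or a stray addslashes() call) before PDO saw it, and PDO faithfully stored the mangled string. The in-memory SQLite database, the table name `t` and the helper names are assumptions for the sake of a self-contained run; the behaviour is the same for the MySQL and PostgreSQL drivers.

```php
<?php
// Added example (not from the thread). Uses PDO with an in-memory SQLite
// database (assumption: pdo_sqlite is available) so it runs offline.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE t (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $db;
}

// Insert a value through a bound parameter, read it back by id, and return
// exactly what the database hands back (no stripslashes, no str_replace).
function roundTrip(PDO $db, string $value): string
{
    $ins = $db->prepare('INSERT INTO t (name) VALUES (:name)');
    $ins->execute([':name' => $value]);
    $id = (int) $db->lastInsertId();

    $sel = $db->prepare('SELECT name FROM t WHERE id = :id');
    $sel->execute([':id' => $id]);
    return (string) $sel->fetchColumn();
}

$db = makeDb();

// 1. Bound parameters preserve the data: the quote in D's is handled in the
//    statement, not by altering the value, so no backslash is stored.
$input = "D's";
$out = roundTrip($db, $input);
var_dump($out === $input);   // bool(true)
var_dump($out);              // string(3) "D's"

// 2. Escaping *before* binding is where a stored backslash comes from.
//    addslashes("D's") is "D\'s"; PDO stores that four-character string as is,
//    and it will come back with the backslash, which is what tempts people
//    into stripslashes() on output.
$preEscaped = addslashes($input);
$out2 = roundTrip($db, $preEscaped);
var_dump($out2);             // string(4) "D\'s"

// 3. The check to make: is something escaping request data upstream of the
//    query? On PHP 5 with magic_quotes_gpc enabled, $_GET/$_POST/$_COOKIE
//    arrive already addslashed. The fix is to remove that upstream escaping
//    (or undo it once at the input boundary), never to strip slashes on
//    output. get_magic_quotes_gpc() was removed in PHP 8, hence the guard.
$magicQuotesOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
var_dump($magicQuotesOn);    // bool(false) on any sane modern setup
```

If the stored rows already contain backslashes, the remediation is a one-off cleanup of the stored data plus removing whatever escapes input before binding; keeping a stripslashes() in the read path masks the double-escaping and is exactly the design smell the quoted comment describes.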