To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm

On 18 January 2005 17:11, Joseph Crawford wrote:

> Jason, can you explain why stripslashes should not be used on data
> taken from the db? When you store data in the db I thought it was good
> practice to addslashes; when you retrieve from the db, you will need
> to use stripslashes to remove the extra \

It's simple. Suppose you have a script that looks a bit like this (but hopefully with more input validation and error checking!):

    $value = addslashes($_POST['text']);   // magic_quotes_gpc off
    $sql = "INSERT INTO tbl SET fld = '$value'";
    database_execute($sql);

Now suppose the user types this into the 'text' form field:

    Here's an apostrophe

Here's what happens:

PHP does this:

    $value is set to:   Here\'s an apostrophe
    $sql becomes:       INSERT INTO tbl SET fld = 'Here\'s an apostrophe'

Which is sent to the database via database_execute().

The DATABASE now does this:

    Receives the SQL statement:   INSERT INTO tbl SET fld = 'Here\'s an apostrophe'

(Note how the \ escape is required here to stop the field value from terminating prematurely -- but this escape is aimed at the *database*, and is not a PHP escape. A lot of confusion seems to arise here for databases which use the same \ escape character as PHP.)

    Extracts the value:           Here\'s an apostrophe
    and de-escapes it to give:    Here's an apostrophe

Which gets inserted into the database.

So the value inserted into the database is the unescaped original, and on retrieval there are no \ characters in the retrieved value to be stripslashes()ed.

Hope that's clearer than mud, and helps you understand what's going on better.

Cheers!
Mike

---------------------------------------------------------------------
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Headingley Campus, LEEDS, LS6 3QS, United Kingdom
Email: m.ford@xxxxxxxxxxxxxx
Tel: +44 113 283 2600 extn 4730   Fax: +44 113 283 3211

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
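The round trip Mike walks through above, as an added worked example that is not part of the original thread. It is written in Python rather than PHP so it runs stand-alone: addslashes() and stripslashes() are re-implemented to match PHP's behaviour, and the "database" is a small model of how MySQL's parser reads a single-quoted string literal with backslash escapes (only the escapes relevant here are modelled; the table name, column name and sample inputs are constructed for the example). The last function shows the alternative that removes the escaping question entirely: a parameterised query, here against an in-memory SQLite table, where the driver never builds a string literal at all.

```python
"""addslashes / database de-escaping round trip (model, not PHP or MySQL source)."""
import sqlite3

# Model of PHP addslashes(): backslash before ' " \ and NUL.
def addslashes(s: str) -> str:
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)

# Model of PHP stripslashes(): remove one level of backslash escaping.
def stripslashes(s: str) -> str:
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append("\0" if s[i + 1] == "0" else s[i + 1])
            i += 2                     # a trailing lone backslash is dropped
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

# The PHP script from the mail, rebuilt here: escape (or not) and interpolate.
def build_insert(form_text: str, escape: bool = True) -> str:
    value = addslashes(form_text) if escape else form_text
    return f"INSERT INTO tbl SET fld = '{value}'"

# Model of the DATABASE side: read the first single-quoted literal the way a
# MySQL-style parser does, un-escaping backslash sequences and doubled quotes.
# Returns (value_that_gets_stored, text_left_over_after_the_literal).
_MYSQL_ESCAPES = {"0": "\0", "n": "\n", "r": "\r", "t": "\t", "b": "\b", "Z": "\x1a"}

def mysql_read_literal(sql: str) -> tuple[str, str]:
    i = sql.index("'") + 1
    out = []
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):         # \' \" \\ \0 ... -> one char
            out.append(_MYSQL_ESCAPES.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif ch == "'" and sql[i + 1:i + 2] == "'":  # '' is also an escaped quote
            out.append("'")
            i += 2
        elif ch == "'":                               # unescaped quote ends the literal
            return "".join(out), sql[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")

# PHP escapes, the database de-escapes: what lands in the table is the original.
def round_trip(form_text: str) -> str:
    stored, leftover = mysql_read_literal(build_insert(form_text))
    assert leftover == "", "literal terminated early"
    return stored

# Same data path with a parameterised query (SQLite in memory, constructed table):
# no string literal is built, so nothing needs escaping or un-escaping.
def round_trip_parameterized(form_text: str) -> str:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl (fld TEXT)")
    conn.execute("INSERT INTO tbl (fld) VALUES (?)", (form_text,))
    (value,) = conn.execute("SELECT fld FROM tbl").fetchone()
    conn.close()
    return value

if __name__ == "__main__":
    text = "Here's an apostrophe"                      # constructed form input
    print(build_insert(text))                          # the SQL PHP sends
    print(repr(round_trip(text)))                      # what the database stores
    print(mysql_read_literal(build_insert(text, escape=False)))  # unescaped: cut short
    path = r"C:\temp\new"                              # legitimate backslashes
    print(repr(round_trip(path)), "->", repr(stripslashes(round_trip(path))))
```

Running it shows the three points from the mail: the stored value equals the typed text, so there is nothing for stripslashes() to remove; without addslashes() the literal ends at the user's apostrophe and `s an apostrophe'` is left dangling for the parser (the same gap an injection payload exploits); and if you do call stripslashes() on retrieved data that legitimately contains backslashes, such as a Windows path, you corrupt it.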