Posted by Cruella DeVille on 04/22/06 23:00
I must have some errors in my understanding of strip- vs. addslashes.
I thought that if a user submitted e.g. a username, like this
username=siv' drop database test; I should addslashes to escape ' and "
and therefore prevent the evil user from dropping/changing my database through
SQL injection (my example may not be correct, but I believe it points
out that an evil user can add SQL commands through an input field).
But - I've been reading lots of code lately, and I see that others use
stripslashes instead of addslashes. And my question is why. What did I
miss? Has it something to do with gpc_magic_quotes?
Thanks!
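An added PHP example, not from the original post or its author, showing why older code strips slashes before escaping (the magic_quotes_gpc double-escaping problem) and the parameterized query that sidesteps the add/strip question altogether; it assumes the pdo_sqlite extension and uses constructed input.

```php
<?php
// Added example, not part of the original forum post. Input values are
// constructed; the in-memory SQLite database stands in for a real one.

// The input from the post, exactly as the user typed it.
$raw = "siv' drop database test;";

// With magic_quotes_gpc=On (PHP < 5.4), PHP had already run addslashes()
// over $_GET/$_POST/$_COOKIE before the script ever saw the value.
$fromRequest = addslashes($raw);   // backslash now sits before the quote

// Recover the value as the user typed it, whatever the magic_quotes
// setting; escaping must then happen exactly once, at the SQL boundary.
function rawInput(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Escaping an already-escaped value corrupts data: the stored username
// would contain a literal backslash. This is the bug stripslashes() was
// being used to avoid in the code the poster was reading.
$doubleEscaped = addslashes($fromRequest);
$escapedOnce   = addslashes(rawInput($fromRequest, true));
assert($doubleEscaped !== $escapedOnce);

// The approach that does not depend on addslashes() at all: bind the
// value as a parameter, so the quote can never end the SQL string literal
// and the trailing "drop database" text is stored as plain characters.
function insertUser(PDO $db, string $username): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS users (name TEXT NOT NULL)');
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $username]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
insertUser($db, rawInput($fromRequest, true));

// The row holds the original text unchanged; no second statement ran.
$stored = $db->query('SELECT name FROM users')->fetchColumn();
echo ($stored === $raw ? "stored intact" : "stored mangled"), PHP_EOL;
```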