Posted by Bostjan Skufca @ domenca.com on 05/16/05 15:23
I do it the following way to achieve portability:
For GET/POST/COOKIE variables:
1. check the "magic_quotes_gpc" PHP setting - if it is enabled, strip slashes from the input
variables using stripslashes()
2. check input/anything
3. prior to building the SQL query, escape the stuff (MySQL - mysql_real_escape_string();
others use different escaping methods)
4. run query
For data that comes from SQL sources:
1. check magic_quotes_runtime PHP setting...
On Monday 16 May 2005 10:32, Petzo wrote:
> Hi,
>
> My question is about the normal behaviour of PHP and MySQL but I can't
> explain it without a simple example. Thank you for reading:
>
> I have the following code:
> --------------------------------------------------------------------
> <?php
> print $t = $_POST['txt'];
> print $t = addslashes($t);
>
> @ $db = mysql_pconnect(xxx,xxx,xxx);
> mysql_select_db('test');
>
> $q = "update ttable set ffield='$t'";
> mysql_query($q);
>
> $q = "select * from ttable";
> $result = mysql_query($q);
> $bo = mysql_fetch_array($result);
>
> print $t = $bo['ffield'];
> print $t = stripslashes($t);
> ?>
> --------------------------------------------------------------------
>
>
> from a HTML form I send variable:
> --------------------------------------------------------------------
> ' \ \' \\ \\\
> --------------------------------------------------------------------
>
> after addslashes it becomes:
> --------------------------------------------------------------------
> \' \\ \\\' \\\\ \\\\\\
> --------------------------------------------------------------------
>
> after that it gets in the database
>
> but after I get it out it becomes:
> --------------------------------------------------------------------
> ' \ \' \\ \\\
> --------------------------------------------------------------------
> (without the backslashes!)
>
> and of course after stripslashes it gets messed up:
> --------------------------------------------------------------------
> ' ' \ \
> --------------------------------------------------------------------
>
> So my question is if this is normal behaviour for PHP+MySQL or if it may
> vary in different configurations or versions of either PHP or MySQL.
> It's not a bad thing to be like that but I wonder if my code will behave
> the same at most systems.
>
> Thank you very much
--
Best regards,
Bostjan Skufca
system administrator
Domenca d.o.o.
Phone: +386 4 5835444
Fax: +386 4 5831999
http://www.domenca.com
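Added example (not code from either poster in this thread): Bostjan's four steps for GET/POST/COOKIE input written out in the PHP 4/5-era functions the thread uses (get_magic_quotes_gpc(), mysql_real_escape_string(); both have since been removed from PHP), plus a round trip of Petzo's test string done without a database server to show why the stored value comes back identical to the form input. The table/column names, the field name txt, the 255-byte limit and the $link handle are assumptions carried over from the question.

```php
<?php
// Added example; not code from the original thread. Assumes the question's
// table ttable, column ffield, form field txt, and an open mysql link $link.

// Step 1: undo magic_quotes_gpc so we work on the bytes the client really sent.
// $_GET/$_POST/$_COOKIE values may be nested arrays, hence the recursion.
function strip_deep($value)
{
    return is_array($value) ? array_map('strip_deep', $value) : stripslashes($value);
}

function raw_input(array $source, $key)
{
    if (!array_key_exists($key, $source)) {
        return null;
    }
    $value = $source[$key];
    // get_magic_quotes_gpc() no longer exists in current PHP; guard the call.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = strip_deep($value);
    }
    return $value;
}

// Step 2: validate the raw (unescaped) value. 255 bytes is an assumed column size.
function valid_text($value)
{
    return is_string($value) && $value !== '' && strlen($value) <= 255;
}

// Step 3: escape only when building the query, with the driver's own function.
// mysql_real_escape_string() needs an open link so it can honour the connection
// character set; the bare addslashes() in the question does not know about it.
function build_update($link, $text)
{
    $escaped = mysql_real_escape_string($text, $link);
    return "UPDATE ttable SET ffield='$escaped'";
}

// Data coming back from SQL carries added slashes only if magic_quotes_runtime
// is on, so strip them only in that case, never unconditionally.
function from_db($value)
{
    if (function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime()) {
        return stripslashes($value);
    }
    return $value;
}

// Step 4 end to end: read, validate, escape, run, read back.
function handle_post($link)
{
    $text = raw_input($_POST, 'txt');
    if (!valid_text($text)) {
        return null;
    }
    mysql_query(build_update($link, $text), $link);
    $row = mysql_fetch_assoc(mysql_query("SELECT ffield FROM ttable", $link));
    return from_db($row['ffield']);
}

// Why the backslashes "vanished" in the question: MySQL's parser unescapes a
// quoted literal the same way stripslashes() does, so the stored value is the
// original input, and a second stripslashes() on the way out damages it.
// This simulates the round trip without a database server.
function simulate_round_trip($input)
{
    $literal = addslashes($input);     // text placed inside the SQL quotes
    $stored  = stripslashes($literal); // what MySQL keeps after parsing the literal
    $mangled = stripslashes($stored);  // the extra stripslashes() from the question
    return array(
        'literal'   => $literal,
        'stored'    => $stored,
        'unchanged' => ($stored === $input),
        'mangled'   => $mangled,
    );
}

// Constructed sample: the exact string from the question, ' \ \' \\ \\\
$sample = "' \\ \\' \\\\ \\\\\\";
$trip = simulate_round_trip($sample);
printf("literal:   %s\nstored:    %s\nunchanged: %s\nmangled:   %s\n",
    $trip['literal'], $trip['stored'], $trip['unchanged'] ? 'yes' : 'no', $trip['mangled']);

// Open $link with mysql_connect()/mysql_select_db() first, then:
if (isset($link)) {
    handle_post($link);
}
```

The simulation reproduces the question's observation: the value read back equals the form input, so stripslashes() on output is wrong whenever magic_quotes_runtime is off. Note the dependency on step 1: had magic_quotes_gpc been on in Petzo's setup, addslashes() would have escaped an already-escaped string and the stored value would have carried extra backslashes instead. On any current PHP the whole escaping step is better replaced by prepared statements (mysqli or PDO with bound parameters), which remove both the escaping call and the configuration dependence.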