Web Hosting Talk

PHP: addslashes and stripslashes


mylinear
10-16-2005, 10:07 AM
In a HTML form text field, I enter:
What's up?

Using PHP, the input is written to a varchar field in a MySQL table. When I look at the data in the table, it shows as:
What's up?

Using PHP, the data is read from the MySQL table. When displayed on a webpage, it shows as:
What's up?

Everything seems to work as it should. So, when exactly do I need to use the addslashes and stripslashes functions on the input or output data?

Vulture
10-16-2005, 10:19 AM
If you're not using either of the two functions (or one of the similar ones) then it's likely that your PHP install has been set up with Magic Quotes enabled. The PHP manual has a good entry on magic quotes (http://uk.php.net/magic_quotes)

Programmers who are writing for portability and performance will tend to turn magic_quotes_runtime off to ensure that 1) their code can be run on systems which might have it disabled by default and 2) execution of the script doesn't take longer than it needs to.

Hope that's helped :)

mylinear
10-16-2005, 11:12 AM
Thank you for the reference.

In my hosting account,
magic_quotes_gpc is on
magic_quotes_runtime is off

I guess this is why it works without using addslashes and stripslashes.

There is a user comment on the page referred to above that says that you should do a stripslashes on the input before using it and do an addslashes before it is saved to the table. Will that work for all conditions regardless of the magic_quotes settings?

Dan L
10-16-2005, 11:54 AM
It's to prevent an SQL injection. An SQL injection is when someone writes SQL into an input instead of text, in an attempt to do malicious things to your database.

What addslashes does is escape the single and double quote characters, so that someone cannot end the current SQL code and start another query with their own.

The problem with addslashes is that it borks up your input, requires you to stripslashes a lot, and isn't 100% effective. The function mysql_real_escape_string is preferred. Also, if the string is an integer, you can put (int) before it, to tell the server that the string is an integer, not text, and therefore it definitely is not SQL.

Now sometimes when magic_quotes is on, it will automatically addslashes for you, so you'll also want to stripslashes all content if it is.

Here's an example of what I do:

function cleanVar($variable) {
    // magic_quotes_gpc has already run addslashes() on request data; undo it
    // so the value is escaped exactly once below instead of twice.
    $variable = (get_magic_quotes_gpc() == 1) ? stripslashes($variable) : $variable;
    if (is_numeric($variable)) {
        // Numeric input: cast to int so no SQL syntax can survive.
        return (int)$variable;
    } else {
        // Text input: escape for the open MySQL connection's character set.
        return mysql_real_escape_string($variable);
    }
}

To use it, just do something like

$query = mysql_query('SELECT * FROM `posts` WHERE `author`="'.cleanVar($author).'"');

and you should be all set.

HTH.
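The post above describes the injection and two defenses (escaping a string, casting an integer). The following is an added example, not code from the thread or from any poster: a self-contained PHP script that reproduces the attack against an in-memory SQLite database and shows the outcomes side by side. It assumes the pdo_sqlite extension; the table, its rows and the attacker-controlled inputs are all constructed in the script. It uses single-quoted SQL literals (standard SQL) rather than the double quotes in the post, and PDO in place of the mysql_* functions, which were removed in PHP 7; the authorsMatching() helper is this example's own.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension.
// The table, its rows and the attacker-controlled inputs are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
$seed = $db->prepare('INSERT INTO posts (author, body) VALUES (?, ?)');
foreach ([['alice', "What's up?"], ['bob', 'private draft'], ['carol', 'hello']] as $row) {
    $seed->execute($row);
}

// Runs a query and returns the matching author names.
function authorsMatching(PDO $db, string $sql, array $params = []): array {
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Attacker-controlled request values (constructed). The first closes the
// quoted literal and appends a tautology; the second rides along in an
// unquoted numeric position where quotes never come into play.
$author = "nobody' OR '1'='1";
$id     = '2 OR 1=1';

// 1. Vulnerable: the value is pasted into the SQL text, so the quote inside it
//    ends the literal and everything after it is parsed as SQL.
$concatenated = authorsMatching($db, "SELECT author FROM posts WHERE author='" . $author . "'");

// 2. Escaped: PDO::quote() is the driver-aware successor of
//    mysql_real_escape_string(); for SQLite it doubles the embedded quote and
//    wraps the result in quotes, so the literal stays one literal.
$quoted = authorsMatching($db, 'SELECT author FROM posts WHERE author=' . $db->quote($author));

// 3. Parameterized: the value never enters the SQL text at all, so there is
//    nothing to escape and no connection charset to get wrong.
$bound = authorsMatching($db, 'SELECT author FROM posts WHERE author = ?', [$author]);

// 4. Numeric position: quoting is the wrong tool here (the column is compared
//    to a number, not a string); the (int) cast from the post leaves only 2.
$concatenatedId = authorsMatching($db, 'SELECT author FROM posts WHERE id=' . $id);
$castId         = authorsMatching($db, 'SELECT author FROM posts WHERE id=' . (int) $id);

foreach (['concatenated string' => $concatenated,
          'quoted string'       => $quoted,
          'bound parameter'     => $bound,
          'concatenated int'    => $concatenatedId,
          'cast int'            => $castId] as $label => $rows) {
    printf("%-20s -> %s\n", $label, $rows ? implode(', ', $rows) : '(no rows)');
}
```

Run it with `php inject.php`: both concatenated forms return all three authors, the cast returns only bob, and the quoted and bound forms return no rows, because no author is literally named nobody' OR '1'='1. The bound form is the one to reach for; PDO::quote() is shown only because it is the direct equivalent of the escaping approach the post recommends.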

mylinear
10-16-2005, 01:14 PM
Thank you for your explanation and example.

laserlight
10-17-2005, 12:57 PM
magic_quotes_gpc is on
That means that your incoming variables have addslashes() applied to them automatically. You don't need to use addslashes() again when using the variables in an SQL statement.

Still, it is often better to take into account the fact that magic_quotes_gpc may be off, and use a method similar to what DanX described.

Note that data coming from your database does not need to have stripslashes() applied to it. stripslashes() would be used when magic_quotes_gpc is on, and you don't want your variable to be escaped.
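The original question (why "What's up?" survives the round trip untouched), the manual comment about stripping then re-adding slashes, and the point above that database output needs no stripslashes() all come down to counting how many times a value has been escaped. The following is an added example, not code from the thread or from any poster, and needs no database: two small helpers stand in for what magic_quotes_gpc did to request data and for MySQL resolving backslash escapes when it parses a string literal, and the value is traced through each path. All helper names are this example's own; get_magic_quotes_gpc() no longer exists in PHP 8, so the setting is passed in as a flag instead.

```php
<?php
// Added example, not code from the thread. Needs no database: the helpers
// below stand in for magic_quotes_gpc (addslashes() on every request value)
// and for MySQL resolving backslash escapes when it parses a '...' literal.
// Helper names are this example's own; get_magic_quotes_gpc() no longer
// exists in PHP 8, which is why the setting is passed in as a flag.

// What magic_quotes_gpc did to $_GET/$_POST/$_COOKIE before the script ran.
function emulateMagicQuotesGpc($value) {
    return is_array($value) ? array_map('emulateMagicQuotesGpc', $value) : addslashes($value);
}

// Stand-in for the server side: MySQL turns \' \" and \\ in a literal back
// into the plain character, which stripslashes() also does for those cases.
function mysqlStoresLiteral(string $literal): string {
    return stripslashes($literal);
}

// Undo magic quotes once, at request entry (the usual bootstrap snippet).
function stripMagicQuotes($value) {
    return is_array($value) ? array_map('stripMagicQuotes', $value) : stripslashes($value);
}

// Escape exactly once for the query, whatever the magic_quotes_gpc setting;
// this is the conditional at the top of the cleanVar() function above.
function escapeOnce(string $requestValue, bool $magicQuotesOn): string {
    $plain = $magicQuotesOn ? stripMagicQuotes($requestValue) : $requestValue;
    return addslashes($plain);
}

$typed = "What's up?";                          // what the user typed into the form
$gpcOn = emulateMagicQuotesGpc($typed);         // what the script sees with gpc on

// Path 1, the original poster's setup: gpc on, no addslashes() in the code.
// MySQL consumes the one backslash and stores the text as typed.
$stored1 = mysqlStoresLiteral($gpcOn);

// Path 2: gpc on and addslashes() applied on top. Two layers of escaping go
// in, MySQL removes one, and a stray backslash ends up in the table.
$stored2 = mysqlStoresLiteral(addslashes($gpcOn));

// Path 3: normalise, then escape once. Same stored value with gpc on or off.
$stored3on  = mysqlStoresLiteral(escapeOnce($gpcOn, true));
$stored3off = mysqlStoresLiteral(escapeOnce($typed, false));

// Reading back: what comes out of the table is the stored text and needs no
// stripslashes(). Applying it anyway "repairs" path 2 only by accident and
// destroys legitimate backslashes in clean data.
$storedPath = 'C:\\temp\\notes.txt';            // PHP literal for C:\temp\notes.txt
$mangled    = stripslashes($storedPath);

foreach (['script sees (gpc on)'   => $gpcOn,
          'stored, path 1'         => $stored1,
          'stored, path 2'         => $stored2,
          'stored, path 3 gpc on'  => $stored3on,
          'stored, path 3 gpc off' => $stored3off,
          'output, untouched'      => $storedPath,
          'output, stripslashes'   => $mangled] as $label => $value) {
    printf("%-23s %s\n", $label, $value);
}
```

With `php quotes.php` the script shows the value arriving as What\'s up?, paths 1 and 3 storing What's up? (path 3 identically with the flag on or off), path 2 storing What\'s up? with the stray backslash, and stripslashes() on output turning C:\temp\notes.txt into C:tempnotes.txt. The mysqlStoresLiteral() stand-in covers only the quote and backslash escapes relevant here, not MySQL's full escape syntax.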

innova
10-17-2005, 05:29 PM
You always want to test (not depend on) the value of magic_quotes setting in your code.

Better yet though, use something like SafeSQL to filter your query parameters through... it's very nice!