  1. #1
    Join Date
    Jul 2005
    Posts
    77

    PHP: addslashes and stripslashes

    In a HTML form text field, I enter:
    What's up?

    Using PHP, the input is written to a varchar field in a MySQL table. When I look at the data in the table, it shows as:
    What's up?

    Using PHP, the data is read from the MySQL table. When displayed on a webpage, it shows as:
    What's up?

    Everything seems to work as it should. So, when exactly do I need to use addslashes and stripslashes functions on the input or output data?

  2. #2
    Join Date
    Jul 2004
    Location
    Scotland, UK
    Posts
    81
    If you're not using either of the 2 functions (or one of the similar ones) then it's probably likely that your php install has been setup with Magic Quotes enabled. The PHP manual has a good entry on magic quotes

    Programmers who are writing for portability and performance will tend to turn magic_quotes_runtime off to ensure that 1) their code can be run on systems which might have it disabled by default and 2) execution of the script doesn't take longer than it needs to.

    Hope that's helped
    Scott - My Spiel

  3. #3
    Join Date
    Jul 2005
    Posts
    77
    Thank you for the reference.

    In my hosting account,
    magic_quotes_gpc is on
    magic_quotes_runtime is off

    I guess this is why it works without using addslashes and stripslashes.

    There is a user comment on the page referred to above that says that you should do a stripslashes on the input before using it and do an addslashes before it is saved to the table. Will that work for all conditions regardless of the magic_quotes settings?

  4. #4
    Join Date
    Feb 2003
    Location
    Connecticut
    Posts
    5,441
    It's to prevent an SQL injection. An SQL injection is when someone writes SQL into an input instead of text, in an attempt to do malicious things to your database.

    What addslashes does is escape the single and double quote characters, so that someone cannot end the current SQL code and start another query with their own.

    The problem with addslashes is that it borks up your input, requires you to stripslashes a lot, and isn't 100% effective. The function mysql_real_escape_string is preferred. Also, if the string is an integer, you can put (int) before it, to tell the server that the string is an integer, not text, and therefore it definitely is not SQL.

    Now sometimes when magic_quotes is on, it will automatically addslashes for you, so you'll also want to stripslashes all content if it is.

    Here's an example of what I do:
    PHP Code:
    function cleanVar($variable) {
        // Undo the escaping magic_quotes_gpc already applied, so the value is escaped exactly once below
        $variable = (get_magic_quotes_gpc() == 1) ? stripslashes($variable) : $variable;
        if (is_numeric($variable)) {
            // Numeric input is cast to an integer, so it can never carry SQL
            return (int) $variable;
        }
        else {
            // Escape the text for use inside a quoted SQL string literal
            return mysql_real_escape_string($variable);
        }
    }
    To use it, just do something like
    PHP Code:
    $query = mysql_query('SELECT * FROM `posts` WHERE `author`="'.cleanVar($author).'"');
    and you should be all set.

    HTH.
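
    The following is an added example, not code from this thread or from DanX; it shows why the get_magic_quotes_gpc() check in cleanVar matters. The $magicQuotesOn flag simulates get_magic_quotes_gpc(), and addslashes() stands in for mysql_real_escape_string() (which needs a live MySQL connection), so the script runs without a database.

```php
<?php
// Added example: escaping must happen exactly once before a value reaches SQL.
// Simulates what PHP hands a script with magic_quotes_gpc on versus off,
// and compares a flag-aware cleanup with a naive "always escape" approach.

function normalizeInput(string $raw, bool $magicQuotesOn): string
{
    // Undo the automatic escaping so we hold the user's original text.
    return $magicQuotesOn ? stripslashes($raw) : $raw;
}

function escapeForSql(string $value): string
{
    // Stand-in for mysql_real_escape_string(): escapes quotes and backslashes.
    return addslashes($value);
}

$original = "What's up?";

// Constructed inputs: what $_POST['msg'] would contain in each configuration.
$samples = [
    'magic quotes off' => [$original, false],
    'magic quotes on'  => [addslashes($original), true],
];

foreach ($samples as $label => [$received, $flag]) {
    $clean      = normalizeInput($received, $flag); // original text, either way
    $sqlLiteral = escapeForSql($clean);             // escaped once: What\'s up?
    $naive      = escapeForSql($received);          // ignores the flag

    printf("%-16s received=%-14s clean=%-12s sql=%-14s naive=%s\n",
        $label, $received, $clean, $sqlLiteral, $naive);
}
// With magic quotes on, the naive path yields What\\\'s up? (double-escaped),
// which is stored with literal backslashes and must later be "fixed" with
// stripslashes(); the flag-aware path yields the same literal in both cases.
```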

  5. #5
    Join Date
    Jul 2005
    Posts
    77
    Thank you for your explanation and example.

  6. #6
    Join Date
    May 2004
    Location
    Singapore
    Posts
    262
    magic_quotes_gpc is on
    That means that your incoming variables have addslashes() applied to them automatically. You don't need to use addslashes() again when using the variables in an SQL statement.

    Still it is often better to take into account the fact that magic_quotes_gpc may be off, and use a method similar to what DanX described.

    Note that data coming from your database does not need to have stripslashes() applied to it. stripslashes() would be used when magic_quotes_gpc is on, and you don't want your variable to be escaped.
    #include<cstdio>
    char*s="#include<cstdio>%cchar*s=%c%s%c;%cint main(){std::printf(s,10,34,s,34,10);}";
    int main(){std::printf(s,10,34,s,34,10);}

  7. #7
    You always want to test (not depend on) the value of magic_quotes setting in your code.

    Better yet though, use something like SafeSQL to filter your query parameters through. It's very nice!
    "The only difference between a poor person and a rich person is what they do in their spare time."
    "If youth is wasted on the young, then retirement is wasted on the old"
