Martin Norland wrote:
Joseph Crawford wrote:

Jason, can you explain why stripslashes should not be used on data
taken from the db? when you store data in the db i thought it was good
practice to addslashes, when you retrieve from the db, you will need
to use stripslashes to remove the extra \

The slashes are added for the database, not to be stored with the data.

for e.g. - to store:  "I've just eaten."

you do: "INSERT INTO status (hunger) values ('I\'ve just eaten.');"

I was always under the impression that single quotes (assuming you are delineating you args with single quotes) should (officially) be escaped with another single quote - although backslash also works:

"INSERT INTO status (hunger) values ('I''ve just eaten.');"

...alot of really old code of mine is full of stuff like:

$var = str_replace("'","''",$var);

but maybe that just MTAM(tm) working for me - (thats a reference to a bit of humour from another thread btw - MTAM is not a technology :-)

which stores: "I've just eaten."

It's not good practice - it's required (if you're not using a mechanism that already handles this - such as the latest mysqli bind functions) - otherwise the query is invalid.

nice to learn that mysqli is getting it 'right' :-) [makes mental note to look into it!]

You may be thinking of running 'htmlentities' when retrieving data - which is necessary in some cases, depending on where you're using it (most notably - in html where you don't want html output).


-- PHP Database Mailing List ( To unsubscribe, visit:

Reply via email to