Martin Norland wrote:
Joseph Crawford wrote:

Jason, can you explain why stripslashes should not be used on data
taken from the db? When you store data in the db I thought it was good
practice to addslashes; when you retrieve from the db, you will need
to use stripslashes to remove the extra \


The slashes are added for the database, not to be stored with the data.

e.g. - to store:  "I've just eaten."

you do: "INSERT INTO status (hunger) values ('I\'ve just eaten.');"

I was always under the impression that single quotes (assuming you are delineating your args with single quotes) should (officially) be escaped with another single quote - although backslash also works:


"INSERT INTO status (hunger) values ('I''ve just eaten.');"

...a lot of really old code of mine is full of stuff like:

$var = str_replace("'","''",$var);

but maybe that's just MTAM(tm) working for me - (that's a reference to a bit of humour from another thread btw - MTAM is not a technology :-)


which stores: "I've just eaten."

It's not good practice - it's required (if you're not using a mechanism that already handles this - such as the latest mysqli bind functions) - otherwise the query is invalid.

nice to learn that mysqli is getting it 'right' :-) [makes mental note to look into it!]



You may be thinking of running 'htmlentities' when retrieving data - which is necessary in some cases, depending on where you're using it (most notably - in html where you don't want html output).


Cheers,

-- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
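As an added illustration of the point made in the thread (this is example code written for this page, not code from any of the posters): the escaping belongs to the query text, not to the stored value, so once the row is read back there is nothing to strip. The example uses mysqli prepared statements, which the thread mentions, so no manual escaping happens at all; it assumes a table `status` with a text column `hunger` as in the thread, and the connection details are placeholders. Doubling the quote (`''`) is the SQL-standard form and backslash escaping is a MySQL extension, which is why the connection-aware escaper, not a hand-rolled str_replace or addslashes, is the right fallback for legacy string-built queries.

```php
<?php
// Example code added to the thread, not the posters' own.
// Assumes: table `status` (hunger TEXT); connection details are placeholders.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholders
$db->set_charset('utf8mb4');

$text = "I've just eaten.";

// 1. Parameterised insert: the value travels separately from the SQL text,
//    so the single quote is never escaped and is stored exactly as given.
$stmt = $db->prepare('INSERT INTO status (hunger) VALUES (?)');
$stmt->bind_param('s', $text);
$stmt->execute();
$stmt->close();

// 2. Reading it back: the column holds "I've just eaten." with no backslash.
//    Running stripslashes() here would be wrong, because it would remove any
//    backslash that was genuinely part of the data.
$stmt = $db->prepare('SELECT hunger FROM status WHERE hunger = ?');
$stmt->bind_param('s', $text);
$stmt->execute();
$stmt->bind_result($stored);
$stmt->fetch();
$stmt->close();

if ($stored !== $text) {
    throw new RuntimeException('stored value differs from what was inserted');
}

// 3. Legacy code that still builds SQL strings by hand should use the
//    connection-aware escaper rather than addslashes(): it knows the
//    connection character set and the server's sql_mode, and the escaped
//    form exists only inside this query string, never in the table.
$legacySql = "INSERT INTO status (hunger) VALUES ('"
    . $db->real_escape_string($text) . "')";
$db->query($legacySql);

// 4. HTML escaping is a separate, output-time concern: apply it where the
//    value is rendered into a page, not when it is written to the database.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";

$db->close();
```

The two escaping steps answer two different questions: `real_escape_string` (or, better, a bound parameter) keeps the SQL parser from misreading the value, and `htmlspecialchars` keeps the browser from interpreting it as markup. Neither belongs in the stored data, which is why nothing needs to be undone on the way out.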
