On 18 January 2005 17:11, Joseph Crawford wrote:

> Jason, can you explain why stripslashes should not be used on data
> taken from the db? When you store data in the db, I thought it was good
> practice to addslashes; when you retrieve from the db, you will need
> to use stripslashes to remove the extra \

It's simple.  Suppose you have a script that looks a bit like this (but
hopefully with more input validation and error checking!):

    $value = addslashes($_POST['text']); // magic_quotes_gpc off

    $sql = "INSERT INTO tbl SET fld = '$value'";


Now suppose the user types this into the 'text' form field:

    Here's an apostrophe

Here's what happens:

  PHP does this:

    $value is set to: Here\'s an apostrophe

    $sql becomes:     INSERT INTO tbl SET fld = 'Here\'s an apostrophe'

    Which is sent to the database via database_execute()

  The DATABASE now does this:

    Receives the SQL statement: INSERT INTO tbl SET fld = 'Here\'s an

        (Note how the \ escape is required here to stop the field
        value from terminating prematurely -- but this escape is
        aimed at the *database*, and is not a PHP escape.  A lot of
        confusion seems to arise here for databases which use the
        same \ escape character as PHP.)

    Extracts the value:           Here\'s an apostrophe
    and de-escapes it to give:    Here's an apostrophe

    Which gets inserted into the database.

So the value inserted into the database is the unescaped original, and on
retrieval there are no \ characters in the retrieved value to be

Hope that's clearer than mud, and helps you understand what's going on



Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Headingley Campus, LEEDS,  LS6 3QS,  United Kingdom
Tel: +44 113 283 2600 extn 4730      Fax:  +44 113 283 3211 
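
The round trip described in the message above, as an added example that is not part of the original post. It is a Python model: `addslashes` and `stripslashes` mirror the PHP functions, and `db_store` is a simplified, hypothetical stand-in for a database whose string literals use `\` as the escape character.

```python
# Added illustration; all sample strings below are constructed.

def addslashes(s):
    # Backslash-escape ', ", \ and NUL, as PHP's addslashes() does.
    return "".join("\\0" if c == "\0" else "\\" + c if c in "'\"\\" else c
                   for c in s)

def unescape(s):
    # Remove one level of backslash escaping.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            i += 1
            out.append("\0" if s[i] == "0" else s[i])
        elif s[i] != "\\":
            out.append(s[i])
        i += 1
    return "".join(out)

def stripslashes(s):
    # PHP side: what stripslashes() would do to a retrieved value.
    return unescape(s)

def db_store(sql):
    # Database side: find the first '...' literal, then de-escape it.
    # Simplification: only the escapes addslashes() can emit are modelled.
    start = i = sql.index("'") + 1
    while i < len(sql) and sql[i] != "'":
        i += 2 if sql[i] == "\\" else 1
    if i >= len(sql) or sql[i + 1:].strip():
        raise ValueError("string literal is malformed or ends early")
    return unescape(sql[start:i])

def round_trip(text, strip_on_read):
    # Escape, build the statement, let the "database" parse it, read back.
    sql = "INSERT INTO tbl SET fld = '%s'" % addslashes(text)
    stored = db_store(sql)
    return stripslashes(stored) if strip_on_read else stored

if __name__ == "__main__":
    for text in ["Here's an apostrophe", "C:\\temp\\new"]:
        print(repr(text), "->", repr(round_trip(text, False)),
              "| with stripslashes:", repr(round_trip(text, True)))
```

The apostrophe value survives either way, which is why the extra `stripslashes` call often goes unnoticed; the value containing real backslashes comes back intact only when `stripslashes` is not applied.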
