On 18 January 2005 17:11, Joseph Crawford wrote:
> Jason, can you explain why stripslashes should not be used on data
> taken from the db? When you store data in the db I thought it was good
> practice to addslashes; when you retrieve from the db, you will need
> to use stripslashes to remove the extra \
It's simple. Suppose you have a script that looks a bit like this (but
hopefully with more input validation and error checking!):
    $value = addslashes($_POST['text']); // magic_quotes_gpc off
    $sql = "INSERT INTO tbl SET fld = '$value'";
    database_execute($sql);
Now suppose the user types this into the 'text' form field:

    Here's an apostrophe

Here's what happens:

PHP does this:
    $value is set to: Here\'s an apostrophe
    $sql becomes: INSERT INTO tbl SET fld = 'Here\'s an apostrophe'
    Which is sent to the database via database_execute()

The DATABASE now does this:
    Receives the SQL statement: INSERT INTO tbl SET fld = 'Here\'s an apostrophe'
    (Note how the \ escape is required here to stop the field
    value from terminating prematurely -- but this escape is
    aimed at the *database*, and is not a PHP escape. A lot of
    confusion seems to arise here for databases which use the
    same \ escape character as PHP.)
    Extracts the value: Here\'s an apostrophe
    and de-escapes it to give: Here's an apostrophe
    Which gets inserted into the database.
So the value inserted into the database is the unescaped original, and on
retrieval there are no \ characters in the retrieved value to be
stripslashes()ed.
Hope that's clearer than mud, and helps you understand what's going on
better.
Cheers!
Mike
---------------------------------------------------------------------
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Headingley Campus, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
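The round trip Mike describes, as an added example that is not part of the original thread or of any poster's code. It runs stand-alone against an in-memory SQLite database and assumes the pdo_sqlite extension is loaded (the table name tbl and column fld are taken from the thread; the function storeAndFetch is a name chosen here). Because SQLite escapes an embedded quote by doubling it rather than with a backslash, the interpolation step uses the driver's own PDO::quote() instead of addslashes(), which is tied to MySQL-style escaping; either way the escape is consumed by the database parser and never stored. The prepared-statement form is the one to prefer, since it sends the value separately from the SQL text and removes the escaping question altogether (magic_quotes_gpc, referenced in the thread's comment, was removed in PHP 5.4). The last step shows the damage stripslashes() does to retrieved data that legitimately contains backslashes.

```php
<?php
// Added example, not from the original thread. Assumes pdo_sqlite is available.
// Run with:  php stripslashes_demo.php

function storeAndFetch(PDO $db, string $input): string
{
    // Prepared statement: the driver transports the value separately from the
    // SQL text, so nothing is escaped in PHP and nothing needs de-escaping later.
    $ins = $db->prepare('INSERT INTO tbl (fld) VALUES (:v)');
    $ins->execute([':v' => $input]);

    // Read back exactly the row just written.
    $sel = $db->prepare('SELECT fld FROM tbl WHERE rowid = :id');
    $sel->bindValue(':id', (int) $db->lastInsertId(), PDO::PARAM_INT);
    $sel->execute();
    return (string) $sel->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl (fld TEXT)');

$input = "Here's an apostrophe";

// 1. What addslashes() produces in PHP: the backslash exists only so that a
//    backslash-escaping database parser can tell the embedded quote from the
//    closing quote of the literal. It is not part of the value.
echo "addslashes() gives: ", addslashes($input), "\n";

// 2. The thread's interpolation pattern, with the escape chosen by the driver
//    for this database's syntax. The database parser strips it on the way in.
$literal = $db->quote($input);
$db->exec("INSERT INTO tbl (fld) VALUES ($literal)");
echo "stored via quoted literal: ", $db->query('SELECT fld FROM tbl')->fetchColumn(), "\n";

// 3. The same with a prepared statement: what goes in is exactly what comes out,
//    so there is no backslash left for stripslashes() to remove.
$back = storeAndFetch($db, $input);
var_dump($back === $input);

// 4. Why stripslashes() on retrieved data is harmful: it silently destroys
//    backslashes that were genuinely part of the data.
$path = 'C:\\temp\\file.txt';            // the string C:\temp\file.txt
$back = storeAndFetch($db, $path);
var_dump($back === $path);               // the stored value is intact
var_dump(stripslashes($back) === $path); // stripslashes() has altered it
```

The two var_dump() calls in step 3 and the first in step 4 confirm that the retrieved value is byte-for-byte the original; the final one shows that applying stripslashes() on the way out changes data the database returned correctly.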
--
PHP Database Mailing List (http://www.php.net/)