On 28 January 2004 12:31, Will wrote:

> I'm a little confused with these functions. How, I hear you
> ask. Well, I thought I understood what they were for:
> Escaping characters that might cause a problem when you enter
> your data into a database query. i.e. \ ' "
> 
> Anyway what is confusing me is, say I have a string which
> contains an ' e.g: that's mine. I would use addslashes so
> that the query wouldn't upset mysql when it is entered.
> Viewing the data entry via phpmyadmin the data is displayed
> as: that's mine (not: that\'s mine) Meaning that when I
> extract the data from the database I need to use stripslashes
> returning the string to: that's mine.

Correct so far.  Let's do a little visualisation, using your example string
of "that's mine":

* Start with the string you want to insert:   that's mine

* You apply addslashes to "escape"
  problematic characters.  This results in:   that\'s mine

* The database takes this string, translates
  the escape sequence to its unescaped
  equivalent, and inserts the result:         that's mine

So, by this process, you have inserted into the database exactly what you
wanted -- in the process, it gets "escaped" in PHP, and then unescaped by
the database.  The bottom line here is, the slashes do *not* get inserted --
they are there simply to ensure that any potentially problematic characters
get stored correctly.

Now, when you retrieve this data, PHP takes a look at the setting of
magic_quotes_runtime, and if it is On does an on-the-fly addslashes() on the
retrieved value; so the result, when displayed will be:

* with magic_quotes_runtime = On:             that\'s mine

* with magic_quotes_runtime = Off:            that's mine

So, with magic_quotes_runtime Off, you get back exactly what you put in,
which is good for displaying on, say, an HTML page; with it On, you get a
version that's good for using in, say, another database query, but needs
stripslashes()ing before you display it.

Now to the meat of your query:

> However recently I encrypted some data which I stored in the
> database. The string contained a \ which I added slashes to
> when entered in to the database. But the database appears
> to strip the first slash off the double slash automatically,
> so upon retrieving the data and stripping the slashes off it, my
> data is now corrupt, as there weren't double slashes; it was
> just a single (like it was supposed to be), and that got
> removed by the function instead of the extra one.

Well, it's important to note here that the encryption of a string containing
problematic characters may not, itself, contain them -- and, of course, vice
versa! -- so the trick is to apply addslashes() (or whatever) to the values
*inserted into the database*.  This means that the sequence should be:

* encrypt string

* apply addslashes

* insert into database

The database will, as before, deslash the string as it is inserted, so that
when you later retrieve the encrypted value and decrypt it you will properly
get back what you started with.

If you addslashes() and then encrypt, you've just incorporated the added
slashes into the encrypted value -- and you have no protection against
encrypted values which themselves contain quotes or slashes.

> As I haven't had any data that contains a \ in it before, I've
> never noticed; it's not made any difference before.
> So does this basically mean that there is no point using
> stripslashes on the data you extract from the database?

If you've correctly addslashes()ed it on the way in, then yes, there is no
point -- since the added slashes never actually make it into the database.
(Indeed, you may incorrectly remove slashes that were in the original data!)

Cheers!

Mike

---------------------------------------------------------------------
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730      Fax:  +44 113 283 3211 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
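Added example, not code from the thread or from PHP's own documentation. It walks the three steps Mike describes in PHP: addslashes() before the query, the database turning the escape sequences back into raw characters on insert, and (optionally) stripslashes() on the way out, then shows the two encryption orderings from the second half of the reply. db_store_literal() is a stand-in for the database step, modelled on how a quoted string literal is decoded; it is an assumption for the demo, not a real driver, and runs no query. The key and IV are generated fresh each run purely so the example is self-contained.

```php
<?php
declare(strict_types=1);

// Stand-in for the database decoding a quoted string literal on insert.
// It undoes exactly the four escapes addslashes() produces: \\ \' \" \0
// (assumption for this demo; a real server does this inside the parser).
function db_store_literal(string $escaped): string
{
    return strtr($escaped, [
        '\\\\' => '\\',
        "\\'"  => "'",
        '\\"'  => '"',
        '\\0'  => "\0",
    ]);
}

// 1. Plain text: the slashes exist only on the wire between PHP and the
//    database; what is stored is the original value.
function round_trip_plain(string $value): array
{
    $escaped = addslashes($value);
    $stored  = db_store_literal($escaped);
    return [
        'escaped' => $escaped,            // what PHP sends in the query
        'stored'  => $stored,             // what the database keeps
        'mq_on'   => addslashes($stored), // what magic_quotes_runtime=On hands back
        'mq_off'  => $stored,             // what magic_quotes_runtime=Off hands back
    ];
}

// 2. Why stripslashes() on the way out is harmful once escaping was done
//    correctly on the way in: a stored value that legitimately contains a
//    backslash loses it, which is the corruption Will describes.
function strip_on_output(string $value): string
{
    $stored = db_store_literal(addslashes($value));
    return stripslashes($stored);
}

// 3a. Correct order: encrypt first, then escape the bytes that actually go
//     into the query. Raw ciphertext may contain quotes, backslashes or NULs,
//     so it needs escaping; the database stores the raw bytes intact.
function encrypt_then_escape(string $plain, string $key, string $iv): array
{
    $cipher = openssl_encrypt($plain, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    $stored = db_store_literal(addslashes($cipher));
    return [
        // how many ciphertext bytes addslashes() had to protect this run
        'escaped_bytes' => strlen(addslashes($cipher)) - strlen($cipher),
        'round_trips'   => openssl_decrypt($stored, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv) === $plain,
    ];
}

// 3b. Wrong order: the slashes become part of the plaintext that gets
//     encrypted, and the ciphertext itself reaches the query unescaped.
function escape_then_encrypt(string $plain, string $key, string $iv): string
{
    $cipher = openssl_encrypt(addslashes($plain), 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    // Decrypting returns the escaped form, not the original value.
    return openssl_decrypt($cipher, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
}

// Demo key material, generated per run for this example only.
$key = random_bytes(32); // AES-256 key
$iv  = random_bytes(16); // CBC IV

print_r(round_trip_plain("that's mine"));
echo strip_on_output('C:\\temp\\file'), "\n";
print_r(encrypt_then_escape("that's mine", $key, $iv));
echo escape_then_encrypt("that's mine", $key, $iv), "\n";
```

Run it with `php example.php`. The plain round trip shows that only the `escaped` form carries a backslash; `strip_on_output()` shows a path with backslashes being mangled by an output-side stripslashes(); the two encryption functions show that the value whose bytes reach the query is the one that must be escaped. Note for anyone reading this today: magic_quotes_runtime and magic_quotes_gpc were removed in PHP 5.4, addslashes() is not aware of the connection's character set, and the current practice is to bind values with prepared statements (PDO or mysqli) so that no escaping of the inserted bytes is done by hand at all.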
