I do it the following way to achieve portability:

For GET/POST/COOKIE variables:
1. check the "magic_quotes_gpc" PHP setting - if enabled, strip slashes from input 
variables using stripslashes()
2. check input/anything
3. prior to building the SQL query, escape stuff (mysql - mysql_real_escape_string(), 
others use different escaping methods)
4. run query

For data that comes from SQL sources:
1. check magic_quotes_runtime PHP setting...


On Monday 16 May 2005 10:32, Petzo wrote:
> Hi,
>
>     My question is about the normal behaviour of PHP and MYSQL but I can't
> explain it without a simple example. Thank you for reading:
>
>     I have the following code:
> --------------------------------------------------------------------
> <?php
> print $t = $_POST['txt'];
> print $t = addslashes($t);
>
>    @ $db = mysql_pconnect(xxx,xxx,xxx);
>    mysql_select_db('test');
>
>    $q = "update ttable set ffield='$t'";
>    mysql_query($q);
>
>    $q = "select * from ttable";
>    $result = mysql_query($q);
>    $bo = mysql_fetch_array($result);
>
> print $t = $bo['ffield'];
> print $t = stripslashes($t);
> ?>
> --------------------------------------------------------------------
>
>
> from an HTML form I send variable:
> --------------------------------------------------------------------
> ' \ \' \\ \\\
> --------------------------------------------------------------------
>
> after addslashes it becomes:
> --------------------------------------------------------------------
> \' \\ \\\' \\\\ \\\\\\
> --------------------------------------------------------------------
>
> after that it gets in the database
>
> but after I get it out it becomes:
> --------------------------------------------------------------------
> ' \ \' \\ \\\
> --------------------------------------------------------------------
> (without the backslashes!)
>
> and of course after stripslashes it gets messed up:
> --------------------------------------------------------------------
> ' ' \ \
> --------------------------------------------------------------------
>
> So my question is if this is a normal behaviour for PHP+MYSQL or it may
> vary in different configurations or versions of both php or mysql.
> It's not a bad thing to be like that but I wonder if my code will behave
> the same on most systems.
>
> Thank you very much

-- 
Best regards,

Bostjan Skufca
system administrator

Domenca d.o.o. 
Phone: +386 4 5835444
Fax: +386 4 5831999
http://www.domenca.com
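
The round trip from the question and step 1 of the reply, as an added example that is not code from the thread. `normalize_input()` and `server_parse_literal()` are hypothetical helpers; the latter is a simplified model of the server consuming backslash escapes, covering only what addslashes() emits, and the magic_quotes_gpc setting is passed as a parameter rather than read from PHP.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical.

// Reply step 1: undo magic_quotes_gpc when it was applied to the request.
// The setting is passed in as a parameter (an assumption of this example)
// so the script also runs on PHP versions that no longer have it.
function normalize_input(string $raw, bool $magicQuotesGpc): string
{
    return $magicQuotesGpc ? stripslashes($raw) : $raw;
}

// Simplified model of the server reading a quoted string literal with
// backslash escapes enabled: every escape is consumed exactly once.
// Only the escapes addslashes() emits (\' \" \\ \0) are handled.
function server_parse_literal(string $escaped): string
{
    $out = '';
    for ($i = 0, $n = strlen($escaped); $i < $n; $i++) {
        if ($escaped[$i] === '\\' && $i + 1 < $n) {
            $next = $escaped[++$i];
            $out .= ($next === '0') ? "\0" : $next;
        } else {
            $out .= $escaped[$i];
        }
    }
    return $out;
}

// The form value from the question (nowdoc: no escape processing by PHP).
$submitted = <<<'TXT'
' \ \' \\ \\\
TXT;

// magic_quotes_gpc off: escape once for the query, as in the question.
$input  = normalize_input($submitted, false);
$stored = server_parse_literal(addslashes($input));
printf("stored equals input:            %s\n", var_export($stored === $input, true));
printf("stripslashes(stored) is intact: %s\n", var_export(stripslashes($stored) === $input, true));

// magic_quotes_gpc on: the request value already carries one layer of slashes.
$gpcValue = addslashes($submitted);
$skipped  = server_parse_literal(addslashes($gpcValue));                        // step 1 skipped
$applied  = server_parse_literal(addslashes(normalize_input($gpcValue, true))); // step 1 applied
printf("step 1 skipped, stored intact:  %s\n", var_export($skipped === $submitted, true));
printf("step 1 applied, stored intact:  %s\n", var_export($applied === $submitted, true));
```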
