Re: [PHP] storing single and double quote in MySQL

Wed, 24 May 2006 07:29:53 -0700 

after these very helpfull comments, I rad (again) Shiflett's (and few
others) Security articles about filtering input and output. And more I
read - less is clear :(

Before, I used addslash() before I insert data in database and strislshe()
to show them on screen.

Later found it's not good and start using mysql_real_escae_string() to add
to DB and stripslashe() to show on screen.

But, also, I thought, mysql_real_escape_string() is "filter" for
everything, e.g. lets have three links (add, delete, edit) as
<a href=index.php?action=add&rec_id=$rec_id>Add new</a>
<a href=index.php?action=edit&rec_id=$rec_id>Edit</a>
<a href=index.php?action=delete&rec_id=$rec_id>Delete</a>
and was doing this way:
#index.php
<?php
if($_GET['action'])
{
        $action = mysql_real_escape_string($_GET['action']);
        $rec_id = mysql_real_escape_string($_GET['rec_id']);
        switch($action)
        {
                case 'add':
                        // add new record
                break;

                case 'edit':
                        // edit record
                break;

                case 'delete':
                        // delete record
                break;
        }
}
?>

it means that $action I will never store in DB, neither show on screen. I
then wrong to
$action = mysql_real_escape_string($_GET['action']);
or I should
$action = htmlentities($_GET['action']);
or
$action = $_GET['action'];
is just fine?

I', really confused.


>
>
> Richard Lynch wrote:
>
>>On Mon, May 22, 2006 11:37 am, Brad Bonkoski wrote:
>>
>>
>>>http://www.php.net/manual/en/function.stripslashes.php
>>>if you have to dump that information back to the users.
>>>
>>>
>>
>>If you are using http://php.net/stripslashes on data coming out of
>>your database, you are DEFINITELY doing something wrong acquiring that
>>data.
>>
>>Stripslashes is "correctly" used ONLY when:
>>1. You have Magic Quotes on, and
>>2. You need to display/use the incoming data for something other than
>>MySQL in the same script that does the INSERT
>>
>>
>>Even then, you really ought to turn off Magic Quotes and migrate to
>>http://php.net/mysql_real_escape_string
>>
>>
>>
> Thanks for your constructive criticism.... Sorry for the original bad
> advice.
>
> So, when the magic_quotes goes away in future version, with
> stripslashes() also go away?
>
> -Brad
>
>
>
>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to