[PHP] stripslashes() when reading from the DB

2004-07-12 Thread Jordi Canals
Hi,
I usually stripslashes() when I read the info from the database (MySQL).
Because the information was inserted after adding slashes, or the
system has magic_quotes_gpc set to ON.

I'd like to know, if I can do stripslashes() directly, as it is supposed
that all data was inserted into DB after slashing the vars. I mean,
should I check or not before if magic_quotes_gpc are on?

As I know, magic_quotes_gpc has nothing to do with info read from the
DB, as it only affects Get/Post/Cookie values.

I think to make a check like this:

$result = mysql_query('SELECT ...');
$row = mysql_fetch_assoc($result);

foreach ($row as $key => $value) {
    $row[$key] = stripslashes($value);
}

But not sure if it is really necessary, as I'm getting some confusing results.
Any help will be welcome
Regards,
Jordi.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP] stripslashes() when reading from the DB

2004-07-12 Thread Justin Patrin
On Mon, 12 Jul 2004 20:45:12 +0200, Jordi Canals wrote:
> Hi,
>
> I usually stripslashes() when I read the info from the database (MySQL).
> Because the information was inserted after adding slashes, or the
> system has magic_quotes_gpc set to ON.
>
> I'd like to know, if I can do stripslashes() directly, as it is supposed
> that all data was inserted into DB after slashing the vars. I mean,
> should I check or not before if magic_quotes_gpc are on?
>
> As I know, magic_quotes_gpc has nothing to do with info read from the
> DB, as it only affects Get/Post/Cookie values.
>
> I think to make a check like this:
>
> $result = mysql_query('SELECT ...');
> $row = mysql_fetch_assoc($result);
>
> foreach ($row as $key => $value) {
>     $row[$key] = stripslashes($value);
> }
>
> But not sure if it is really necessary, as I'm getting some confusing results.

What you *should* be doing is check for magic quotes when inserting into the DB.

if (!get_magic_quotes_gpc()) {
  $value = mysql_real_escape_string($value);
}

// The escaped value still has to sit inside a quoted SQL string literal.
$query = "INSERT INTO table (field) VALUES ('" . $value . "')";
mysql_query($query);


-- 
DB_DataObject_FormBuilder - The database at your fingertips
http://pear.php.net/package/DB_DataObject_FormBuilder

paperCrane --Justin Patrin--




Re: [PHP] stripslashes() when reading from the DB

2004-07-12 Thread Philip Olson

>> I usually stripslashes() when I read the info from the database (MySQL).
>> Because the information was inserted after adding slashes, or the
>> system has magic_quotes_gpc set to ON.
>>
>> I'd like to know, if I can do stripslashes() directly, as it is supposed
>> that all data was inserted into DB after slashing the vars. I mean,
>> should I check or not before if magic_quotes_gpc are on?
>>
>> As I know, magic_quotes_gpc has nothing to do with info read from the
>> DB, as it only affects Get/Post/Cookie values.
>>
>> I think to make a check like this:
>>
>> $result = mysql_query('SELECT ...');
>> $row = mysql_fetch_assoc($result);
>>
>> foreach ($row as $key => $value) {
>>     $row[$key] = stripslashes($value);
>> }
>>
>> But not sure if it is really necessary, as I'm getting some confusing results.
>
> What you *should* be doing is check for magic quotes when inserting into the DB.
>
> if (!get_magic_quotes_gpc()) {
>   $value = mysql_real_escape_string($value);
> }
>
> // The escaped value still has to sit inside a quoted SQL string literal.
> $query = "INSERT INTO table (field) VALUES ('" . $value . "')";
> mysql_query($query);

To add further comment.  If you're required to run stripslashes() on
data coming out of your database then you did something wrong.  Your
code would have essentially looked like the following before insertion:

  $var = addslashes(addslashes($var));

Where 'magic_quotes_gpc = on' essentially executed one of those
addslashes().  The above use of get_magic_quotes_gpc() shows you 
how to add slashes just once thus not having a bunch of \' type 
badness inside your database.  Remember backslashes are only 
added to make proper strings for db insertion so the backslashes 
should never actually make it into the database.

Regards,
Philip




Re: [PHP] stripslashes() when reading from the DB

2004-07-12 Thread John W. Holmes
Jordi Canals wrote:
> I usually stripslashes() when I read the info from the database (MySQL).
> Because the information was inserted after adding slashes, or the
> system has magic_quotes_gpc set to ON.

I remember being taught this lesson long ago. :)

You do not need to strip slashes from the data being read from the 
database. If you find yourself having to do that, then you're escaping 
the data twice before it's inserted. You more than likely have 
magic_quotes_gpc enabled which escapes all incoming GET, POST and COOKIE 
data and then you are running addslashes() yourself.

You should check the magic_quotes setting with get_magic_quotes_gpc() 
and then determine if you need to use addslashes or 
mysql_real_escape_string().

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals  www.phparch.com


Re: [PHP] stripslashes() when reading from the DB

2004-07-12 Thread Jordi Canals
Philip Olson wrote:
>> I usually stripslashes() when I read the info from the database (MySQL).
>> Because the information was inserted after adding slashes, or the
>> system has magic_quotes_gpc set to ON.
>
> To add further comment.  If you're required to run stripslashes() on
> data coming out of your database then you did something wrong.  Your
> code would have essentially looked like the following before insertion:

Wow, here was just my mistake :p I have magic_quotes_gpc at ON and I
do not use addslashes. I use a custom .htaccess file to ensure
magic_quotes_gpc are ON ...

But in a class used to create the forms, there is a stripslashes(), hence
the strange results I've seen. Removed stripslashes from the function, solved
the problem.

I just have to work out how to manage the form when data comes from a
previous post (which has slashes) or comes from the DB (which has NOT).

Thanks to all for helping me clarify this point.
Jordi.
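
The double escaping Philip Olson describes, and the form question in the last message, as an added example that is not part of the original thread. magic_quotes_gpc no longer exists in current PHP, so it is simulated here with addslashes(); decode_sql_literal(), stored_value() and form_value() are hypothetical helpers and the sample input is constructed.

```php
<?php
// Added example, not code from the thread. magic_quotes_gpc is simulated with
// addslashes(), which is what the setting applied to GET/POST/COOKIE values.

// Hypothetical helper: models the database decoding a quoted string literal,
// which consumes one level of backslash escapes. stripslashes() is assumed
// to be an adequate model for addslashes() output.
function decode_sql_literal(string $escaped): string
{
    return stripslashes($escaped);
}

// What ends up in the column. $policy is 'always' (the application escapes
// unconditionally) or 'check' (it escapes only when magic quotes are off).
function stored_value(string $raw, bool $magicQuotes, string $policy): string
{
    $value = $magicQuotes ? addslashes($raw) : $raw;    // PHP's automatic layer
    if ($policy === 'always' || !$magicQuotes) {
        $value = addslashes($value);                    // the application's layer
    }
    return decode_sql_literal($value);
}

// Raw value for a form field: only request data carries the magic-quotes layer.
function form_value(string $value, string $source, bool $magicQuotes): string
{
    return ($source === 'post' && $magicQuotes) ? stripslashes($value) : $value;
}

$raw = "O'Reilly";    // constructed sample input

foreach ([true, false] as $magicQuotes) {
    foreach (['always', 'check'] as $policy) {
        printf("magic_quotes=%-3s policy=%-6s stored=%s\n",
            $magicQuotes ? 'on' : 'off', $policy,
            stored_value($raw, $magicQuotes, $policy));
    }
}

// The same field filled from a re-posted form and from the database row.
$posted = addslashes($raw);                   // as it arrives with magic quotes on
$fromDb = stored_value($raw, true, 'check');  // as it was stored
var_dump(form_value($posted, 'post', true) === form_value($fromDb, 'db', true));
```

Only the magic_quotes=on, policy=always combination stores a backslash, which is the case that makes stripslashes() on read look necessary.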