473,686 Members | 3,147 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

[FAQ] addslashes() and striplashes()

Q. How do I use addslashes() and stripslashes() when dealing with HTML
forms and database INSERTs, UPDATEs and SELECTs?

A. It depends on the setting of the php.ini directive
"magic_quotes_g pc". By default, magic_quotes_gp c is On.

If magic_quotes_gp c is On:
Use stripslashes() for data which originates from an HTML form and is
shown in an HTML page after a roundtrip to the server.
Do not use addslashes().

If magic_quotes_gp c is Off:
Use addslashes() when INSERTing or UPDATEing data into the database.
Do not use stripslashes().

You can check the magic_quotes_gp c setting with the
get_magic_quote s_gpc() function.

Contrary to popular belief, it should never be necessary to use
stripslashes() on data which originates from a database SELECT. The
slashes which are added manually with addslashes(), or automagically
when magic_quotes_gp c is On, are only used to properly escape the data
before an INSERT or UPDATE and are themselves not stored in the database.

Refer:
http://www.php.net/manual/en/function.addslashes.php
http://www.php.net/manual/en/function.stripslashes.php
http://www.php.net/manual/en/functio...quotes-gpc.php

+++++
@todo grammar checking by native English speaker. Maybe the 'Q' should
be something like "Why do I have backslashes in my form data"? Not sure.

JP
--
Sorry, <de*****@cauce. org> is a spam trap.
Real e-mail address unavailable. 5000+ spams per month.
Jul 17 '05 #1
4 18977
Jan Pieter Kunst wrote:
Q. How do I use addslashes() and stripslashes() when dealing with HTML
forms and database INSERTs, UPDATEs and SELECTs?

A. It depends on the setting of the php.ini directive
"magic_quotes_g pc". By default, magic_quotes_gp c is On.

If magic_quotes_gp c is On:
Use stripslashes() for data which originates from an HTML form and is
shown in an HTML page after a roundtrip to the server.
Do not use addslashes().

If magic_quotes_gp c is Off:
Use addslashes() when INSERTing or UPDATEing data into the database.
Do not use stripslashes().

You can check the magic_quotes_gp c setting with the
get_magic_quote s_gpc() function.

Contrary to popular belief, it should never be necessary to use
stripslashes() on data which originates from a database SELECT. The
slashes which are added manually with addslashes(), or automagically
when magic_quotes_gp c is On, are only used to properly escape the data
before an INSERT or UPDATE and are themselves not stored in the database.

Refer:
http://www.php.net/manual/en/function.addslashes.php
http://www.php.net/manual/en/function.stripslashes.php
http://www.php.net/manual/en/functio...quotes-gpc.php

+++++
@todo grammar checking by native English speaker.
Better than most Americans.
Maybe the 'Q' should
be something like "Why do I have backslashes in my form data"? Not sure.
Probably yes. Actually there may be several questions that could all route
to the same answer, users could be having a variety of problems that the
information above is relevant to, so how about:

Q: I have heard you should always use "addslashes " before putting user input
into a database. Why is that?

Q: How do I handle single quotes in user input, I am getting errors trying
to INSERT and UPDATE.

Q: Do I need Addslashes on data coming from a database server and going to
the browser?

Q: Why do I have backslashes in my form data?

Q: What do I need to do to "sanitize" user input so it is database-safe?

JP


--
Kenneth Downs
Secure Data Software, Inc.
(Ken)nneth@(Sec )ure(Dat)a(.com )
Jul 17 '05 #2
Q: How do I use addslashes() and stripslashes() when dealing with HTML
forms and database INSERTs, UPDATEs and SELECTs?
Q: How do I handle single quotes in user input, I am getting errors
trying
to INSERT and UPDATE.
Q: Why do I have backslashes in my form data?
Q: What do I need to do to "sanitize" user input so it is
database-safe?

A. It depends on the setting of the php.ini directive
"magic_quotes_g pc". By default, magic_quotes_gp c is On.

If magic_quotes_gp c is On:
Use stripslashes() for data which originates from an HTML form and is
shown in an HTML page after a roundtrip to the server.
Do not use addslashes().

If magic_quotes_gp c is Off:
Use addslashes() when INSERTing or UPDATEing data into the database.
Do not use stripslashes().

You can check the magic_quotes_gp c setting with the
get_magic_quote s_gpc() function.

Contrary to popular belief, it should never be necessary to use
stripslashes() on data which originates from a database SELECT. The
slashes which are added manually with addslashes(), or automagically
when magic_quotes_gp c is On, are only used to properly escape the data
before an INSERT or UPDATE and are themselves not stored in the
database.

Refer:
http://www.php.net/addslashes
http://www.php.net/stripslashes
http://www.php.net/get_magic_quotes_gpc

+++++
@revision 1 Initial
@revision 2 Merged Kenneth Downs comments. Shortened document URLs
@author Jan Pieter Kunst, Kenneth Downs
@todo grammar checking by native English speaker. Maybe the 'Q' should
be something like "Why do I have backslashes in my form data"? Not
sure.
@todo Bring this question to main FAQ Thread. (missed this one in Rev 5)

Jul 17 '05 #3
Q: How do I use addslashes() and stripslashes() when dealing with HTML
forms and database INSERTs, UPDATEs and SELECTs?
Q: How do I handle single quotes in user input, I am getting errors
trying
to INSERT and UPDATE.
Q: Why do I have backslashes in my form data?
Q: What do I need to do to "sanitize" user input so it is
database-safe?

A. It depends on the setting of the php.ini directive
"magic_quotes_g pc". By default, magic_quotes_gp c is On.

If magic_quotes_gp c is On:
Use stripslashes() for data which originates from an HTML form and is
shown in an HTML page after a roundtrip to the server.
Do not use addslashes().

If magic_quotes_gp c is Off:
Use addslashes() when INSERTing or UPDATEing data into the database.
Do not use stripslashes().

You can check the magic_quotes_gp c setting with the
get_magic_quote s_gpc() function.

Contrary to popular belief, it should never be necessary to use
stripslashes() on data which originates from a database SELECT. The
slashes which are added manually with addslashes(), or automagically
when magic_quotes_gp c is On, are only used to properly escape the data
before an INSERT or UPDATE and are themselves not stored in the
database.

Refer:
http://www.php.net/addslashes
http://www.php.net/stripslashes
http://www.php.net/get_magic_quotes_gpc

------------------
Q. I'm getting extra \ in my form field
A. You are using Get/Post/Cookie (GPC) data without stripping the
magically [1] added quotes (which are on by default).
If aren't getting the data from GPC magic_quotes_ru ntime might be
on (off by default)

Q. When to escape?
A. Only use the right escape method at the moment it is needed.
What the right escape method actually is depends on where the data
will be used. If you are inserting the string $bar into eg mysql
you should escape it with mysql_real_esca pe_string() [2]
$query="UPDATE foo SET bar='".mysql_re al_escape_strin g($bar)."'";
the same base shoule be htmlescaped [3] when used in html
echo "<a
href='foo.php?b ar=".urlencode( $bar)."'>".html specialchars($b ar,ENT_QUOTES). "</a>";
(also note that $bar needs to be urlescaped [4] if used in an URL)
So in oorder to make this work you should always keep the raw
unescaped values (this is why (IMHO) magic_quotes is evil). To make
sure you are actually working with the raw values you should
sanitize
GPC data with something like this (untested and incomplete code):
function slashed($t)
{
if(get_magic_qu otes_gpc())
{
if(is_array($t) && count($t))
for($i=0;$i<cou nt($t);$i++)
$t[$i]=slashed($t[$i]);
else
$t=stripslashes ($t);
}
return $t;
}
$_GET=slashed($ _GET);
$_POST=slashed( $_POST);
$_REQUEST=slash ed($_REQUEST);
$_COOKIE=slashe d($_COOKIE);

Q. When and how to sanitize data
A. Like escaping it depends on usage. If know data in a sql row should
be an int, you could do something like this:
$query="UPDATE foo SET bar='".((int)$b ar)."'";
If the data should contain a dutch style postalcode:
if(!preg_match( "/^\d{4}\s*[A-Za-z]{2}$/",trim($zip ))
die("error in zip");
But IMHO you shouldn't try to fix obviously wrong data.

[1] http://www.php.net/magicquotes
[2] http://www.php.net/mysql_real_escape_string
[3] http://www.php.net/htmlspecialchars
[4] http://www.php.net/urlencode

+++++
@revision 1 Initial
@revision 2 Merged Kenneth Downs comments. Shortened document URLs
@revision 3 Shortened document URLs. Brining Daniel Tryba's
<news:42******* **************@ news6.xs4all.nl > entry here so that it
won't be get orphaned
@author Jan Pieter Kunst, Kenneth Downs, Daniel Tryba
@todo grammar checking by native English speaker. Maybe the 'Q' should
be something like "Why do I have backslashes in my form data"? Not
sure.
@todo Bring this question to main FAQ Thread. (missed this one in Rev
5). Merge the Q&A's appropriately

Jul 17 '05 #4
R. Rajesh Jeba Anbiah <ng**********@r ediffmail.com> wrote:
If aren't getting the data from GPC magic_quotes_ru ntime might be
on (off by default)
Time for a zpellchecker/thesaurus:

Should be:
When not getting the data

the same base shoule be htmlescaped [3] when used in html ^^^^ $bar
So in oorder to make this work you should always keep the raw

^^^^^^ order

Jul 17 '05 #5

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

1
3150
by: leegold2 | last post by:
When I look directly in my db field I see a difference between these two functions. The top line (seebelow) was inserted with addslashes vs. the bottom line where I used mysql_real_escape_string. Obviously addslashes really escapes the apostrophe. But I thought mysql_real_escape_string is supposed to do that too - can anyone explain? Thanks, Lee G. This is Aviva\'s website. This is Sarah's website.
11
2291
by: Dave Smithz | last post by:
Having adopted someone else's PHP cope and completing a crash course in the language I came across a (probably common) problem with the current code. On a registration form, whenever users names have an apostrophe in them it causes problems as they do not get added to the DB correctly for reasons that immediately become apparent. Before implementing my own workaround I noticed the functions. addslashes, stripslashes and directive...
2
7633
by: Marcus | last post by:
Hello, My php.ini file currently has magic quotes set to On, but I have read that it is better to code with it off. Currently with magic quotes on, I only use stripslashes() to properly format strings that are displayed on the screen. I know that now with magic quotes off, I will have to manually handle escaping special characters with mysql_real_escape_string() or addslashes().
2
3369
by: Cruella DeVille | last post by:
I must have som errors in my understanding of strip- vs addslashes. I thought that if a user submitted eg a username, like this username=siv' drop database test; I should addslashes to escape ' and " and therefore prohibit the evil user to drop/change my database through sql injection (my example may not be correct, but I believe it points out that evil user can add sql commands through an input field. But - I've been reading lots of...
4
2877
by: Areric | last post by:
hey all, I recently got in a bit of a fight with my webhost because he made some changes to my server. Specifically they updated php without telling me. They are now running PHP 4.4.1 (not sure what it was before). Anyway i mention that cause i had a script that uploaded the content of an image to a DB, then displayed it straight from the DB using gdlib. Before i store the content of the image i did an addslashes() and before i...
5
1924
by: lawrence k | last post by:
This seems so simple, I can't believe its tripping me up. I've a database class with a query method that looks like this: function query($query=false) { global $controller; // $query = stripslashes($query); // $query = addslashes($query); $result = mysql_query($query);
15
4138
by: =?ISO-8859-1?Q?J=F8rn?= Dahl-Stamnes | last post by:
Hello folks, I need some help/advice FAST. I have problems with addslashes on my web-servers. After uploading a file, I read the uploaded file, use addslashes on the read data and then insert it into a blob field in a MySQL database. The problem is that this works fine on my internal test web-server (running under RedHat 7.3). But on my production web-server (running Fedora Core 4)
5
6632
by: Gilles Ganault | last post by:
Hello As the user may type strings that contain verboten characters like apostrophes, I need to go through the $_POST array, and use addslashes() on each and every item But it doesn't make any difference: ========== <?php
3
1471
by: FAQ server | last post by:
----------------------------------------------------------------------- FAQ Topic - How do I get a perl/asp/php variable into client-side js? ----------------------------------------------------------------------- Use the server-side language to generate the javascript: var jsvar="<%= aspvar %>"; var jsvar="<?php echo $phpvar ?>";
0
8581
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, weíll explore What is ONU, What Is Router, ONU & Routerís main usage, and What is the difference between ONU and Router. Letís take a closer look ! Part I. Meaning of...
0
9050
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
8932
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
1
8766
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
0
8778
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
0
4307
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
0
4528
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
2944
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
3
1933
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.