469,312 Members | 2,440 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,312 developers. It's quick & easy.

[FAQ] addslashes() and striplashes()

Q. How do I use addslashes() and stripslashes() when dealing with HTML
forms and database INSERTs, UPDATEs and SELECTs?

A. It depends on the setting of the php.ini directive
"magic_quotes_gpc". By default, magic_quotes_gpc is On.

If magic_quotes_gpc is On:
Use stripslashes() for data which originates from an HTML form and is
shown in an HTML page after a roundtrip to the server.
Do not use addslashes().

If magic_quotes_gpc is Off:
Use addslashes() when INSERTing or UPDATEing data into the database.
Do not use stripslashes().

You can check the magic_quotes_gpc setting with the
get_magic_quotes_gpc() function.

Contrary to popular belief, it should never be necessary to use
stripslashes() on data which originates from a database SELECT. The
slashes which are added manually with addslashes(), or automagically
when magic_quotes_gpc is On, are only used to properly escape the data
before an INSERT or UPDATE and are themselves not stored in the database.

Refer:
http://www.php.net/manual/en/function.addslashes.php
http://www.php.net/manual/en/function.stripslashes.php
http://www.php.net/manual/en/functio...quotes-gpc.php

+++++
@todo grammar checking by native English speaker. Maybe the 'Q' should
be something like "Why do I have backslashes in my form data"? Not sure.

JP
--
Sorry, <de*****@cauce.org> is a spam trap.
Real e-mail address unavailable. 5000+ spams per month.
Jul 17 '05 #1
4 18661
Jan Pieter Kunst wrote:
Q. How do I use addslashes() and stripslashes() when dealing with HTML
forms and database INSERTs, UPDATEs and SELECTs?

A. It depends on the setting of the php.ini directive
"magic_quotes_gpc". By default, magic_quotes_gpc is On.

If magic_quotes_gpc is On:
Use stripslashes() for data which originates from an HTML form and is
shown in an HTML page after a roundtrip to the server.
Do not use addslashes().

If magic_quotes_gpc is Off:
Use addslashes() when INSERTing or UPDATEing data into the database.
Do not use stripslashes().

You can check the magic_quotes_gpc setting with the
get_magic_quotes_gpc() function.

Contrary to popular belief, it should never be necessary to use
stripslashes() on data which originates from a database SELECT. The
slashes which are added manually with addslashes(), or automagically
when magic_quotes_gpc is On, are only used to properly escape the data
before an INSERT or UPDATE and are themselves not stored in the database.

Refer:
http://www.php.net/manual/en/function.addslashes.php
http://www.php.net/manual/en/function.stripslashes.php
http://www.php.net/manual/en/functio...quotes-gpc.php

+++++
@todo grammar checking by native English speaker.
Better than most Americans.
Maybe the 'Q' should
be something like "Why do I have backslashes in my form data"? Not sure.
Probably yes. Actually there may be several questions that could all route
to the same answer, users could be having a variety of problems that the
information above is relevant to, so how about:

Q: I have heard you should always use "addslashes" before putting user input
into a database. Why is that?

Q: How do I handle single quotes in user input, I am getting errors trying
to INSERT and UPDATE.

Q: Do I need Addslashes on data coming from a database server and going to
the browser?

Q: Why do I have backslashes in my form data?

Q: What do I need to do to "sanitize" user input so it is database-safe?

JP


--
Kenneth Downs
Secure Data Software, Inc.
(Ken)nneth@(Sec)ure(Dat)a(.com)
Jul 17 '05 #2
Q: How do I use addslashes() and stripslashes() when dealing with HTML
forms and database INSERTs, UPDATEs and SELECTs?
Q: How do I handle single quotes in user input, I am getting errors
trying
to INSERT and UPDATE.
Q: Why do I have backslashes in my form data?
Q: What do I need to do to "sanitize" user input so it is
database-safe?

A. It depends on the setting of the php.ini directive
"magic_quotes_gpc". By default, magic_quotes_gpc is On.

If magic_quotes_gpc is On:
Use stripslashes() for data which originates from an HTML form and is
shown in an HTML page after a roundtrip to the server.
Do not use addslashes().

If magic_quotes_gpc is Off:
Use addslashes() when INSERTing or UPDATEing data into the database.
Do not use stripslashes().

You can check the magic_quotes_gpc setting with the
get_magic_quotes_gpc() function.

Contrary to popular belief, it should never be necessary to use
stripslashes() on data which originates from a database SELECT. The
slashes which are added manually with addslashes(), or automagically
when magic_quotes_gpc is On, are only used to properly escape the data
before an INSERT or UPDATE and are themselves not stored in the
database.

Refer:
http://www.php.net/addslashes
http://www.php.net/stripslashes
http://www.php.net/get_magic_quotes_gpc

+++++
@revision 1 Initial
@revision 2 Merged Kenneth Downs comments. Shortened document URLs
@author Jan Pieter Kunst, Kenneth Downs
@todo grammar checking by native English speaker. Maybe the 'Q' should
be something like "Why do I have backslashes in my form data"? Not
sure.
@todo Bring this question to main FAQ Thread. (missed this one in Rev 5)

Jul 17 '05 #3
Q: How do I use addslashes() and stripslashes() when dealing with HTML
forms and database INSERTs, UPDATEs and SELECTs?
Q: How do I handle single quotes in user input, I am getting errors
trying
to INSERT and UPDATE.
Q: Why do I have backslashes in my form data?
Q: What do I need to do to "sanitize" user input so it is
database-safe?

A. It depends on the setting of the php.ini directive
"magic_quotes_gpc". By default, magic_quotes_gpc is On.

If magic_quotes_gpc is On:
Use stripslashes() for data which originates from an HTML form and is
shown in an HTML page after a roundtrip to the server.
Do not use addslashes().

If magic_quotes_gpc is Off:
Use addslashes() when INSERTing or UPDATEing data into the database.
Do not use stripslashes().

You can check the magic_quotes_gpc setting with the
get_magic_quotes_gpc() function.

Contrary to popular belief, it should never be necessary to use
stripslashes() on data which originates from a database SELECT. The
slashes which are added manually with addslashes(), or automagically
when magic_quotes_gpc is On, are only used to properly escape the data
before an INSERT or UPDATE and are themselves not stored in the
database.

Refer:
http://www.php.net/addslashes
http://www.php.net/stripslashes
http://www.php.net/get_magic_quotes_gpc

------------------
Q. I'm getting extra \ in my form field
A. You are using Get/Post/Cookie (GPC) data without stripping the
magically [1] added quotes (which are on by default).
If aren't getting the data from GPC magic_quotes_runtime might be
on (off by default)

Q. When to escape?
A. Only use the right escape method at the moment it is needed.
What the right escape method actually is depends on where the data
will be used. If you are inserting the string $bar into eg mysql
you should escape it with mysql_real_escape_string() [2]
$query="UPDATE foo SET bar='".mysql_real_escape_string($bar)."'";
the same base shoule be htmlescaped [3] when used in html
echo "<a
href='foo.php?bar=".urlencode($bar)."'>".htmlspeci alchars($bar,ENT_QUOTES)."</a>";
(also note that $bar needs to be urlescaped [4] if used in an URL)
So in oorder to make this work you should always keep the raw
unescaped values (this is why (IMHO) magic_quotes is evil). To make
sure you are actually working with the raw values you should
sanitize
GPC data with something like this (untested and incomplete code):
function slashed($t)
{
if(get_magic_quotes_gpc())
{
if(is_array($t) && count($t))
for($i=0;$i<count($t);$i++)
$t[$i]=slashed($t[$i]);
else
$t=stripslashes($t);
}
return $t;
}
$_GET=slashed($_GET);
$_POST=slashed($_POST);
$_REQUEST=slashed($_REQUEST);
$_COOKIE=slashed($_COOKIE);

Q. When and how to sanitize data
A. Like escaping it depends on usage. If know data in a sql row should
be an int, you could do something like this:
$query="UPDATE foo SET bar='".((int)$bar)."'";
If the data should contain a dutch style postalcode:
if(!preg_match("/^\d{4}\s*[A-Za-z]{2}$/",trim($zip))
die("error in zip");
But IMHO you shouldn't try to fix obviously wrong data.

[1] http://www.php.net/magicquotes
[2] http://www.php.net/mysql_real_escape_string
[3] http://www.php.net/htmlspecialchars
[4] http://www.php.net/urlencode

+++++
@revision 1 Initial
@revision 2 Merged Kenneth Downs comments. Shortened document URLs
@revision 3 Shortened document URLs. Brining Daniel Tryba's
<news:42*********************@news6.xs4all.nl> entry here so that it
won't be get orphaned
@author Jan Pieter Kunst, Kenneth Downs, Daniel Tryba
@todo grammar checking by native English speaker. Maybe the 'Q' should
be something like "Why do I have backslashes in my form data"? Not
sure.
@todo Bring this question to main FAQ Thread. (missed this one in Rev
5). Merge the Q&A's appropriately

Jul 17 '05 #4
R. Rajesh Jeba Anbiah <ng**********@rediffmail.com> wrote:
If aren't getting the data from GPC magic_quotes_runtime might be
on (off by default)
Time for a zpellchecker/thesaurus:

Should be:
When not getting the data

the same base shoule be htmlescaped [3] when used in html ^^^^ $bar
So in oorder to make this work you should always keep the raw

^^^^^^ order

Jul 17 '05 #5

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

1 post views Thread by leegold2 | last post: by
2 posts views Thread by Marcus | last post: by
2 posts views Thread by Cruella DeVille | last post: by
4 posts views Thread by Areric | last post: by
15 posts views Thread by =?ISO-8859-1?Q?J=F8rn?= Dahl-Stamnes | last post: by
5 posts views Thread by Gilles Ganault | last post: by
1 post views Thread by CARIGAR | last post: by
reply views Thread by zhoujie | last post: by
1 post views Thread by Geralt96 | last post: by
reply views Thread by harlem98 | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.