
Simple Question to understand - Addslashes

LEGEND, Nov 30, 2006
Addslashes - it doesn't look like it's typically needed?

I just read this:
Returns a string with backslashes before characters that need to be quoted
in database queries etc. These characters are single quote ('), double quote
("), backslash (\) and NUL (the NULL byte).
An example use of addslashes() is when you're entering data into a database.
For example, to insert the name O'reilly into a database, you will need to
escape it. Most databases do this with a \ which would mean O\'reilly. This
would only be to get the data into the database, the extra \ will not be
inserted. Having the PHP directive magic_quotes_sybase set to on will mean '
is instead escaped with another '.

1. Why would I need to escape the string "O'Reilly"? I don't understand
this statement. I have used quotes in my databases before w/o ever
bothering with addslashes - is that because magic_quotes_gpc was set to on?
Is this a new vs. old thing where you used to need to addslashes, but you
don't any more b/c of magic_quotes?

2. If magic_quotes is turned on (I have verified this) do I need addslashes
at all?

From PHP.net:
The PHP directive magic_quotes_gpc is on by default, and it essentially
runs addslashes() on all GET, POST, and COOKIE data. Do not use addslashes()
on strings that have already been escaped with magic_quotes_gpc as you'll
then do double escaping. The function get_magic_quotes_gpc() may come in
handy for checking this.

This came about b/c we're getting slashes everywhere we have text. So, I
guess I either need to remove the addslashes or put in stripslashes before
we pull text. I'm just curious if I actually need to stripslashes or if I
can just remove the addslashes?

Thanks for clarifying,

Jon


TOPICS
Server side applications
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
LEGEND, Nov 30, 2006
.oO(crash)

>Addslashes - it doesn't look like it's typically needed?

I've never used it. And most likely I never will.

>I just read this:
>Returns a string with backslashes before characters that need to be quoted
>in database queries etc. [...]
>
>1. Why would I need to escape the string "O'Reilly"?

Because of the single quote. In an SQL query strings are delimited with
single quotes. If the string itself contains one it has to be escaped.
Improper escaping leads to SQL injection vulnerabilities.

>I don't understand
>this statement. I have used quotes in my databases before w/o ever
>bothering with addslashes - is that because magic_quotes_gpc was set to on?

Most likely, but magic quotes are a broken concept and will be removed
in PHP6. Additionally using addslashes() might not be enough to escape
all chars that could be troublesome in a query. That's why functions
like mysql_real_escape_string() exist (have a look at the manual which
chars are escaped by these functions - addslashes() doesn't cover them
all!).

>Is this a new vs. old thing where you used to need to addslashes, but you
>don't any more b/c of magic_quotes?

Nothing new, but things will change in the near future.

>2. If magic_quotes is turned on (I have verified this) do I need addslashes
>at all?

No. But the preferred way is:

1. Turn magic quotes off completely on your own server.
2. If it's not possible to turn them off on the remote machine as well,
then always check get_magic_quotes_gpc() when importing GPC data to see
whether they're enabled or not and call stripslashes() if necessary.
3. Use the appropriate DB-specific escaping function or prepared
statements (as provided by MySQLi or PDO).

Point 1 is definitely the way to go. Point 2 makes sure that you always
deal with the raw data inside your application, which don't have some
obscure and incomplete escaping on it. Finally point 3 ensures safety
when inserting the stuff into a DB.

HTH
Micha
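Micha's three points written out end to end, as an added PHP example that is not code from the thread: undo magic quotes once at the input boundary so the application only ever holds raw data, show the double-escaping that produced the OP's stray slashes, show why a bare quote in O'Reilly breaks a query built by string concatenation, and then insert through a PDO prepared statement. It assumes PHP with the PDO SQLite driver; the `$post` array is constructed sample input standing in for `$_POST`, and `undoMagicQuotes()` / `rawRequestData()` are helper names chosen here.

```php
<?php
// Added example, not from the original thread. Assumes PDO with the SQLite driver.

// Micha's point 2: if magic_quotes_gpc is on, PHP has already run addslashes()
// over GET/POST/COOKIE, so strip that exactly once at the boundary. On PHP 5.4+
// the directive is gone and get_magic_quotes_gpc() returns false; on PHP 8 the
// function itself no longer exists, hence the function_exists() guard.
function undoMagicQuotes($value)
{
    if (is_array($value)) {
        return array_map('undoMagicQuotes', $value);
    }
    return stripslashes($value);
}

function rawRequestData(array $gpc)
{
    $magicOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magicOn ? undoMagicQuotes($gpc) : $gpc;
}

// Constructed sample input: what the browser actually sent, standing in for $_POST.
$post = ['name' => "O'Reilly"];
$name = rawRequestData($post)['name'];

// What the OP observed: addslashes() applied to data magic quotes had already
// escaped. The second pass escapes the backslash and the quote again, so the
// database ends up storing O\'Reilly and the backslash shows up in every page.
$once  = addslashes("O'Reilly");   // O\'Reilly
$twice = addslashes($once);        // O\\\'Reilly
echo "escaped once:  $once\n";
echo "escaped twice: $twice\n";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE authors (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Why the quote matters at all (the OP's question 1): pasted straight into the
// SQL text, the apostrophe in O'Reilly terminates the string literal and the
// rest of the name is parsed as SQL. Here that is merely a syntax error; with
// other input it is how the query's meaning gets changed.
try {
    $db->exec("INSERT INTO authors (name) VALUES ('$name')");
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}

// Micha's point 3: a prepared statement sends the value separately from the
// SQL text, so nothing in the value needs escaping and nothing in it can alter
// the statement. No addslashes(), no mysql_real_escape_string(), no stripslashes().
$stmt = $db->prepare('INSERT INTO authors (name) VALUES (:name)');
$stmt->execute([':name' => $name]);

$stored = $db->query('SELECT name FROM authors')->fetchColumn();
echo "stored value: $stored\n";
var_dump($stored === "O'Reilly");   // bool(true): no stray backslash in the database
```

Run it with `php example.php`. The first two lines show where the extra slashes come from, the caught exception shows why a quote cannot simply be dropped into query text, and the final `bool(true)` shows that with a prepared statement the name round-trips unchanged, which is exactly why points 1 and 2 (get rid of the escaping layer) and point 3 (let the driver do the quoting) go together.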
LEGEND, Nov 30, 2006
thanks micha, printing out to read at home - getting kinda nasty round these
parts. i might be reading it by candlelight. :O)

have a good one.

Jon
"Michael Fesser" <netizen@gmx.de> wrote in message
news:6flum2tmrrbgsjcjq3jittc4h04bt6mvht@4ax.com...
LEGEND, Dec 05, 2006
Micha-

Thanks for suggestions. I just now got online again (lotta snow down here)
and am implementing your suggestions..

LEGEND, Dec 05, 2006
.oO(crash)

>Thanks for suggestions. I just now got online again (lotta snow down here)

Snow on your network cable? Something like "white noise" ... ;-)

Micha
LEGEND, Dec 06, 2006
:o) There was so much white noise I had problems interfacing with the
porch!

luckily, i was able to defrag much of it by re-aligning the noise into
clusters and outputting them at my kids...
