i've read http://www.phpbuilder.com/board/search.php?s=&action=showresults&searchid=72091&sortby=lastpost&sortorder=descending

i've been all over http://www.php.net

i've read the relevant sections in all my php and mysql books.

but...

i find contradictions, so...

i was wondering if someone here could straighten this out for me please?

with get_magic_quotes_gpc() == 1, no need to addslashes from gpc, right?

with get_magic_quotes_runtime() == 0, need to addslashes during runtime, right?

what about stripslashes?

assuming i addslashes (or magic_quotes adds the slashes), do i need to stripslashes after taking info out of mysql database?

i see that i need to stripslashes if taking in form data only to spit it back to the screen, no mysql involved.

also, are the slashes actually stored in mysql database?

😕 too many sources saying different things.

    First note that magic_quotes_gpc and magic_quotes_runtime are separate beasts altogether. Let's only worry about GPC.

    If magic_quotes_gpc is on, it will essentially run addslashes() on all your GPC data. So yes, you're right. Regarding stripslashes(), you do not need to strip slashes on data coming out of the database. The slashes are not stored in the database, they're only there to help put it in. On a related note, if you addslashes to already magically quoted data, you'll get a lot of \\' which will look like \' in the database, that's bad.

      thanks. i'm also using addslashes() because my get_magic_quotes_runtime == 0 and my script is dumping data into mysql that does not come from gpc.

      is there no need to stripslashes from data retrieved from mysql in this case also?

      The slashes are not stored in the database, they're only there to help put it in.

      does this mean that although i can see the slashes when i look at my data in the db, they are not actually stored in the db?

        If you see \' and \" in the database, it means somehow you added slashes twice. Go test it; print some data from your database and see what happens...

          thanks. testing now... it definitely helps to know that i should not see \' and \" in the db if i do this right.

          btw, other than what addslashes() slashes, are there any other dangerous chars that i should watch out for in a string?

            i think i've finally got it: for those of you who may be reading this thread in search of some answers...

            addslashes info:

            if get_magic_quotes_gpc == 1, then no need to do addslashes() for gpc data.

            if get_magic_quotes_runtime == 0, then do addslashes() for runtime data if you want to add slashes.

            stripslashes info:

            if you are pulling data from the db, displaying it on screen, and get_magic_quotes_whatever == 1 or addslashes was used, no need to do stripslashes().

            if you are pulling data from a form, get_magic_quotes_gpc == 1, and you want to mirror the data back to the screen, no db involved, then do stripslashes().

            other info:

            philipolson is right: if get_magic_quotes_whatever == 1 then you will not see \' or \" in your database. you can check that slashes are there by echoing form data directly to the screen.

            also, you might not want to trust the output from phpMyAdmin v. 2.2.2 to determine if you have slashed correctly. this is because, even though you can slash correctly, phpMyAdmin 2.2.2 will display " unslashed but \ and ' will be displayed as \ and \' so look at your db through ssh instead.

            whew! i hope i got that all right. please correct me if needed.

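The behaviour discussed in this thread, as an added example that is not code from any of the posters: one escaping pass leaves no slashes in the stored value, while a second pass stores \' and \". The helper `mysql_literal_value()` is hypothetical and only models how MySQL reads a quoted string literal; `addslashes()` is called explicitly to stand in for magic_quotes_gpc, which was removed in PHP 5.4.

```php
<?php
// Added example, not from the thread. Models how MySQL reads a quoted string
// literal so the stored value can be compared after 0, 1 and 2 escaping passes.

// Hypothetical helper: decode the body of a '...' literal the way MySQL does in
// its default SQL mode. Simplified: \b, \Z, \% and \_ are not special-cased.
function mysql_literal_value(string $body): string
{
    $named = ['0' => "\0", 'n' => "\n", 'r' => "\r", 't' => "\t"];
    $out = '';
    $len = strlen($body);
    for ($i = 0; $i < $len; $i++) {
        $c = $body[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $next = $body[++$i];                 // escape consumed by the parser
            $out .= $named[$next] ?? $next;      // \' -> '   \" -> "   \\ -> \
        } elseif ($c === "'") {
            throw new RuntimeException("unescaped ' at offset $i ends the literal early");
        } else {
            $out .= $c;
        }
    }
    return $out;
}

$input = "O'Reilly said \"hi\"";   // constructed sample form value

$cases = [
    'not escaped'   => $input,
    'escaped once'  => addslashes($input),               // what magic_quotes_gpc did
    'escaped twice' => addslashes(addslashes($input)),   // magic quotes + addslashes()
];

foreach ($cases as $label => $body) {
    try {
        $stored = mysql_literal_value($body);
        echo "$label\n  sent:   '$body'\n  stored: $stored\n";
    } catch (RuntimeException $e) {
        echo "$label\n  sent:   '$body'\n  error:  {$e->getMessage()}\n";
    }
}

// Form data echoed straight back (no database): undo the single pass yourself.
var_dump(stripslashes(addslashes($input)) === $input);
```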