addslashes() and stripslashes()

johnie

Hi. I'm a little confused here.
Do i always have to use addslashes() when entering text into a db?
And then use stripslashes() when i want to display it?

Thanks

Roscoe

If you cannot control the data that's being entered (i.e. you don't know beforehand what the data is going to be, such as user input), you should use addslashes() when you enter it into the database and stripslashes() when you extract it again. This is to prevent special characters in the input from messing up your PHP code. When you display the data, you should use htmlspecialchars, to prevent reserved characters from messing with your HTML code.

ahundiak

It's actually a bit more complicated that that. Depends on what database you are using and it depends on some global settings. The basic problem is that adding slashes to database data in not standard sql but the developers of php decided to do it anyways.

I think the only real way to understand what's happening is to carefully go through the comments in the manual and pick out what applies to you.

http://www.php.net/manual/en/function.addslashes.php

johnie

That's where i went through and got completely confused 🙂

mogster

If you have problems with the addslashes/stripslashes, there could be the old magic quotes thing making it difficult.

magic_quotes_gpc is an ini-setting defaulting to on in php, and will automatically add slashes to any gpc (GET, POST, COOKIE) vars.
It's actually a nice thing, but not if you're adding extra slashes :p

So if your'e ending up with \" and \\' , this may be the prob.

I'm using a dbsafe-function to manipulate the dbtext before insert:

function dbIn($text) {
$text = strip_tags($text);
$text = str_replace(chr(10),"",$text);
$text = str_replace(chr(13), "<br>", $text);
$text = addslashes($text);
return($text);
}

This just strip all tags, but you could move the strip_tags() down to the bottom and rename it htmlspecialchars($text) if you like the code to show (but not run!).

knutm

laserlight

Well, I think that one should store into the database without using htmlspecialchars() on the data, though strip_tags() probably is ok if you dont want html tags anyway.

As for escaping quotes, one problem with addslashes() would be that for some database management systems, one should escape quotes by adding an extra quote, i.e. ' => ''

Still, mysql treats \' as an escaped quote, so I use:

//for storage to database
function prepIn($input) {
	$input = trim($input);
	if (!get_magic_quotes_gpc()) {
		return addslashes($input);
	}
	return $input;
}

which seems to work.

then on output I just use stripslashes() then if needed htmlspecialchars(), without having to check for magic_quotes_gpc
If the input should have been multi-line, and the output as well, then nl2br() is used too.