Addslashes always on?

sidsel

I noticed when I post something with a ' or " then a [/B] is always added automaticly. Is it a default php configuration or something?

LordShryku

look at addslashes()

Not a default. Just smart code. Otherwise it would bomb, thinking it was the end of a string.

sidsel

So I don't need to use addslashes when I post something to be inserted in a mysql database?

LordShryku

You don't need to. Be wary of what goes in there though. Single quotes will bomb your query, since MySQL will think that a single quote will be the end of that data being inserted.

sidsel

I think I'm a bit confused...

I have a form where anybody can post anything so I probably should use addslashes, but I can't get my sql query to fail no matter how hard I try without addslashes added.

My code looks like this:

$insert = htmlspecialchars($_POST["data"]);

mysql_query("INSERT INTO table (comment) VALUES ('$insert')", $connection);

LordShryku

htmlspecialchars effectively handles that by converting single quotes into & #039;

laserlight

The other reason is that magic_quotes_gpc is set to 1 by default, so your get, post and cookie data are escaped automatically.