addslashes vs. magic_quotes_gpc??

szym9341

I have a CMS that passes a bunch of strings. Now that I have the first "draft" done, I entered some real information with quotes and, duh, the insert doesn't work properly.

Should I enable magic_quotes_gpc or should I add the addslashes and stripslashes to every string variable? Any light on this issue will be greatly appreciated.

ahundiak

If you want to stick with SQL standards then do neither. All you really need to do is to replace each single quote with two quotes.

$data = "O'Name";  // Not insertable
$data = str_replace("'","''",$data); // Insertable

This method works with all SQL databases including mysql.

However, mysql supports the non-standard method of using back slashes to escape certain characters. For some reason, php decided to use the slash method as default. Hence the majic_quotes nonsense.

Which method to use is up to you but if you ever plan on using standard sql databases in the future then you may as well do it right.

swr

There exists [man]mysql_escape_string[/man] and similar functions for other databases that will do whatever escaping is correct for that database.

If possible, use placeholders, then you don't have to worry about escaping quotes and stuff (it'll be handled at the lower layer).

icaro

i use magic_quotes_gpc on, and if you use oracle, probally has to turn on magic_quotes_sybase too - it will replace single quote by two singles quotes (not double quote!), and this is the way to escape single quotes for oracle, like ''

if you are using another db, probally needs to turn off magic_quotes_sybase... this way php will escape single quotes by bars, like /' - used by mysql, postgresql and msql

(btw, if you do not have a clue, i am talking about php.ini)