addslashes: local testing server vs remote

ATS16805

hello. going from help i received recently regarding passing strings to MySQL db while avoiding the "error in your SQL syntax" fumble when a name such as O'Connor or anything w/ an apostropy and/ or other punctuation, such as he's in trouble, and she's very angry-- lookout, y'all! is entered as $POST data passed in a mysql_query(), my SQL variable looks like this:

$insertquery = "INSERT INTO interest SET
F_NAME = '" . addslashes($_POST['F_NAME']) . "',
L_NAME = '" . addslashes($_POST['L_NAME']) . "',
EMAIL = '" . addslashes($_POST['EMAIL']) . "',
PHONE = '" . addslashes($_POST['PHONE']) . "',
REMARK = '" . addslashes($_POST['REMARK']) . "'";

this code works perfectly on my local testing server, such that the above text, entered as $_POST data goes into my local MySQL db as "O'Connor", and "he's in trouble, and she's very angry-- lookout, y'all!". however, using the same code on my hosting server will enter the following into the MySQL table fields "O\'connor" and "he\'s in trouble, and she\'s very angry-- lookout y\'all!".

so, how then should my code be modified so that i don't get a SQL syntax error, yet i don't get those slashes in my db either?

bpat1434

Well, you could always use: [man]mysql_escape_string/man.

But actually what is being input is perfectly fine. My guess would be you're running windows on your local machine, and *nix on the server. If you're concerned about the output for the page display, then just send all of your output through the [man]stripslashes/man function which gets rid of those annoying slashes....

Then again, you could always use [man]htmlspecialchars/man if you really wanted....

~Brett

ATS16805

hey, thanks!

so, for screen output, stripslashes() is a safe way to go in virtually any situation? and i would just put that in something like this?:

echo stripslashes($htmloutput);

you're right about Windows vs *nix, btw.

bpat1434

pretty much. You got the idea.

~Brett

MarkR

Stripslashes is a really bad idea, as you will corrupt your data in the event that it contains legitimate slashes.

addslashes() and stripslashes() are functions which should not be used, in the general case.

addslashes() is not the correct way to escape strings into mysql - use mysql_escape_string() as cited above.

Perhaps your problem is that they have magic_quotes_runtime or gpc enabled.

These must always be turned off; having them on will wreck even the most vigilant program.

I recommend that your code checks for magic quotes and refuses to run with them on, as it will always prove unworkable having "magic" quotes constantly corrupting your data at arbritary points.

Mark

Roger_Ramjet

If you read the manual on mysql_real_escape_string you will find both an explanation of the security issues involved in accepting user input, and 'best practice' code for a function that will overcome both the threat from an sql injection attack and the problem of handling magic quotes. Use that function ALWAYS. Then you will end up with 'clean' data in your database that you can output to html with no problems.

krotkruton

I believe Roger meant to link to the mysql_real_escape_string instead of the join manual that he links to...

Roger_Ramjet

Quite right kk, whoops, me bad.

laserlight

Stripslashes is a really bad idea, as you will corrupt your data in the event that it contains legitimate slashes.

One might need to use stripslashes() if magic_quotes_gpc is 1, since refusing to run when magic_quotes_gpc is 1 may not always be a feasible solution.