I've just recently learned of the stripslashes function.

What possible use could that have?

    TonyP wrote:

    I've just recently learned of the stripslashes function.

    What possible use could that have?

    Echoing data to the browser that has been run through [man]addslashes[/man] (either manually or automagically via Magic Quotes).

      Cool, that's cleared it up, thanks. I was extremely confused.

        Having to use stripslashes is generally an indication of an error somewhere. I never use it.

        Having magic quotes enabled is usually going to cause data corruption; I recommend you don't use it.

        Mark

          MarkR wrote:

          Having to use stripslashes is generally an indication of an error somewhere.

          I don't agree with this at all. If you are building a portable distributed app that interacts with a database then you may well have to use [man]stripslashes[/man] under certain circumstances. Let's say part of your app is to gather form data and then display it back to the user before it is inserted into a database. Again, if you wish your app to be portable then you would use [man]get_magic_quotes_gpc[/man] to see if magic quotes is on and, if it is, use [man]stripslashes[/man] before displaying. This does not necessarily indicate an error but is simply good programming practice.
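The portable check described above, as an added example that is not code from the thread. It simulates what magic_quotes_gpc did to form input (addslashes() on every value), shows the get_magic_quotes_gpc() test before stripslashes(), and shows the two ways to corrupt data that the earlier reply warns about: escaping twice, and stripping slashes from input that was never escaped. The $magicQuotesOn parameter, the normalize_gpc() and show() helpers and the sample input are assumptions for the demo; get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in 8.0, so the call is guarded with function_exists().

```php
<?php
// Added example, not code from the original thread.

// Constructed sample input: what a user actually typed into the form.
$typed = "O'Reilly wrote \"C:\\temp\" and 5\\'s";

// What PHP handed the script with magic_quotes_gpc=On: addslashes() applied.
$fromGpc = addslashes($typed);

// Undo magic quotes only when they were really applied. $magicQuotesOn lets
// the demo force either case; in real code leave it null so the runtime decides.
// get_magic_quotes_gpc() no longer exists on PHP 8, hence function_exists().
function normalize_gpc(string $value, ?bool $magicQuotesOn = null): string
{
    if ($magicQuotesOn === null) {
        $magicQuotesOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Echoing user data back to the browser is an HTML escaping problem,
// not a slashes problem: escape for the output context, never for SQL.
function show(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function check(string $label, bool $ok): void
{
    echo ($ok ? 'ok   ' : 'FAIL ') . $label . "\n";
}

// 1. With magic quotes on, stripslashes() restores exactly what was typed.
check('magic quotes on + stripslashes round-trips', normalize_gpc($fromGpc, true) === $typed);

// 2. Calling addslashes() again (the "always escape before the query" habit)
//    double-escapes: the extra backslashes would be stored as data.
$double = addslashes($fromGpc);
check('double escaping changes the data', $double !== $fromGpc);
echo "  typed:    $typed\n  gpc:      $fromGpc\n  double:   $double\n";

// 3. Calling stripslashes() when magic quotes were NOT on also corrupts:
//    every literal backslash the user typed disappears.
check('magic quotes off leaves input alone', normalize_gpc($typed, false) === $typed);
check('unconditional stripslashes corrupts', stripslashes($typed) !== $typed);
echo "  stripped: " . stripslashes($typed) . "\n";

// 4. Display the normalised value safely.
echo "  html:     " . show(normalize_gpc($fromGpc, true)) . "\n";
```

Run it with `php demo.php`. The point of the guarded check is that both branches are correct for the environment they run in; the two FAIL-free corruption lines show what happens when the guess about the environment is wrong in either direction.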

            The reason I think it's an error is that, rather than using stripslashes, you shouldn't have used addslashes in the first place. magic_quotes_gpc is naive and will break things, therefore you should simply INSIST that it's turned off.

            Indeed, generally speaking you should prefer to do as few transformations to your data as possible. Every transformation introduces potential bugs.

            That's why I prefer to use prepared queries everywhere, and forget about escaping strings for SQL (and especially forget about addslashes).

            In fact, in my dev box I could have

            disable_functions=addslashes,stripslashes
            

            in php.ini and my apps would still work.

            Although I sometimes run applications written by other people here - therefore I don't.

            Mark

              Hi,

              When you say you use prepared queries, what do you mean exactly?

              This would be interesting, as I find I have to use addslashes or text with apostrophes gets broken up when entering the database.

                I meant prepared statements; you can use them, for example, with PDO, PEAR::DB or mysqli.

                It's a method which lets you specify the parameters separately from the query. Example (PDO):

                // $db is a PDO connection object.
                // The ? placeholders stand in for the values; the values are
                // never interpolated into the SQL string itself.
                $sth = $db->prepare("SELECT * FROM vwUserForumAccess WHERE " .
                        " forum_id=? AND user_id=?");
                // Values are passed separately, so quotes in them need no escaping.
                $sth->execute(array($forum_id, $user_id));
                $row = $sth->fetch(PDO::FETCH_ASSOC);
                // etc.

                Mark
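A runnable version of the comparison this thread is about, added here and not code from the original post. It assumes the pdo_sqlite extension and uses an in-memory SQLite database so it runs offline; the PDO calls are the same against MySQL or PostgreSQL. The table, the sample names and the findPrepared()/findConcat() helpers are constructed for the demo. It shows the apostrophe problem from the question ("gets broken up"), why addslashes() is not a fix (its escaping is MySQL-specific: SQLite does not treat backslash as an escape in string literals, so O\'Reilly is still a syntax error), the injection that string building allows, and the prepared statement handling both cases.

```php
<?php
// Added example, not code from the original thread. Requires pdo_sqlite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, forum_id INTEGER NOT NULL)");

// Insert names containing apostrophes: no addslashes(), no quoting by hand.
// Named placeholders (:name) and positional ones (?) both work.
$ins = $db->prepare("INSERT INTO users (name, forum_id) VALUES (:name, :forum_id)");
foreach ([["O'Reilly", 1], ["D'Angelo", 2], ["Smith", 1]] as [$name, $forum]) {
    $ins->execute([':name' => $name, ':forum_id' => $forum]);
}

// Prepared statement: the value is bound as data and is never parsed as SQL.
function findPrepared(PDO $db, string $name): array
{
    $sth = $db->prepare("SELECT id, name, forum_id FROM users WHERE name = ?");
    $sth->execute([$name]);
    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

// String building, the habit the thread argues against. $escaper is null
// (raw concatenation) or a callable such as 'addslashes'. Returns the rows,
// or the error message when the database rejects the query.
function findConcat(PDO $db, string $name, ?callable $escaper = null)
{
    $literal = $escaper ? $escaper($name) : $name;
    $sql = "SELECT id, name, forum_id FROM users WHERE name = '" . $literal . "'";
    try {
        return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        return 'SQL error: ' . $e->getMessage();
    }
}

function describe(string $label, $result): void
{
    echo str_pad($label, 32) . (is_string($result) ? $result : count($result) . ' row(s)') . "\n";
}

$injection = "' OR '1'='1";

// An apostrophe in the data breaks the raw query.
describe("concat, O'Reilly:", findConcat($db, "O'Reilly"));
// addslashes() yields O\'Reilly. MySQL reads \' as an escaped quote; SQLite
// (and PostgreSQL with standard strings) does not, so the query still fails.
describe("concat+addslashes, O'Reilly:", findConcat($db, "O'Reilly", 'addslashes'));
// Raw concatenation with attacker-controlled input returns every row.
describe("concat, injection:", findConcat($db, $injection));
// The prepared statement finds the real row and treats the payload as a name.
describe("prepared, O'Reilly:", findPrepared($db, "O'Reilly"));
describe("prepared, injection:", findPrepared($db, $injection));
```

Expected behaviour when run with `php demo.php`: the two concatenated O'Reilly queries report SQL errors, the concatenated injection returns all three rows, the prepared O'Reilly lookup returns one row and the prepared injection returns none. On MySQL, set PDO::ATTR_EMULATE_PREPARES to false so the server, not the client library, does the binding.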
