MYSQL and addslashes() in php question!!

Anon

hiii...i ran into a problem with my QUERY in mysql and the addslashes() function in php...heres my problem :

my query is the following:

$SQL = sprintf("INSERT INTO articles
(artName, artDate, artAuthor, artSource, artURL, active, artSum)
VALUES('%s', '%s', '%s', '%s', '%s', '%s', '%s')",addslashes($artName), addslashes($artDate), addslashes($artAuthor), addslashes($artSource),
addslashes($artURL), addslashes($active), addslashes($artSum));

$query = mysql_query($SQL);

ALL THE MYSQL TYPES FOR THE FIELDS IN THIS TABLE "articles" are text or date except for "artSum" which is a blob.

No here's the problem...when i view the date from the db that i have inserted...the only field who's slashes are striped is "artSum"..all the other fields still have their slashes...does mysql get rid of the slashes? do i need to actually call stripslashes() before i view? does the "no stripping of slashes" have to do with my field types in the db?

PLEASE IF ANYONE COULD HELP ME =(

Anon

If you do an addslashes() before you put your data into the database, then you'll have to do a stripslashes() to view your data when you pull it out of the database. All add/stripslashes() takes care of are double and single quotes. Are there even any quotes in $artSum?

You might want to look into magic_quotes in the PHP setup. You can have PHP automatically add/stripslashes for you.

Anon

thank you...i looked into magic quotes and everything is fine now...thanks for your help =)

Anon

John,

I've addressed this in threads you've posted to many times (here and devshed).

It is incorrect to say "If you do an addslashes() before you put your data into the database, then you'll have to do a stripslashes() to view your data when you pull it out of the database."

The only time you need to use stripslashes() on data queried is if the data was double escaped when inserted. This most often happens when you have magic_quotes_gpc turned on AND use addslashes() on data that was passed to the script via GET, POST or COOKIE. It can also happen if magic_quotes_runtime is on and you use addslashes() on data that was read from a DB.

Consider the following:

mysql_query("insert into table values('Ain\'t it grand')";

When you view this data in the table it will be stored as "Ain't it grand" (minus the double quotes, obviously).

When you query the database, it will be returned the same way UNLESS you have magic_quotes_runtime ON, in which case the single quote will be escaped.

OTOH, let's say you pass the value text=Ain't+it+grand to the script that does the insert.

If magic_quotes_GPC is on then you DO NOT need to use addslashes as magic_quotes_GPC will automatically add it to the incoming data. Resulting in:

Ain\'t it grand

If you do use addlashes() before the query with magic_quotes_GPC on, then the data will be double escaped:

Ain\\'t it grand

As the first \ will be escaped and the ' will be escaped. This results in the entry in the db being:

Ain\'t it grand

Which will be exactly how it is pulled. If magic_quotes_runtime is ON it will be double escaped.

If you follow the following rules you'll NEVER have to use stripslashes() on data extracted from the db:

1) Make sure magic_quotes_runtime is off, either in the php.ini file or using set_magic_quotes_runtime(0) at the beginning of the script.

2) IF magic_quotes_GPC is on, NEVER use addslashes() on incoming GET, POST and COOKIE data. Only use addslashes() on data generated inside the same script that did not have the \ escapes added manually.

3) IF magic_quotes_GPC is off, use addslashes() on all data that does not have the \ escape added manually.

A note on magic_quotes_runtime:

This, IMNSHO, should NEVER be turned on in php.ini. It is rarely useful (using a PHP script to manually transfer data from one db/table to another is about the only instance). Since this directive can be turned on manually with the set_magic_quotes_runtime() function in the rare script where it will be useful, it is not advisable to have it ON as default.

I certainly hope this clarifies things for you.

Anon

Okay. I stand corrected and have learned something. I guess the only time you really need to use stripslashes is if you want to echo something back to the user that they just typed in. Thanks.

---John Holmes...

Feyi

Can someone tell me what is the best way to program.

Say I program some website which I make available for more website owners. Some off their servers have magic_quotes on, some have it off.

When magic_quotes is on there's no need for addslashes.
When magic_quotes is off, I need to do addslashes.

When I program addslashes while magic_quotes is on, I have to stripslash when retrieving my data from the database. So it needs more code and besides it puts slashes in my database, which I consider is wrong to do.

For use on servers with magic_quotes on or off, I think there is only one way to program this correct--> addslashes and stripslashes...

Or is there another way to do it right. Is there a way to put magic_quotes on by some function when you don't have adminrights for the server, like when you're website gets hosted.