
addslashes() function .. cannot implement in my MySQL INSERT - Why?


OldWest


I am simply trying to use stripslashes for my mysqli insert statement, and errors are driving me nuts.. I've tried several variations and patterns with apostrophes and quotes to no avail. Should I even be using stripslashes to clean my data? Or is there a better function?

 

Notice: Use of undefined constant title - assumed 'title' in C:\wamp\www\php\simple_classifieds\add_posting.php on line 57

 

      $query = "INSERT INTO Postings (id, city_id, title, description) VALUES
('','$_POST[city]','" .  stripslashes($_POST[title])  . "','$_POST[description]')" or mysqli_error();


For reference, here is the working code:

$query = "INSERT INTO Postings (id, city_id, title, description) VALUES
('','$_POST[city]','" . addslashes($_POST['title']) . "','" . addslashes($_POST['description']) . "')" or mysqli_error();

 


Please don't use addslashes() to escape data being put into a query. It is possible to use character encoded data that will allow quotes to be injected into a query that will pass right through addslashes().

 

This is why magic_quotes_gpc (which simply uses addslashes() internally) is being removed from PHP and why the mysql(i)_real_escape_string() function exists (it takes into account character encoding when escaping data.)

 

See this link for a demonstration of how addslashes() can be bypassed - http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

 

Edit: And in fact there is a link in that information to an article that demonstrates under what conditions mysql_real_escape_string() can be bypassed. This mysql_real_escape_string bypass was apparently corrected in PHP 5.2.3 -

Since PHP 5.2.3, it is possible to use mysql_set_charset() which is respected by mysql_real_escape_string().

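As an added example (not code from the thread or from either poster), here is the thread's INSERT into Postings rebuilt with mysqli prepared statements: the data is bound separately from the SQL text, so neither addslashes() nor charset-aware escaping is needed for the values. The connection credentials are placeholders; the $_POST keys are the ones the thread uses.

```php
<?php
// Added example, not code from the thread. Connection details are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any mysqli error

$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');

// Tell the driver which charset the connection uses, so the server and the
// client agree on how bytes are split into characters. This is the same
// concern mysql_set_charset() addresses in the article linked above; with
// prepared statements it matters for correct storage rather than for escaping.
$db->set_charset('utf8mb4');

function insertPosting(mysqli $db, int $cityId, string $title, string $description): int
{
    // '?' placeholders: quotes, backslashes and multibyte sequences in the
    // values can never alter the statement because they are sent out-of-band.
    // The auto-increment id is simply omitted instead of passing '' as in the
    // thread's query.
    $stmt = $db->prepare(
        'INSERT INTO Postings (city_id, title, description) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('iss', $cityId, $title, $description); // i = int, s = string
    $stmt->execute();
    $newId = (int) $db->insert_id;
    $stmt->close();
    return $newId;
}

// Validate the shape of the input before it reaches the database.
$cityId      = filter_input(INPUT_POST, 'city', FILTER_VALIDATE_INT);
$title       = trim((string) ($_POST['title'] ?? ''));
$description = trim((string) ($_POST['description'] ?? ''));

if ($cityId === false || $cityId === null || $title === '' || $description === '') {
    http_response_code(400);
    exit('city, title and description are required');
}

$id = insertPosting($db, $cityId, $title, $description);
echo "Inserted posting #{$id}";
```

Apostrophes and quotes in title or description are stored verbatim, which is the behaviour the original poster was trying to reach with stripslashes()/addslashes().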

PFMaBiSmAd, thanks for the critique. I think I read about that deprecation somewhere on that addslashes().. the interesting thing is my form could not submit if I had any apostrophes, quotes, etc in my fields .. and by adding addslashes(), my submission would pass w/out errors.. but I guess that's even more dangerous off the top!

