Rommeo Posted January 5, 2011 Share Posted January 5, 2011 I m just trying values for my DB, I have noticed that addslashes does not work, I just entered the text = " Is your name O'reilly?" as in php manual, and the data in the db is : "Is your name O'reilly?" without any slashes. And my query is as follows; $pnote= addslashes(nl2br($pnote)); mysql_query("INSERT INTO notes (note,rid,addeddate ) VALUES ( '$pnote','$rid','$mytime') ") || die ( mysql_error() ); It also does not give me any error, what can cause this ? Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted January 5, 2011 Share Posted January 5, 2011 The \ escape characters themselves are NOT inserted into the database. You should also be using mysql_real_escape_string() instead of addslashes() and you should be using nl2br() when you display the data, not when you insert it into your database. Quote Link to comment Share on other sites More sharing options...
Rommeo Posted January 5, 2011 Author Share Posted January 5, 2011 So I do not need to use stripslashes while printing the data also ? Does it cause any problems ? Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted January 5, 2011 Share Posted January 5, 2011 If you are escaping the data correctly, only once, when inserting it, the \ characters are not in the actual data and you should not need to do anything when retrieving the data. If you do have the \ characters in the actual data and you only escaped the data once yourself in your code or you get some \ characters added when you retrieve the data, see this link - http://www.php.net/manual/en/security.magicquotes.php Quote Link to comment Share on other sites More sharing options...
Psycho Posted January 5, 2011 Share Posted January 5, 2011 So I do not need to use stripslashes while printing the data also ? Does it cause any problems ? If you are on a server where magic_quotes is turned on the slashes are automatically added to user input. In those instances you should turn off magic_quotes if you have access to do so. If you don't have access to turn off magic_quotes, then you should use strip_slashes() on user input THEN run mysql_real_escape_string() before you insert int he database. The rule I always try to follow is to store data in its native/raw format. Then modify the data based on how I need it. For example, by using nl2br() when you output to the screen you maintain the original line breaks. That way you can still use the native content stored int he database to populate a textarea for editing purposes. Quote Link to comment Share on other sites More sharing options...
Rommeo Posted January 5, 2011 Author Share Posted January 5, 2011 I see now, So I m gonna turn off the magic_quotes and store the data like ; mysql_real_escape_string(strip_tags(nl2br($text),"<br"))* *not using addslashes then, order is correct I guess ? and while retrieving ; echo stripslashes($text) // just stripslashes is enough ? hoping that I m not missing anything for security purposes ? Quote Link to comment Share on other sites More sharing options...
Psycho Posted January 5, 2011 Share Posted January 5, 2011 I see now, So I m gonna turn off the magic_quotes and store the data like ; mysql_real_escape_string(strip_tags(nl2br($text),"<br"))* *not using addslashes then, order is correct I guess ? and while retrieving ; echo $text // no need to do anything. hoping that I m not missing anything for security purposes ? Not quite. If you turn off magic_quotes there is no need to strip_tags on user input and you don't want to add BR tags to the data you are storing. You add the BR tags when displayng the information Storing the data: $dbSafeInput = mysql_real_escape_string($_POST['userInput']); Displaying the input (if it may contain line breaks echo nl2br($inputFromDB); But, if you were displaying that same data in a textarea to be edited then you wouldn't use nl2br <textarea><?php echo $inputFromDB; ?></textarea> Quote Link to comment Share on other sites More sharing options...
Rommeo Posted January 5, 2011 Author Share Posted January 5, 2011 Not quite. If you turn off magic_quotes there is no need to strip_tags on user input and you don't want to add BR tags to the data you are storing. You add the BR tags when displayng the information if I dont use strip_tags, how can I prevent users to send textareas or other html codes in postings,since I just want to allow br tags and not any other things Quote Link to comment Share on other sites More sharing options...
Psycho Posted January 5, 2011 Share Posted January 5, 2011 Not quite. If you turn off magic_quotes there is no need to strip_tags on user input and you don't want to add BR tags to the data you are storing. You add the BR tags when displayng the information if I dont use strip_tags, how can I prevent users to send textareas or other html codes in postings,since I just want to allow br tags and not any other things Sorry, I mistook that for strip_slashes, but my reply still holds true. Unless there is a business need to remove those tags - let the user submit them and store the data in the database exactly as the user submitted it (escaping for SQL Injection of course). Then modify the data when you display it. In this instance I wouldn't use strip_tags(), instead I would use htmlentities() when I display the text to convert any HTML code so it is displayed on the page and not interpreted.. That way if a user inputs "<b>my name</b>", the output - as displayed on screen would be "<b>my name</b>" not "my name". There may be a reason why someone would enter html code as a value and using strip_tags would remove that data. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.