Wrox Programmer Forums

You are currently viewing the Beginning PHP section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old December 11th, 2003, 04:06 PM
Authorized User
 
addslashes/stripslashes

Hi,
Can anyone point me in the direction of a good tutorial on addslashes/stripslashes, as I have looked through the beginning PHP book but it still is not going in, I have checked out the php.net site too but I still am confused, and I want to avoid problems later on with MySQL errors.
I am using
$firstname = $HTTP_POST_VARS['firstname'];
$firstname = stripslashes($firstname);
before the data gets entered into the database, and everything is working fine. So I can't really see the need for addslashes, because when I echo out the results using addslashes() (from the form users have just filled in) I get the results with the slashes. So is it only an advantage if you are performing queries on the database, not just entering data into it?

Sorry if this is confused, but I really am!!

Sami
 
Old December 11th, 2003, 04:31 PM
Friend of Wrox
 

Here's the deal -- addslashes escapes all special characters (like quotation marks) in a string. You're supposed to do this so you don't create problems in your SQL code.

For example:


$string = "Don't do this.";

$query = "INSERT INTO tablename (colname) VALUES ('$string')";

The variable, $string, is replaced with its value in $query. That means $query is this:

"INSERT INTO tablename (colname) VALUES ('Don't do this.')"

See the problem? That single-quote in "Don't" terminates the value string inside the query, and "t do this" is just extra junk that causes a query parse error from your database engine (e.g. MySQL).


Using addslashes() saves you from this by escaping that single quote:

$string = addslashes("Don't do this.");

$query = "INSERT INTO tablename (colname) VALUES ('$string')";


Your query is now:
"INSERT INTO tablename (colname) VALUES('Don\'t do this.')"


Problem solved.

Typically, you want to addslashes() before putting something into the database, and stripslashes() when taking it out.


The configuration setting, "magic_quotes_gpc", is ON by default, which basically runs addslashes() on all incoming form and cookie data, so you don't have to do it explicitly before inserting this data into your database.


Does this help?


Take care,

Nik
http://www.bigaction.org/
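Nik's INSERT built three ways, as an added example that is not from the thread: the interpolated query, the addslashes() version, and a prepared statement that makes slashes unnecessary in both directions. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite table in place of MySQL; the table and column names are the post's placeholders.

```php
<?php
// Added example (not from the thread): the query from the post, built three ways.
declare(strict_types=1);

// 1. Naive interpolation: the apostrophe terminates the SQL string literal.
function naive_query(string $value): string
{
    return "INSERT INTO tablename (colname) VALUES ('$value')";
}

// 2. addslashes(): backslash-escapes ' " \ and NUL, as the post describes.
//    MySQL understands backslash escapes inside string literals; other engines may not.
function addslashes_query(string $value): string
{
    $escaped = addslashes($value);
    return "INSERT INTO tablename (colname) VALUES ('$escaped')";
}

// 3. Prepared statement: the value is sent separately from the SQL text, so no
//    slashes are added on the way in and none need stripping on the way out.
function insert_prepared(PDO $pdo, string $value): string
{
    $stmt = $pdo->prepare('INSERT INTO tablename (colname) VALUES (:v)');
    $stmt->execute([':v' => $value]);
    return (string) $pdo->query('SELECT colname FROM tablename')->fetchColumn();
}

$input = "Don't do this.";   // constructed sample form input

echo naive_query($input), PHP_EOL;
// INSERT INTO tablename (colname) VALUES ('Don't do this.')   <- parse error

echo addslashes_query($input), PHP_EOL;
// INSERT INTO tablename (colname) VALUES ('Don\'t do this.')

// In-memory SQLite stands in for MySQL so the example runs without a server.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE tablename (colname TEXT)');
echo insert_prepared($pdo, $input), PHP_EOL;
// Don't do this.   <- round-trips unchanged, no stripslashes() needed
```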
 
Old December 11th, 2003, 08:38 PM
Authorized User
 

"The configuration setting, "magic_quotes_gpc", is ON by default, which basically runs addslashes() on all incoming form and cookie data, so you don't have to do it explicitly before inserting this data into your database."

Thanks Nik,
Yes, that does help. What I couldn't figure out was why on my localhost everything worked fine, and the above was the reason. I have done as you said now and used addslashes() before it gets input, and will run stripslashes() on SELECT queries etc.

Thanks again for clearing that up,

Sami

ps. how do you turn magic_quotes_gpc off locally?
 
Old December 11th, 2003, 08:57 PM
Friend of Wrox
 

What do you mean locally?

If you mean "on my server", change the value in php.ini.

If you mean "for the currently executing script", the answer is "you can't".

magic_quotes_gpc takes effect before your PHP script begins to run. That makes sense, since it processes form input available to your script.

I suggest writing a function that replaces addslashes():

function my_addslashes($str)
{
    return get_magic_quotes_gpc() ? $str : addslashes($str);
}


This function checks whether magic_quotes_gpc is set. If it is, return the string unmodified. If magic_quotes_gpc is off, return the string after processing it with addslashes().


If you need a function that de-slash-ifies form input, you can do that too:

function deslashify($str)
{
    return get_magic_quotes_gpc() ? stripslashes($str) : $str;
}

This version runs stripslashes() on your string if magic_quotes_gpc is ON, and leaves it alone if it's not.

Bear in mind that you shouldn't really ever need a function like deslashify(), I just provided it for the sake of completeness and example.

Also, you should only use my_addslashes() on request input (i.e. GET, POST, and COOKIE data).

An alternative name for my_addslashes() that might be more appropriate is safe_addslashes() or protected_addslashes().



Hope this all helps,

Take care,

Nik
http://www.bigaction.org/
 
Old March 27th, 2004, 07:53 AM
Registered User
 

I am working on chapter 10's file handling.
When I create a file I wish for it to be HTML.
When I save the file it adds the slashes...

I am thinking maybe I should use your strip slashes, but am unsure as to where...


 
Old March 29th, 2004, 04:31 PM
Friend of Wrox
 

Well, since the my_stripslashes() function I wrote only strips slashes on input that magic_quotes_gpc runs addslashes() on, you should call my_stripslashes() on *ALL* form input you want to remove slashes from. Period.

This makes your script portable, since you can run your script on servers where magic_quotes_gpc is on or off and your script will behave the same.

Get it?


Take care,

Nik
http://www.bigaction.org/
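An added example, not Nik's code, that makes the portability point and the saved-file question concrete: since magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0, the setting is simulated with a boolean argument so the double-escaping it caused can be shown. The raw form value and the temp-file path are constructed for the example.

```php
<?php
// Added example (not from the thread). magic_quotes_gpc was removed in PHP 5.4
// and get_magic_quotes_gpc() in PHP 8.0, so the setting is simulated with a
// boolean argument to show the double-escaping it caused.
declare(strict_types=1);

// What magic_quotes_gpc did to every GET/POST/COOKIE value before the script ran.
function simulate_magic_quotes(string $raw, bool $enabled): string
{
    return $enabled ? addslashes($raw) : $raw;
}

// Nik's deslashify(): undo magic quotes so the script always sees the raw value.
function deslashify(string $str, bool $magic_quotes_on): string
{
    return $magic_quotes_on ? stripslashes($str) : $str;
}

// Escape exactly once, immediately before interpolating into SQL (MySQL syntax).
function sql_literal(string $raw): string
{
    return "'" . addslashes($raw) . "'";
}

$raw  = "Don't do this.";                                   // constructed form input
$path = sys_get_temp_dir() . '/addslashes_example.html';   // constructed output path

foreach ([true, false] as $magicOn) {
    $received = simulate_magic_quotes($raw, $magicOn);

    // Wrong: addslashes() applied blindly is a double escape when magic quotes is on.
    $blind = sql_literal($received);

    // Right: normalize first, escape once; identical output on every server.
    $normalized = deslashify($received, $magicOn);
    $portable   = sql_literal($normalized);

    // A file (or HTML page) is not SQL: write the normalized value with no slashes,
    // which is what the saved-HTML-file question needs.
    file_put_contents($path, $normalized);

    printf("magic_quotes=%-3s blind=%s portable=%s file=%s\n",
        $magicOn ? 'on' : 'off', $blind, $portable, file_get_contents($path));
}
// magic_quotes=on  blind='Don\\\'t do this.' portable='Don\'t do this.' file=Don't do this.
// magic_quotes=off blind='Don\'t do this.' portable='Don\'t do this.' file=Don't do this.
```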








