Removing \ from PHP in an HTML page?


mysql_real_escape_string is an alternative to addslashes() in that it caters for other characters. addcslashes is another to look at.

Turning magic quotes off and not replacing it with something is not recommended - not even by Rob, if you read his post. All he said was that it's possible. You NEED to escape user input (a Rob mantra!) that's going into the database, because if you don't, your site is open for users to run their own MySQL queries on your server - not something that you want.

From a visual point of view, yes, magic quotes is a PITA - but it's a security measure that needs to be replaced if you disable it.
 
mysql_real_escape_string is an alternative to addslashes() in that it caters for other characters. addcslashes is another to look at.

Why would I use either of those over mysql_real_escape_string? And given the OP quite clearly has magic quotes on already, why are you recommending addslashes to him? And then having to use stripslashes on the data when outputting it? Seems a strange way of doing things to me. :o

but it's a security measure that needs to be replaced if you disable it

Well, that goes without saying. I'm not totally insane. :p
 
OK, now I'm confused.

I certainly am too after reading this thread.

To clear everything up:

Magic Quotes
Either turn them off or remove them at the beginning of each request.

SQL injection
Use mysql_real_escape_string to prevent this (not addslashes). You should sanitise all user input (i.e. $_GET, $_POST and $_COOKIE; some $_SERVER variables are also vulnerable to exploitation) in this way before using it in a query.

Better still, use an abstraction layer, such as ezSQL or MDB2 and let that do the sanitisation for you.

array_map() is busy laughing at you. :cool:

PHP isn't my first language, OK? :o
 
1. addslashes is not a substitute for mysql_real_escape_string
2. Best practice is to only escape input before using it in a query, so that means no magic quotes
3. Avoid all sorts of headaches by turning magic quotes off/running stripslashes on all your input if it's turned on, then using prepared statements in your SQL.
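The procedure in this post, written out as an added example (it is not code posted by anyone in this thread): undo magic quotes once at the start of the request, recursively so nested input arrays are covered, then keep data and SQL apart with a PDO prepared statement instead of escaping by hand. The DSN, credentials, `users` table and `strip_magic_quotes()` helper are placeholders chosen for the example; note that magic quotes were removed in PHP 5.4 and the mysql_ extension in PHP 7, so on a current PHP only the prepared-statement half still applies.

```php
<?php
// Step 1: if magic_quotes_gpc is on, strip the slashes it added so the
// superglobals hold the raw user input again. Done once per request.
// On PHP >= 5.4 get_magic_quotes_gpc() is always false (and the function is
// gone in PHP 8), so this block is a no-op there.

/** Recursively undo magic quotes; handles nested arrays such as a[]=1&a[]=2. */
function strip_magic_quotes($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes', $value)
        : stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = array_map('strip_magic_quotes', $_GET);
    $_POST   = array_map('strip_magic_quotes', $_POST);
    $_COOKIE = array_map('strip_magic_quotes', $_COOKIE);
}

// Step 2: a prepared statement. The driver sends the SQL and the values
// separately, so quotes in the input can never change the query's structure.
// DSN, user and password below are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    )
);

// Constructed sample input: an apostrophe is exactly what magic quotes and
// addslashes were trying to cope with. Here it needs no special handling.
$username = isset($_GET['user']) ? $_GET['user'] : "o'brien";

$stmt = $pdo->prepare('SELECT id, email FROM users WHERE username = :username');
$stmt->execute(array(':username' => $username));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
// $rows holds only literal matches for the bound value; no escaping, no
// stripslashes on output, and nothing for a "drop table" payload to break out of.
```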
 
I think we can safely say there are several ways of protecting your site against SQL injection, and it's up to personal preference. I have heard of all these methods before, and I just chose what was easier for me when I started coding PHP, and I have used it ever since. Implement a solution of your choice, then do some testing.

This may help you with testing your own server for drop table scripts (etc) and help shed some light on SQL injection so you can make a more informed decision for yourself.

http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
 