A few questions.

07-23-2007, 07:28 AM
- Why, when I add slashes before I use a query and then remove them, do I still have slashes when I output the variable?
- Does anyone have a guide about checking what characters the user has typed, so I could give an error if the user types quotes or slashes?


07-23-2007, 07:31 AM
I think the best option here would be to use mysql_real_escape_string(); this way slashes and quotes are escaped before going into the database. No need to tell the user they can't type something. Besides, that's just not user friendly. When you retrieve the data it should come back just fine, just as if the quotes and slashes were never escaped. This is how MySQL works when you use the mysql_real_escape_string function. It's suggested that if magic_quotes_gpc is enabled, you first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice. Here is an example that checks to see if magic_quotes is enabled. If it is, then it applies stripslashes to the data, then it uses mysql_real_escape_string on the data.

function escape_data ($data) {
    // magic_quotes_gpc already added one layer of slashes; remove it first
    if (ini_get('magic_quotes_gpc')) {
        $data = stripslashes($data);
    }
    // escape exactly once, for the current MySQL connection
    return mysql_real_escape_string($data);
}

07-23-2007, 07:58 AM
Then if I still see slashes, it means it has already been escaped before
I used addslashes?
Why can't I just leave it if it has already been escaped
instead of using mysql_real_escape_string?

And about the character check, I also need it for forms where the user is supposed to type only numbers or things such as email.

One last thing about cookies. If I insert the username into a cookie
and then retrieve it back, is it still escaped? Since it says

Thanks again.

07-23-2007, 05:41 PM
See, that's the thing: you ONLY escape the data if it's going into the database. You aren't going to store the cookie in the database. Using mysql_real_escape_string is the secure way of storing data in a database to prevent MySQL injection. http://us2.php.net/mysql_real_escape_string
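The following is an added example, not code from anyone in this thread. It reproduces the double-escaping that leaves slashes behind after stripslashes(), shows the number and e-mail checks asked about using PHP's built-in validators, and goes a step beyond the thread by writing to the database with a PDO prepared statement (magic_quotes_gpc and the mysql_* functions no longer exist in current PHP). addslashes() stands in for magic_quotes_gpc, and the $pdo connection is assumed to exist.

```php
<?php
// Added example: why slashes persist, how to validate, and how to insert
// without manual escaping. Assumes a PDO connection in $pdo for insert_user().

function simulate_double_escape(string $raw): array {
    $once  = addslashes($raw);   // what magic_quotes_gpc did to the request
    $twice = addslashes($once);  // the script escaping the same value again
    return [
        'once'        => $once,
        'twice'       => $twice,
        // stripslashes() undoes only one layer, so one layer remains
        'after_strip' => stripslashes($twice),
    ];
}

function validate_field(string $kind, string $value): bool {
    switch ($kind) {
        case 'number':
            // only digits 0-9; rejects sign, decimals, spaces and quotes
            return ctype_digit($value);
        case 'email':
            return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
        default:
            return false;
    }
}

function insert_user(PDO $pdo, string $username, string $email): void {
    // Values travel separately from the SQL text, so quotes or backslashes
    // in $username cannot alter the statement and nothing is stored with
    // extra slashes; reading the row back returns it exactly as typed.
    $stmt = $pdo->prepare('INSERT INTO users (username, email) VALUES (?, ?)');
    $stmt->execute([$username, $email]);
}

// Constructed sample input for the two helpers that need no database.
var_dump(simulate_double_escape("O'Reilly"));
var_dump(validate_field('number', '12345'));
var_dump(validate_field('number', "12'5"));
var_dump(validate_field('email', 'user@example.com'));
```

Running the first call shows the value the original poster saw: after stripslashes() the string still reads O\'Reilly, because it had been escaped twice.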