Resolved: safely adding to a database: mysql_real_escape_string, stripslashes?

02-25-2009, 06:29 PM

I have been using stripslashes() in the following way for all of my SQL queries:

$product_name = stripslashes($_POST['product_name']);

I recently came across mysql_real_escape_string. Is it necessary to use this as well as stripslashes? Or is it one or the other?

Are there any other functions that should be used before inserting variables into an SQL query?

02-25-2009, 07:02 PM
See example 3 on the mysql_real_escape_string man page (http://us2.php.net/mysql_real_escape_string) for best practices.

02-25-2009, 11:50 PM
To extend your actual question, yes you do.
The problem is that mysql_real_escape_string (or the other DB sanitizing methods) is not sensitive to magic_quotes_gpc. For this reason, if you don't perform a stripslashes on it before sanitizing it, it will result in unwanted slashes.

// user submitted name: O'Neil
// With magic_quotes_gpc enabled:
print $_POST['name']; // O\'Neil
print mysql_real_escape_string($_POST['name']); // O\\\'Neil <-- Bad to have.

So, you need to strip the slashes added by magic_quotes_gpc, which removes the escape sequence, changing O\'Neil to O'Neil. mysql_real_escape_string from this point takes care of escaping the slashes (and other characters) to result in O\'Neil, which is what you want.

I have a tutorial in the snippets as well for GPC stripping at a global level. And as I mention in it (it's a long block of code), you can do it in as few as... 5 lines of code I think it was, or 8, one of the two.

02-26-2009, 12:20 AM
So are you saying that this would not work because extra slashes would be added?

$data = addslashes($data);
$data = mysql_real_escape_string($data);


02-26-2009, 12:25 AM
Don't mistake me, it will still work. The data just would not be desirable.
The above code would first addslashes to the data, and then it would be escaped by the mysql_real_escape_string. That will always result in O\\\'Neil, and every time data is selected and inserted (minus the possibility of magic_quotes_runtime), you will add one more escape sequence. If your magic_quotes_runtime is enabled, it would double that up again.
With that note, also set_magic_quotes_runtime(0). This can be edited on a runtime basis and will prevent escaping of data coming from external resources such as files and sql.

02-26-2009, 12:39 AM
I'm a bit confused...

are you saying that you're supposed to do this to add data:

$data = addslashes($data);
$data = mysql_real_escape_string($data);

and then when you retrieve data from the database, do this:

// get the data and store it in $data
$data = stripslashes($data);

What's the standard way of doing things?

02-26-2009, 12:52 AM
Other way around, always strip, then escape.

if (@get_magic_quotes_gpc()) {
    $data = stripslashes($data); // Removes magic_quotes_gpc slashes
}
$data = mysql_real_escape_string($data);

This is especially important since PHP6 will officially remove magic_quotes_gpc from their settings and can no longer be relied on (finally :)). The @ is simply used because I'm not certain if PHP6 will deprecate the get_magic_quotes_gpc function or if they will simply remove it. Either way, this code should still work in PHP6 and will fix it for PHP4 and 5.
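The strip-then-escape rule from the last reply, and the double-escaping shown in the 12:25 AM post, packaged as an added example (not code from the thread or from any of its posters). It assumes an open mysqli connection `$db` and uses the mysqli_* functions in place of the mysql_* family used above, which was removed in PHP 7; `addslashes()` stands in for what magic_quotes_gpc would have done to the request so the walkthrough runs without a database.

```php
<?php
// Added example, not code from the thread. It packages the thread's rule
// ("strip magic_quotes_gpc slashes first, escape once at query time") into
// two helpers and shows why escaping twice corrupts the stored value.
// Assumptions: a mysqli connection $db is already open; the mysqli_* family
// stands in for the thread's mysql_* functions, which were removed in PHP 7.

// Undo the slashes magic_quotes_gpc added to $_GET/$_POST/$_COOKIE input.
// Recurses because nested request arrays are escaped element by element.
// $gpcOn can be forced for testing; by default it reads the runtime setting,
// guarded because get_magic_quotes_gpc() no longer exists in PHP 8.
function undo_magic_quotes($value, $gpcOn = null)
{
    if ($gpcOn === null) {
        $gpcOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = undo_magic_quotes($v, $gpcOn);
        }
        return $out;
    }
    return $gpcOn ? stripslashes($value) : $value;
}

// Escape exactly once, immediately before the value is spliced into SQL.
// Never store the escaped form; escaping is for the query text only.
function sql_literal(mysqli $db, $value, $gpcOn = null)
{
    return "'" . mysqli_real_escape_string($db, undo_magic_quotes($value, $gpcOn)) . "'";
}

// Offline walkthrough of the thread's O'Neil case. addslashes() simulates what
// magic_quotes_gpc would have done to the request (for ' and \ it produces the
// same bytes as mysql_real_escape_string), so no database is needed here.
$submitted  = "O'Neil";
$asReceived = addslashes($submitted);                        // O\'Neil (what $_POST held)

$wrong = addslashes($asReceived);                            // O\\\'Neil: escaped twice
$right = addslashes(undo_magic_quotes($asReceived, true));   // O\'Neil: escaped once

printf("received : %s\n", $asReceived);
printf("wrong    : %s  (%d backslashes)\n", $wrong, substr_count($wrong, '\\'));
printf("right    : %s  (%d backslashes)\n", $right, substr_count($right, '\\'));

// With a live connection, the query-time path looks like this (hypothetical table):
// $sql = "INSERT INTO customers (name) VALUES " . sql_literal($db, $_POST['name']);
```

Each round trip through the "wrong" path adds another backslash to the stored name, which is exactly the growth the 12:25 AM reply describes; the helper strips only when magic_quotes_gpc is actually on, so it is safe on PHP versions where the setting no longer exists.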