On Wed, 30 Jun 2004 11:00:19 -0700, Joel Kitching <[EMAIL PROTECTED]> wrote:
>
> > 1. addslashes() is not as robust as other solutions like
> > mysql_escape_string().
>
> What exactly is the difference between the two?

mysql_escape_string() and mysql_real_escape_string() do the escaping as mysql needs it. In addition, you can use PEAR::DB's quoteSmart to quote and it will change depending on the DB backend you're using.

>
> > 2. in either case the slashes will be non-existent when the data is
> > actually inserted into the database.
> >
> > for example:
> >
> > $mystring = "hello here is my string. it has an ' (apostrophe) in it.";
> >
> > $sql = "
> > INSERT INTO data
> > (thestring)
> > VALUES ('$mystring')";
> >
> > when this is parsed it will look like this:
> >
> > INSERT INTO data
> > (thestring)
> > VALUES ('hello here is my string. it has an ' (apostrophe) in
> > it.')
> >
> > as you can see the ' in the original string is going to cause a problem.
> > by escaping it with mysql_escape_string() (or another comparable
> > function) you'll get the following:
> >
> > INSERT INTO data
> > (thestring)
> > VALUES ('hello here is my string. it has an \' (apostrophe) in
> > it.')
> >
> > this string, although it now contains a slash that we originally did not
> > want, this slash will not exist once the data is actually inserted into the
> > database. it's merely there to tell the database "hey, please ignore the
> > ' that comes directly after me".
> >
> > soooo... when you pull the data *out* of the database the \ will not
> > exist and you therefore do not need to perform stripslashes().
>
> I tried using addslashes() on the string in the query, and then
> SELECTing it, and the slashes are included. Does
> mysql_escape_string() not do this?
>

Then you must be getting slashes added twice. Have you tried looking at the string before running addslashes on it? After running addslashes? You likely have magic_quotes_gpc turned on. The overwhelming majority of seasoned PHP developers turn this off as it's more of a nuisance. If you need more info, search the list archives.

>
> > and now to the second part... why use htmlentities()? that is for
> > displaying data within a form element OR (i hope i have this right)
> > preventing XSS (Cross Site Scripting attacks).
> >
> > hope this helps!
> > chris.
> >
>
> --
> Joel Kitching
> http://midgardmanga.keenspace.com/

--
paperCrane --Justin Patrin--

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
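As an added example (not code from this thread), the double-escaping Justin diagnoses, reproduced with PHP's own addslashes()/stripslashes(): stripslashes() stands in for the database parser consuming the escaping backslash from a quoted literal, so its return value is what the table would hold. The stored_value() and request_value() helpers and the sample string are constructed for this example; the magic_quotes_gpc guard targets the PHP 5-era setting the thread discusses and is written so the script still runs on PHP 8, where that function no longer exists.

```php
<?php
// Added example, not from the thread. stripslashes() models what the SQL
// parser does to an escaped single-quoted literal: it eats each escaping
// backslash, so the returned string is what ends up stored in the table.
function stored_value($escaped_literal)
{
    return stripslashes($escaped_literal);
}

// For real $_POST/$_GET values: undo magic_quotes_gpc (PHP 5-era setting) so
// every value is escaped exactly once. function_exists() keeps this runnable
// on PHP 8, where get_magic_quotes_gpc() has been removed.
function request_value($raw)
{
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magic ? stripslashes($raw) : $raw;
}

// Constructed sample input, taken from Chris's example string.
$input = "hello here is my string. it has an ' (apostrophe) in it.";

// Case 1: magic_quotes_gpc = Off, the value is escaped once. With a live
// connection mysql_real_escape_string() would be used in place of addslashes();
// the stored result is the original string, with no backslash.
$once = addslashes($input);
echo "escaped once  : $once\n";
echo "stored        : ", stored_value($once), "\n";   // equals $input

// Case 2: magic_quotes_gpc = On. Request data arrives already addslashes()'d
// (simulated here), then the code escapes it a second time. One backslash
// survives the parser and is stored, which is why it shows up on SELECT.
$from_request = addslashes($input);
$twice = addslashes($from_request);
echo "escaped twice : $twice\n";
echo "stored        : ", stored_value($twice), "\n";  // contains \'

// Fix: strip the magic-quotes layer before escaping (or, better, turn
// magic_quotes_gpc off in php.ini so request_value() is a no-op). Here we
// know the constructed value was magic-quoted, so strip it directly.
$fixed = addslashes(stripslashes($from_request));
echo "after fix     : ", stored_value($fixed) === $input ? "round-trips" : "broken", "\n";
```

Running it prints the once-escaped literal round-tripping cleanly and the twice-escaped one storing a literal backslash, the symptom Joel reported.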