General Programming Help
 
#1  Taelo, October 24th, 2002, 12:47 PM
when to add/strip slashes

Can someone elaborate when I should/should not be using stripslashes and addslashes?

#2  crazytrain81, October 24th, 2002, 04:48 PM
You want to use addslashes anytime you are inserting a variable into a database, because if you do not, you will end up with a failed query if there are any characters that need to be escaped (like ' " ) , ) within the variable.

You use stripslashes after you retrieve the data, and use it before displaying the output.

#3  OKrogius, October 27th, 2002, 10:24 AM
Quote:
Originally posted by crazytrain81
You want to use addslashes anytime you are inserting a variable into a database, because if you do not, you will end up with a failed query if there are any characters that need to be escaped (like ' " ) , ) within the variable.

You use stripslashes after you retrieve the data, and use it before displaying the output.


You should NEVER use stripslashes(), period. Absolutely no reason to. The only thing you should do is use addslashes only if magic_quotes_gpc() is at 0.

Last edited by OKrogius : October 27th, 2002 at 10:23 PM.

#4  Taelo, October 27th, 2002, 11:50 AM
Maybe Ben will post on this... he seems to know the right answer.

#5  Lindset, October 27th, 2002, 11:55 AM
Quote:
Originally posted by OKrogius


Provided you are a good coder who knows what you're doing you should NEVER use stripslashes.

The only thing you should do is use addslashes ONLY if magic_quotes_gpc() is at 0.


Care to elaborate on why you think one should never use stripslashes?
__________________
Best Regards,
Håvard Lindset

#6  Ben Rowe (Guest), October 27th, 2002, 04:47 PM
yes, i would also like to know why you never need to use stripslashes?

#7  jpenn, October 27th, 2002, 05:50 PM
Taelo,
Use addslashes() when MQ is set to off and you are inserting data in your DB or writing to a file. Avoid using addslashes() when MQ is set to on.

When retrieving your data from your DB (or file), run stripslashes() upon retrieving the variable to remove any escapes that were added in the DB (or file) variable insertion.

PHP Code:
// assign the unescaped value
$data = stripslashes( $db_data );

$data = stripslashes( $file_data );

// or strip while echoing
echo stripslashes( $db_data );

echo stripslashes( $file_data );


OKrogius,
You are in this community telling someone that if they were a good coder they wouldn't have to use stripslashes(), insinuating that you are a good coder ->

For one, to snap off typing at someone like that shows how ignorant you are...

Second, if you are insinuating that you are a good coder, you might wanna start re-thinking what you wanna do with your career as there is no room for a smart a s s like you in our development world...

Third, post why you are not supposed to use stripslashes(), you can post it, your friends can post it, it don't matter who posts it - I will be glad to show whoever why they are wrong...

#8  Taelo, October 27th, 2002, 07:13 PM
ok I checked my php.ini and Magic quotes is set to Off,...now

let me ask another silly question,...I only need to addslashes to strings correct?


and one final question,...is it better to run with magic quotes on? or use add/stripslashes in my code?


-- Jason

#9  OKrogius, October 27th, 2002, 10:18 PM
Quote:
Originally posted by Lindset


Care to elaborate on why you think one should never use stripslashes?


If you used addslashes() correctly, there should be no reason you need to strip anything. Something you might find worth reading - http://www.pinkgoblin.com/quotesarticle.php

Quick recap why stripslashes() shouldn't be used:
If ...gpc is enabled you shouldn't run addslashes(), that will add an extra set of slashes you don't want. If ...gpc() is off, you should add one set of slashes, and only one. Provided addslashes() has been used appropriately contents of your database should never have slashes in them.

Why?
CORRECT - insert into table set column='it\'s fun'; will place "it's fun" in your database
WRONG - insert into table set column='it\\\'s fun'; will place "it\'s fun" in your database

If anything in your database has slashes in it due to addslashes() used when entering it there - don't try to make your scripts slower or more complex than they have to be. Look where you have extra unneeded addslashes() in the beginning and fix that, don't add more stripslashes() at the end.

How do you tell when to add slashes? Read the article or see below.

Coding with magic_quotes_gpc is more of a preference imho. But to achieve maximum portability use this function on all get, post, and cookie values when you use them.

PHP Code:
// Escape a GET/POST/cookie value exactly once
function add_slashes($string) {
  if (get_magic_quotes_gpc() == 1) {
    // magic_quotes_gpc already escaped it
    return ( $string );
  } else {
    return ( addslashes( $string ) );
  }
}

Jpen, while I might not have been in the best mood to express my opinion I'm sure you have bad days too. Apologize, if I get on your foot, that wasn't my intention; hope no hard feelings left.

Last edited by OKrogius : October 27th, 2002 at 10:36 PM.
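
The CORRECT/WRONG cases from the post above, worked through as an added example that is not part of the original thread. decode_sql_literal() and stored_value() are hypothetical helpers, and the decoder is a simplified model of how MySQL reads a backslash-escaped string literal.

```php
<?php
// Added example. decode_sql_literal() is a hypothetical helper that mimics how
// MySQL reads a backslash-escaped, single-quoted string literal (simplified:
// '' doubling and the special cases for \% and \_ are not modelled).
function decode_sql_literal(string $literal): string
{
    static $special = ['0' => "\0", 'n' => "\n", 'r' => "\r", 't' => "\t",
                       'b' => "\x08", 'Z' => "\x1a"];
    $end = strlen($literal) - 1;
    if ($end < 1 || $literal[0] !== "'" || $literal[$end] !== "'") {
        throw new InvalidArgumentException('not a quoted literal');
    }
    $out = '';
    for ($i = 1; $i < $end; $i++) {
        $ch = $literal[$i];
        if ($ch === "'") {
            throw new InvalidArgumentException('unescaped quote ends the literal early');
        }
        if ($ch === '\\') {
            if (++$i >= $end) {
                throw new InvalidArgumentException('backslash escapes the closing quote');
            }
            // The backslash itself is dropped; only the escaped character is stored.
            $ch = $special[$literal[$i]] ?? $literal[$i];
        }
        $out .= $ch;
    }
    return $out;
}

// What ends up in the column after $passes rounds of addslashes(); null means
// the INSERT would not parse at all.
function stored_value(string $input, int $passes): ?string
{
    for ($n = 0; $n < $passes; $n++) {
        $input = addslashes($input);
    }
    try {
        return decode_sql_literal("'" . $input . "'");
    } catch (InvalidArgumentException $e) {
        return null;
    }
}

// Constructed samples: the thread's "it's fun" plus a value with a real backslash.
foreach (["it's fun", 'C:\\ drive'] as $input) {
    foreach ([0, 1, 2] as $passes) {
        $stored = stored_value($input, $passes);
        printf("%-10s passes=%d  %s\n", $input, $passes,
            $stored === null ? 'query fails'
                : ($stored === $input ? 'stored intact' : "stored as [$stored]"));
    }
}
```

Exactly one escaping pass stores the value as typed, so nothing needs stripping when it is read back; zero passes either break the query or silently lose the backslash, and two passes store the extra slashes.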

#10  jpenn, October 28th, 2002, 01:01 AM
Quote:
Jpen, while I might not have been in the best mood to express my opinion I'm sure you have bad days too. Apologize, if I get on your foot, that wasn't my intention; hope no hard feelings left.

No hard feelings at all - to apologize for the comments you made shows that you are a good person.......

Now, on to the article that you posted for review ->

While mq is a pain in the butt, some people have no option but to deal with it. stripslashes() must be used if mq is turned on and the ini_set() feature is disabled by the host and you are working with your superglobals: $_POST, $_REQUEST, etc... Example, if I submit a string as this -> This is Joe's Phone Number <- the $_POST will come in as -> This is Joe\'s Phone Number <- a prime example of where stripslashes() needs to be used...

So, what happens if a user submits this -> C:\ <- and you run stripslashes() automatically, it will strip the backslash in mistake. With mq set to 'on', it will not strip the backslash in mistake.

MQ's are a pain in the butt as I said earlier, but some do not have the option to adjust/change this setting, so the never use stripslashes() statement made in the article is an erroneous one and shouldn't be taken seriously....

P.S. In that article under final word, set_magic_quotes_runtime does not work on all configurations. Here is a better solution ->
PHP Code:
if ( ( bool ) ini_get( 'magic_quotes_runtime' ) )
    {
    // turn magic_quotes_runtime off for this script
    ini_set( 'magic_quotes_runtime', 0 );
    }


The above will turn it off at script runtime if it is set to on, but only if the ini_set() feature is available...

#11  OKrogius, October 28th, 2002, 06:25 AM
Quote:
Originally posted by jpenn

No hard feelings at all - to apologize for the comments you made shows that you are a good person.......

Now, on to the article that you posted for review ->

While mq is a pain in the butt, some people have no option but to deal with it. stripslashes() must be used if mq is turned on and the ini_set() feature is disabled by the host and you are working with your superglobals: $_POST, $_REQUEST, etc... Example, if I submit a string as this -> This is Joe's Phone Number <- the $_POST will come in as -> This is Joe\'s Phone Number <- a prime example of where stripslashes() needs to be used...

So, what happens if a user submits this -> C:\ <- and you run stripslashes() automatically, it will strip the backslash in mistake. With mq set to 'on', it will not strip the backslash in mistake.

MQ's are a pain in the butt as I said earlier, but some do not have the option to adjust/change this setting, so the never use stripslashes() statement made in the article is an erroneous one and shouldn't be taken seriously....

P.S. In that article under final word, set_magic_quotes_runtime does not work on all configurations. Here is a better solution ->
PHP Code:
if ( ( bool ) ini_get( 'magic_quotes_runtime' ) )
    {
    // turn magic_quotes_runtime off for this script
    ini_set( 'magic_quotes_runtime', 0 );
    }


The above will turn it off at script runtime if it is set to on, but only if the ini_set() feature is available...



Note: I'm not interested in debating the article I posted. There are points in there which I don't agree with entirely. My main point for posting it is it illustrates why stripslashes() shouldn't be used, which is what I'm convincing to you here.

I never suggested using set_magic_quotes_gpc() as it can be disabled via php.ini. get_magic_quotes_gpc() will always work and using that you can easily decide when to addslashes. magic_quotes_runtime() is enabled on only every hundredth computer, thank god. The prime worry should be the gpc. GPC does affect the insert/update queries as you're doing it from get or post. But gpc does NOT affect when you pull your info from a database. Therefore if you get in right (for which you can use the little snippet I pasted in my previous post), you should have no issues getting it out.

stripslashes() - evil and useless (unless you are a one in a million person who somehow has mq_runtime enabled, which needs to be removed from php overall imho)

Last edited by OKrogius : October 28th, 2002 at 06:29 AM.

#12  crazytrain81, October 28th, 2002, 09:26 AM
Taelo, to answer your question, if magic quotes gpc is off, you will need to addslashes when inserting data, and stripslashes when outputting it. Regardless of the silly debate over the merits of the function versus using magic quotes gpc, your situation requires you use stripslashes =)

OKrogius, thank you for the input, but I'm perfectly aware of the functions for using, and the behaviors accompanied by quotes in php and sql. Sorry for leaving out "if you don't have magic quotes gpc enabled" in my original post, but the fact he asked suggested to me that he had a problem relating to quotes and needed to use add/strip slashes.

#13  Taelo, October 28th, 2002, 10:54 AM
Thanks Crazy,...now here is a good one,....check this out...

mqgpc is off.
addslashes was used when the data went in to the db

I was using stripslashes when I echoed the data,.....I took off stripslashes and it still works like it did before.

I am confused :/

#14  crazytrain81, October 28th, 2002, 01:56 PM
if you are echoing "$var" the slashes will get parsed out. if you echo $var you will get the slashes unless you use stripslashes. it's kind of flakey.

#15  Taelo, October 28th, 2002, 02:58 PM
PHP Code:
<?=$row['P_TEXT']?>



That's what I am doing... and it works perfectly :/

#16  OKrogius, October 28th, 2002, 03:14 PM
Quote:
Originally posted by crazytrain81
Taelo, to answer your question, if magic quotes gpc is off, you will need to addslashes when inserting data, and stripslashes when outputting it. Regardless of the silly debate over the merits of the function versus using magic quotes gpc, your situation requires you use stripslashes =)

OKrogius, thank you for the input, but I'm perfectly aware of the functions for using, and the behaviors accompanied by quotes in php and sql. Sorry for leaving out "if you don't have magic quotes gpc enabled" in my original post, but the fact he asked suggested to me that he had a problem relating to quotes and needed to use add/strip slashes.


If magic_quotes_gpc IS ON you still do not need to use stripslashes().

#17  Taelo, October 28th, 2002, 03:39 PM
I realize that,...what I am saying is that it is Off,......and I still do not have to use stripslashes

#18  crazytrain81, October 28th, 2002, 04:36 PM
okrogius , i'm wondering what possessed you to say that. i never said you use stripslashes when it's on. in fact, i said ONLY IF GPC IS OFF do you use add OR strip slashes.

taelo i already answered you as well, if you're outputting the data with echo "" it will parse the escaped characters and display them correctly.

#19  OKrogius, October 29th, 2002, 05:03 PM
Quote:
Originally posted by crazytrain81
okrogius , i'm wondering what possessed you to say that. i never said you use stripslashes when it's on. in fact, i said ONLY IF GPC IS OFF do you use add OR strip slashes.

taelo i already answered you as well, if you're outputting the data with echo "" it will parse the escaped characters and display them correctly.


I never said a thing about avoiding addslashes(), you will have to use it sometimes (such as on systems with magic_quotes_gpc disabled). What I did say is that you should never need to use stripslashes().

#20  Ninj, February 6th, 2005, 06:51 PM
I still don't understand something.
How not to use stripslashes in my case:

i have a textarea.
i send it to another page through POST.
i want then to display it again in a textarea for editing purposes.
if the user entered a quote for example, and if i do:
$text = $_POST['text_body'];
echo "<textarea>$text</textarea>";
i get the \ before the quote.
i have MQ on, and can't turn it off. how not to use stripslashes here?

I may have missed something, in this case I apologize, but I can't figure out the way to do it without this function.

I thought passing the $text into a echo line would solve it, as I did, but not at all.
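
The form round trip from the post above, together with the C:\ case raised in post #10, as an added example that is not part of the original thread; it goes beyond the thread in also HTML-escaping the value for the textarea. request_value() and textarea() are hypothetical helpers, and the magic-quotes state is passed in as a parameter (on the PHP versions discussed here it would come from get_magic_quotes_gpc()).

```php
<?php
// Added example; helper names are hypothetical. $magicQuotesOn is a parameter
// so the code runs on any PHP version.
function request_value(array $post, string $key, bool $magicQuotesOn): string
{
    $value = isset($post[$key]) && is_string($post[$key]) ? $post[$key] : '';
    // Undo the automatic escaping once, and only if it was applied.
    return $magicQuotesOn ? stripslashes($value) : $value;
}

function textarea(string $name, string $value): string
{
    // The output context is HTML, so escape for HTML here, not for SQL.
    return sprintf(
        '<textarea name="%s">%s</textarea>',
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
    );
}

// Constructed sample: what the user typed into the form.
$typed = 'Joe\'s notes are in C:\\ under "docs" & <old>';

// The same submission as the script sees it on the two configurations.
$postMqOn  = ['text_body' => addslashes($typed)]; // magic_quotes_gpc = On
$postMqOff = ['text_body' => $typed];             // magic_quotes_gpc = Off

$fromOn  = request_value($postMqOn, 'text_body', true);
$fromOff = request_value($postMqOff, 'text_body', false);
printf("MQ on,  conditional strip: %s\n", $fromOn === $typed ? 'intact' : 'changed');
printf("MQ off, conditional strip: %s\n", $fromOff === $typed ? 'intact' : 'changed');

// Unconditional stripslashes() on the Off server eats the real backslash.
$blind = stripslashes($postMqOff['text_body']);
printf("MQ off, blind strip:       %s\n",
    $blind === $typed ? 'intact' : "changed to [$blind]");

// Redisplay for editing: the value is escaped for HTML at the point of output.
echo textarea('text_body', $fromOn), "\n";
```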

#21  Viper_SB, February 7th, 2005, 05:48 PM
