Escaping special characters for storage in database (MySQL)

hello all,
I am inserting data (text) to a MySQL database. I need to escape database control characters before I actually send the SQL statement to the database.



Some questions:



1.

If I use addslashes(), I do my job but… do I have to use stripslashes() when I retrieve my data from the database? Using the MySQL command line interface, I access my database and the record in question simply has no added slashes. So, I assume that there is no need to use stripslashes() when taking data out of the database. What do you think?

( I have magic_quotes_gpc set to off)



2.

Another question arises when it comes to storing binary data in a blob column of a table in my MySQL database. I read somewhere that using addslashes() can corrupt the data and the safest way when storing binary data is to use the base64_encode() function. I read about it and I am now familiar with what it does. I also know that the size of the encoded file can be 33% larger than the original. I am prepared for that. What do you think?



3.

How about using the mysql_real_escape_string() instead of addslashes?



Thanks.
daidalus13

Yes, addslashes will work.
MySQL uses quotes when entering data so extra quotes will break the query.
As you oberved, there's no need to use stripslashes when retrieving data.

I've always heard you should do the base64_encode() but I may be wrong.

Either one will work.
It's largely a matter of preference though it's recommened that you use the mysql_real_escape_string.
Hope this helps!