Must I still use addslashes with PEAR DB?
Joe Randstein

2004-04-29, 5:14 pm

Hi!
I now use the DB classes from PEAR with mysql. Do I still have to use
addslashes?
I ask, because I get some very strange results, I get slashes in front
of every " and they get saved in my database :-(

Now my hoster has turned magic_quotes_gpc on anyway. As a workaround:
On a PHP-environment where magic_quotes_gpc is turned on, can I do
stripslashes on every request-data without danger?

Or what is the recommended way to safely insert request-data into
mysql with PEAR?

Thanks for your answer

Andy Hassall

2004-04-29, 5:14 pm

On 29 Apr 2004 07:38:49 -0700, javawocky@hotmail.com (Joe Randstein) wrote:

>I now use the DB classes from PEAR with mysql. Do I still have to use
>addslashes?
>I ask, because I get some very strange results, I get slashes in front
>of every " and they get saved in my database :-(
>
>Now my hoster has turned magic_quotes_gpc on anyway. As a workaround:
>On a PHP-environment where magic_quotes_gpc is turned on, can I do
>stripslashes on every request-data without danger?
>
>Or what is the recommended way to safely insert request-data into
>mysql with PEAR?


Using PEAR's placeholder emulation, without adding slashes. Prepare a
statement using ? for the placeholders and bind the data you want saved without
any modification.

Do not embed values in the SQL statement.

INSERT INTO t (c) values (?) -- correct
INSERT INTO t (c) values ('?') -- wrong, most of the time
INSERT INTO t (c) values ('$val') -- very wrong

http://pear.php.net/manual/en/packa...tro-execute.php

--
Andy Hassall <andy@andyh.co.uk> / Space: disk usage analysis tool
http://www.andyh.co.uk / http://www.andyhsoftware.co.uk/space
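
The three statement forms from the reply above, together with the stored-backslash symptom from the question, as an added example that is not part of the original thread. It uses PDO with an in-memory SQLite database as a stand-in for PEAR DB and MySQL (an assumption, so that it runs without a server); the ? placeholder rule is the same, the store() and report() helpers are hypothetical, and $val is constructed sample input.

```php
<?php
// Added example. PDO with in-memory SQLite stands in for PEAR DB + MySQL
// (assumption) so this runs without a server. Table t and column c are
// from the reply; $val is constructed sample input.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE t (id INTEGER PRIMARY KEY, c TEXT)');

$val = 'He said "it\'s fine"';

// Hypothetical helper: run one INSERT, then return what the table now holds.
function store(PDO $db, $sql, array $params)
{
    $db->prepare($sql)->execute($params);
    return $db->query('SELECT c FROM t ORDER BY id DESC LIMIT 1')->fetchColumn();
}

// Hypothetical helper: print the stored value and whether it equals the input.
function report($label, $stored, $val)
{
    printf("%-26s stored=%s  identical=%s\n", $label, $stored,
        $stored === $val ? 'yes' : 'no');
}

// Bare placeholder, unmodified value bound: the driver handles the quoting.
report('placeholder, raw value',
    store($db, 'INSERT INTO t (c) VALUES (?)', array($val)), $val);

// The symptom from the question: addslashes() (which is what
// magic_quotes_gpc applies to request data) followed by binding.
// The backslashes are now part of the data and are saved with it.
report('placeholder, addslashes',
    store($db, 'INSERT INTO t (c) VALUES (?)', array(addslashes($val))), $val);

// Quoted '?' is a one-character string literal, not a placeholder.
report("quoted '?'",
    store($db, "INSERT INTO t (c) VALUES ('?')", array()), $val);

// Value interpolated into the SQL text: the apostrophe in $val closes the
// string literal early, so the statement no longer means what was intended.
try {
    $db->exec("INSERT INTO t (c) VALUES ('$val')");
    echo "interpolated: accepted\n";
} catch (PDOException $e) {
    echo "interpolated: rejected, ", $e->getMessage(), "\n";
}
```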