> > I usually call stripslashes() when I read the info from the database (MySQL).
> > Because the information was inserted after adding slashes, or the
> > system has magic_quotes_gpc set to ON.
> > 
> > I'd like to know if I can do stripslashes() directly, as it is supposed
> > that all data was inserted into the DB after slashing the vars. I mean,
> > should I check beforehand whether magic_quotes_gpc is on or not?
> > 
> > As far as I know, magic_quotes_gpc has nothing to do with info read from the
> > DB, as it only affects Get/Post/Cookie values.
> > 
> > I'm thinking of making a check like this:
> > 
> > $result = mysql_query("SELECT ....");
> > $row = mysql_fetch_assoc($result);
> > 
> > foreach ($row as $key => $value) {
> >      $row[$key] = stripslashes($value);
> > }
> > 
> > But I'm not sure if it is really necessary, as I'm getting some confusing results.
> > 
> 
> What you *should* be doing is checking for magic quotes when inserting into the DB.
> 
> if(!get_magic_quotes_gpc()) {
>   $value = mysql_real_escape_string($value);
> }
> 
> $query = 'INSERT INTO table (field) VALUES ("'.$value.'")';
> mysql_query($query);

To add further comment.  If you're required to run stripslashes() on
data coming out of your database then you did something wrong.  Your
code would have essentially looked like the following before insertion:

  $var = addslashes(addslashes($var));

Where 'magic_quotes_gpc = on' essentially executed one of those
addslashes().  The above use of get_magic_quotes_gpc() shows you 
how to add slashes just once thus not having a bunch of \' type 
badness inside your database.  Remember backslashes are only 
added to make proper strings for db insertion so the backslashes 
should never actually make it into the database.

Regards,
Philip

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
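
The double-escaping effect discussed in this thread, as an added example that is not code from any of the messages above. The helper names are hypothetical, magic_quotes_gpc is simulated with addslashes(), and stripslashes() serves as a simplified model of the server decoding a quoted string literal.

```php
<?php
// Added illustration, not code from the thread. Helper names are hypothetical.

// What magic_quotes_gpc = on did to each GET/POST/COOKIE value before the script ran.
function magic_quotes(string $raw): string
{
    return addslashes($raw);
}

// Simplified model of the server decoding a quoted SQL string literal: one level
// of backslash escaping is consumed, and the result is what the column stores.
function stored_value(string $literalBody): string
{
    return stripslashes($literalBody);
}

// Escape exactly once, as the get_magic_quotes_gpc() check in the thread does.
// addslashes() stands in for mysql_real_escape_string(), which needs a connection.
function escape_once(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? $value : addslashes($value);
}

$samples = ["O'Reilly", 'C:\\temp', 'say "hi"'];   // constructed sample inputs

foreach ($samples as $raw) {
    $gpc = magic_quotes($raw);                         // script input with the setting on

    $single = stored_value(escape_once($gpc, true));   // one escape in total
    $double = stored_value(addslashes($gpc));          // addslashes(addslashes($raw))

    printf("raw input          : %s\n", $raw);
    printf("stored, one escape : %s (%s)\n", $single, $single === $raw ? 'intact' : 'corrupted');
    printf("stored, two escapes: %s (%s)\n", $double, $double === $raw ? 'intact' : 'corrupted');
    // Blanket stripslashes() on read repairs the double-escaped row but damages
    // a correctly stored one that legitimately contains a backslash.
    printf("read + stripslashes: %s | %s\n\n", stripslashes($double), stripslashes($single));
}
```

The last line of each group shows both sides of the original question: stripslashes() on read only hides the double escape, and on a correctly stored value such as the path sample it removes a backslash that belongs to the data.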
