[nycphp-talk] SQL injection and stripslashes
Charles Collicutt
charles.collicutt at holyblasphemy.org
Thu Aug 3 07:47:12 EDT 2006
Hi,
I just read the PHundamentals article on storing and retrieving data
from a database. Near the bottom, it says that if I follow the authors'
best practice recommendations then I won't need to use stripslashes. I
actually found that page by following a link from Chris Shiflett's
Security Corner page, in which, when asked how to reverse
mysql_real_escape_string, he wrote, "[Y]ou should never have to reverse
that. If you do, it means you've done something wrong." So, I must be
doing something wrong...
Say I want to store a user's name in my database and their name contains
an apostrophe. When I escape that string, a backslash will be inserted
before the apostrophe. Later, I need to pull that name out of the
database for display (or to use it elsewhere in the script, or something).
How do I get rid of the backslash without using stripslashes or something
similar?
I'd be very grateful for any help.
PHundamentals article:
http://www.nyphp.org/phundamentals/storingretrieving.php
Security Corner: SQL Injection:
http://shiflett.org/articles/security-corner-apr2004
Thanks.
--
Charles
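As an added illustration (not part of the original post, and using Python's built-in sqlite3 rather than PHP and MySQL), the example below shows why a correctly escaped value comes back out of the database without any escape characters: the escaping is consumed by the SQL parser when the statement is executed, so only the original text is stored. SQLite escapes an apostrophe by doubling it where MySQL's mysql_real_escape_string uses a backslash, but the round-trip behaviour is the same. The third function reproduces the mistake that does leave escape characters in the table: escaping a value and then also passing it as a bound parameter (the same effect as escaping twice). The table name, column names and sample name are constructed for the example.

```python
import sqlite3


def sql_escape(value: str) -> str:
    """Escape a string for inclusion inside single quotes in SQL text.

    Standard SQL (and SQLite) doubles the single quote; MySQL's
    mysql_real_escape_string emits a backslash instead. Either way the
    escape exists only so the parser reads the statement correctly; it is
    not part of the value the database stores.
    """
    return value.replace("'", "''")


def setup() -> sqlite3.Connection:
    # Constructed in-memory schema for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def store_with_escaping(conn: sqlite3.Connection, name: str) -> str:
    """Escape once and interpolate into the statement text (the pre-prepared-statement style)."""
    escaped = sql_escape(name)
    conn.execute(f"INSERT INTO users (name) VALUES ('{escaped}')")
    return escaped  # the statement text contains the escape, the table will not


def store_with_parameter(conn: sqlite3.Connection, name: str) -> None:
    """Bind the raw value as a parameter; the driver handles quoting, no escaping needed."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))


def store_double_escaped(conn: sqlite3.Connection, name: str) -> None:
    """The mistake: escape the value AND bind it as a parameter.

    The escape characters are now data, not syntax, so they are stored and
    come back on SELECT. This is the situation that tempts people to
    reach for stripslashes on output.
    """
    escaped = sql_escape(name)
    conn.execute("INSERT INTO users (name) VALUES (?)", (escaped,))


def fetch_names(conn: sqlite3.Connection) -> list[str]:
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY id")]


def demo() -> list[str]:
    conn = setup()
    name = "O'Brien"  # constructed sample value containing an apostrophe
    store_with_escaping(conn, name)
    store_with_parameter(conn, name)
    store_double_escaped(conn, name)
    return fetch_names(conn)


if __name__ == "__main__":
    for stored in demo():
        print(repr(stored))
```

Running the block prints the first two rows as the original name and only the third, double-escaped row with a doubled quote: escaping once per query (or binding a parameter) never requires undoing anything on the way out.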