[nycphp-talk] SQL injection and stripslashes

Ken Robinson kenrbnsn at rbnsn.com
Thu Aug 3 07:56:30 EDT 2006


At 07:47 AM 8/3/2006, Charles Collicutt wrote:

>Say I want to store a user's name in my database and their name contains
>an apostrophe, when I escape that string a backslash will be inserted
>before the apostrophe. Later, I need to pull that name out of the
>database for display (or use elsewhere in the script or something.) How
>do I get rid of the backslash without using stripslashes or something
>similar?

I have found that when I use the function mysql_real_escape_string()
instead of addslashes() the backslash is not stored in the database.
I also have magic_quotes_runtime disabled in php.ini.

Ken 
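
What happens to the escaping backslash between PHP and the stored row, as an added example that is not part of the original thread. mysql_literal_decode() is a hypothetical model of how MySQL reads a single-quoted literal under its default sql_mode, addslashes() stands in for the escaping step because mysql_real_escape_string() needs a live connection (both emit \' for an apostrophe), and the name is constructed sample input.

```php
<?php
// Added example, not code from the thread.
// mysql_literal_decode() is a hypothetical model of how MySQL reads a
// single-quoted string literal with NO_BACKSLASH_ESCAPES off (the default).
function mysql_literal_decode(string $literal): string
{
    $end = strlen($literal) - 1;
    if ($end < 1 || $literal[0] !== "'" || $literal[$end] !== "'") {
        throw new InvalidArgumentException('not a single-quoted literal');
    }
    $special = ['0' => "\0", 'n' => "\n", 'r' => "\r", 't' => "\t",
                'b' => "\x08", 'Z' => "\x1a"];
    $out = '';
    for ($i = 1; $i < $end; $i++) {
        $c = $literal[$i];
        if ($c === '\\' && $i + 1 < $end) {
            $next = $literal[++$i];
            if ($next === '%' || $next === '_') {
                $out .= '\\' . $next;             // kept for LIKE patterns
            } else {
                $out .= $special[$next] ?? $next; // the backslash is consumed here
            }
        } elseif ($c === "'" && $i + 1 < $end && $literal[$i + 1] === "'") {
            $out .= "'";                          // '' is also a literal quote
            $i++;
        } elseif ($c === "'" || $c === '\\') {
            throw new InvalidArgumentException('literal ends early at offset ' . $i);
        } else {
            $out .= $c;
        }
    }
    return $out;
}

$name  = "O'Brien";            // constructed sample input
$once  = addslashes($name);    // one escaping pass before building the query
$twice = addslashes($once);    // input that was already escaped, escaped again

$storedOnce  = mysql_literal_decode("'" . $once . "'");
$storedTwice = mysql_literal_decode("'" . $twice . "'");

// Does the value stored after one pass equal the original input?
var_dump($storedOnce === $name);
// Does the value stored after two passes contain a backslash?
var_dump(strpos($storedTwice, '\\') !== false);
```
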



