Stripslashes after reading MySQL records

The forum is closed. Please use Stack Overflow for submitting new questions. Use tags: tinybutstrong, opentbs
By: Don Bledsoe
Date: 2007-05-23
Time: 13:48

Stripslashes after reading MySQL records

When I add records to my database, I use the PHP addslashes() statement. Is there an easy way to stripslashes() before doing the $TBS->MergeBlock() to remove them?
By: Skrol29
Date: 2007-05-23
Time: 16:19

Re: Stripslashes after reading MySQL records

You are not supposed to save the slashes in the database. Addslashes() is just used to protect the data from SQL injection or other SQL statement problems. You add slashes in the SQL statement, but the SQL statement does not save them in the database.

Or maybe I have misunderstood your problem.

Anyway, if you want to strip the slashes before merging, you can use the parameter "ondata", which can call a custom function for each record.

Take also a look at TbsSQL:
http://www.tinybutstrong.com/tools.php

By: Don Bledsoe
Date: 2007-05-24
Time: 03:34

Re: Stripslashes after reading MySQL records

Am I correct that I will only need to specify the rows that need the special handling, or should I do it for all rows?
By: Skrol29
Date: 2007-05-24
Time: 11:53

Re: Stripslashes after reading MySQL records

I'm afraid I don't understand your question.
Maybe I've missed what you're trying to do.
What special handling ?
By: Don Bledsoe
Date: 2007-05-24
Time: 12:15

Re: Stripslashes after reading MySQL records

Here's what I tried:

I removed the addslashes() statements before the MySQL record is inserted. If the last name is O'Brien, it is saved as O\'Brien.

Now, when the record is selected, I will need to remove the slash before it is displayed.

Is there an example "custom function" I can follow to add a stripslashes() statement?
By: Skrol29
Date: 2007-05-24
Time: 14:15

Re: Stripslashes after reading MySQL records

Hi,

From my point of view there is no need to save the data with slashes.
Your statement should be like this:
$id = 29;
$name = "O'Brien";
$sql = "INSERT INTO t_table (id,name) VALUES (".mysql_escape_string($id).",'".mysql_escape_string($name)."')";

But if you have it with slashes now, you can take it off when merging with a custom function. You have an example of this at the Example Page. Choose section "Event functions".
By: Don Bledsoe
Date: 2007-05-24
Time: 20:21

Re: Stripslashes after reading MySQL records

The problem is that when I enter O'Brien into a form and then view the record, it is displayed as O\'Brien, so I assumed that MySQL is doing that during the INSERT TO call. I removed all references to addslashes() in my code and it still does it. I don't care that it is there, as long as I can remove it. I'll go check the example.

Thank you for your help.
By: Skrol29
Date: 2007-05-24
Time: 21:43

Re: Stripslashes after reading MySQL records

By: desbest
Date: 2011-07-10
Time: 13:24

Re: Stripslashes after reading MySQL records

You said Skrol29
"You are not supposed to save the slashes in the database. Addslashes() is just used to protect the data from SQL injection or other SQL statement problems. "

I don't understand this.
If I insert user input to my MySQL database, and it has no slashes, then it's possible that an SQL injection can happen, due to the user input not being escaped.
I believe the correct thing to do in coding is to store the slashes in the database, and escape them on output, for security reasons.
Am I right?
By: Skrol29
Date: 2011-07-11
Time: 19:01

Re: Stripslashes after reading MySQL records

> Am I right?

Not in my opinion. And this is not the art of coding.
You should store in the database only the pure data, without formatting or technical operation.
This is because your data may have several outputs, like an HTML page, a PDF document, an OpenOffice document, an Excel worksheet, a JavaScript popup...
And, moreover, preventing SQL injection is something to do when you are querying the server. When the data is stored, it is over.
So you have to protect the data before inserting them, but you have to insert pure data.

By: desbest
Date: 2011-07-11
Time: 21:05

Re: Stripslashes after reading MySQL records

You are right.
For anyone who comes across this thread in the future, wanting to know how they can store pure data in a database that has an apostrophe in it, when enclosed in them, they should use mysql_real_escape_string() instead of stripslashes().
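
The approach Skrol29 describes in this thread (protect the query, store pure data, encode per output), as an added example that is not part of any post. It assumes PHP's PDO with an in-memory SQLite database so it runs offline, goes slightly beyond the thread by using bound parameters instead of string escaping, and uses constructed rows and a hypothetical `f_strip_name` handler.

```php
<?php
// Added example, not code from the thread. Assumption: the PDO SQLite driver,
// so it runs offline; with MySQL only the DSN changes. All rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE t_table (id INTEGER PRIMARY KEY, name TEXT)');

// Bound parameters travel separately from the SQL text, so a quote in the
// value cannot end the string literal and nothing has to be escaped by hand.
$insert = $db->prepare('INSERT INTO t_table (id, name) VALUES (:id, :name)');

// Row 29: pure data. The database stores exactly what was typed.
$insert->execute([':id' => 29, ':name' => "O'Brien"]);
// Row 30: the value was escaped before it reached the query layer, so the
// backslash is now part of the data and gets stored (O\'Brien, as in the thread).
$insert->execute([':id' => 30, ':name' => addslashes("O'Brien")]);
// Row 31: input containing SQL syntax is stored as inert text.
$insert->execute([':id' => 31, ':name' => "x' OR '1'='1"]);

$rows = $db->query('SELECT id, name FROM t_table ORDER BY id')
           ->fetchAll(PDO::FETCH_ASSOC);

// Hypothetical handler in the shape of a TinyButStrong "ondata" function
// (block name, current record by reference, record number). It repairs a
// record that was stored with slashes, just before it is merged.
function f_strip_name($BlockName, &$CurrRec, $RecNum)
{
    $CurrRec['name'] = stripslashes($CurrRec['name']);
}

foreach ($rows as $i => $row) {
    $fixed = $row;
    if ($row['id'] == 30) {                 // only the row known to be affected
        f_strip_name('blk', $fixed, $i + 1);
    }
    // Encoding is chosen per output: this one is for an HTML page.
    printf(
        "id=%d stored=[%s] merged=[%s] html=[%s]\n",
        $row['id'],
        $row['name'],
        $fixed['name'],
        htmlspecialchars($fixed['name'], ENT_QUOTES, 'UTF-8')
    );
}
```

Run the stripslashes() cleanup only against rows known to carry the extra escaping, because on clean data it also removes backslashes that belong to the value.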