[SOLVED] stripslashes enough?

Lee · #1 (**permalink**) 08-11-2007, 02:01 PM

Simple question really, is stripslashes() enough to prevent mysql injections or do you have to go through many things like the mysql escape function and others...?

This will be used on a user registration page.

TeraTask · #2 (**permalink**) 08-11-2007, 08:59 PM

I recommend using one of the functions from my tutorial: TUTORIAL: MySQL Injection Attack Prevention in PHP

Lee · #3 (**permalink**) 08-12-2007, 04:08 AM

Quote:

Originally Posted by TeraTask

I recommend using one of the functions from my tutorial: TUTORIAL: MySQL Injection Attack Prevention in PHP

Yes i remembered that but this is why i ask, is there really any need for a big function, will stripslashes not do the job on its own?

TeraTask · #4 (**permalink**) 08-12-2007, 04:14 AM

Well, the more important thing is to remember to use mysql_real_escape_string. That's all you have to use if you aren't affected by the MySQL advisement:

Quote:

Note: mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.

I don't think of it as that much code though - to use, you only call a different function name: sql_safe(); with various parameters as needed.

Lee · #5 (**permalink**) 08-12-2007, 05:17 AM

Ok Thanks, I was just wondering though, how do you get the input back to how it was input? As with mysql_real_escape_string() it puts in back slashes then that value would be in the database, then when you get it out you would want it back to normal?

TeraTask · #6 (**permalink**) 08-12-2007, 05:43 AM

Most of the time that's done for you automatically. If not, you can then stripslashes.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

The Following User Says Thank You to TeraTask For This Useful Post:
Lee (08-12-2007)