[nycphp-talk] Re: New PHundamentals Article
Dan Cech
dcech at phpwerx.net
Mon Jan 5 13:27:52 EST 2004
Hi Emmanuel,
Emmanuel Décarie wrote:
> Hi there,
>
> I think that there's 3 points that need clarification:
> <http://phundamentals.nyphp.org/5.php?expiredate=1/19/2004&topicnumber=5>
>
> (1) "Best Practice: Do not use the function addslashes but, instead, use a
> function that is specific to your database."
>
> Could the tutorial elaborate a little bit more on this? I have been using
> addslashes with Mysql with no problems and the tutorial doesn't convince me why
> I should change to mysql_escape_string/mysql_real_escape_string.
Addslashes will escape " (double quote), ' (single quote), \ (backslash)
and NUL (the null byte) with a backslash.
mysql_real_escape_string will take into account the character set of the
current connection, and escape characters as appropriate. Both
mysql_escape_string and mysql_real_escape_string will also quote
instances of other characters which are 'special' in mysql, including:
  \0   An ASCII 0 (NUL) character.
  \'   A single quote (`'') character.
  \"   A double quote (`"') character.
  \b   A backspace character.
  \n   A newline character.
  \r   A carriage return character.
  \t   A tab character.
  \z   ASCII(26) (Control-Z). This character can be encoded to allow you to
       work around the problem that ASCII(26) stands for END-OF-FILE on
       Windows. (ASCII(26) will cause problems if you try to use
       mysql database < filename.)
  \\   A backslash (`\') character.
In addition, they will encode any newlines into their encoded (\n or
\r\n) counterpart.
All of the database-specific functions include these kinds of special
cases for the particular database, whereas addslashes does not. For
simple data it will work, but sooner or later you are going to end up in
a situation where addslashes alone will fail.
> (2) htmlentities/htmlspecialchars
>
> I think the tutorial should insist that the best practice is not using these
> functions on data that you want to *insert* in a database.
This is very true; I think that the article makes this fairly clear.
This is not a matter of best practice, but something that should
(almost) never be done.
> (3) "You will notice that two commands - addslashes and stripslashes - are
> conspicously absent from this article. If you follow our best practice
> recommendations, there is no need to use either one of these functions in the
> situations that have been examined."
>
> The bit on stripslashes also needs some clarification. Every time I insert some
> values in Mysql, I use addslashes, and when I want to get back these values from
> the database, I always use stripslashes on these values but the tutorial makes
> me realize now how stupid I am and that there's no need in fact to use
> stripslashes in this case. I don't know where I got this idea, but anyway, I'm
> sure many people fell into this trap.
>
> Anyway, thanks for the tutorial, I learned something :).
>
> PS: My spell checker (Grammarian/OS X) flagged 'conspicously' and wanted
> 'conspicuously' instead.
Conspicuously is correct.
Dan
> Cheers
> -Emmanuel
> --
> Emmanuel Décarie / Programmation pour le Web - Programming for the Web
> <http://scriptdigital.com/> - Blog: <http://blog.scriptdigital.com> - AIM: scriptdigital
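As an added example (not code from this post or from the PHundamentals article), here are Python ports of PHP's addslashes() and of the mysql_escape_string() rule set listed in Dan's reply, run on a constructed field value to show which of MySQL's special characters each one leaves untouched. The connection-charset handling that mysql_real_escape_string adds needs a live connection and is not modelled; the function names and the sample value are assumptions.

```python
# Added example: side-by-side port of the two escaping rule sets from the post.
# Not the PHP implementation itself; charset-aware escaping is not modelled.

# PHP addslashes(): only the four characters named in the post are escaped.
ADDSLASHES_MAP = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\x00": "\\0"}

# The nine escapes from the MySQL manual excerpt quoted in the post.
MYSQL_MAP = {
    "\x00": "\\0",   # NUL
    "'": "\\'",
    '"': '\\"',
    "\x08": "\\b",   # backspace
    "\n": "\\n",
    "\r": "\\r",
    "\t": "\\t",
    "\x1a": "\\Z",   # Control-Z; MySQL spells this escape with a capital Z
    "\\": "\\\\",
}


def addslashes(s: str) -> str:
    """Port of PHP addslashes(): quotes, backslash and NUL only."""
    return "".join(ADDSLASHES_MAP.get(ch, ch) for ch in s)


def mysql_escape_string(s: str) -> str:
    """Port of the mysql_escape_string() rules quoted in the post."""
    return "".join(MYSQL_MAP.get(ch, ch) for ch in s)


def left_raw(escape, s: str) -> list:
    """MySQL-special characters in s that `escape` passes through unchanged."""
    return sorted(ch for ch in set(s) if ch in MYSQL_MAP and escape(ch) == ch)


# Constructed sample field: a quote, a tab, a newline and a Control-Z byte.
SAMPLE = "O'Brien\tline one\nline two\x1aend"

if __name__ == "__main__":
    for name, fn in (("addslashes", addslashes),
                     ("mysql_escape_string", mysql_escape_string)):
        print(f"{name:20} -> {fn(SAMPLE)!r}")
        print(f"{'':20}    left raw: {left_raw(fn, SAMPLE)!r}")
```

Running it shows addslashes passing the tab, newline and Control-Z through untouched, while the MySQL rule set encodes all of them.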