NYCPHP Meetup

NYPHP.org

[nycphp-talk] SQL injection and stripslashes

Kenneth Downs ken at secdat.com
Thu Aug 3 07:51:24 EDT 2006


Charles Collicutt wrote:

>Say I want to store a user's name in my database and their name contains 
>an apostrophe. When I escape that string, a backslash will be inserted 
>before the apostrophe. Later, I need to pull that name out of the 
>database for display (or use elsewhere in the script or something). How 
>do I get rid of the backslash without using stripslashes or something 
>similar?
The backslash is not stored in the database.  It tells the database that 
the apostrophe (technically: single-quote) is not an endquote, and that 
the single-quote is part of the column's value.  The database discards 
the backslash and stores the single-quote as part of the value.  When 
you retrieve it, you get the value without the backslash.

But when you send it back to the database, you must escape the string 
again.  All writes to the db must do that.
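The round trip Ken describes, as an added example that is not part of the original thread: the value is escaped on the way in, the parser consumes the escape, the stored and retrieved value carries the bare apostrophe, and the next write has to escape again. It uses Python's sqlite3 module in place of PHP/MySQL so that it runs offline; SQLite escapes a single quote by doubling it rather than with the backslash MySQL's addslashes() produces, but the parser treats both the same way. The table, column, sample names and the `' OR '1'='1` probe are all constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the original post): names with apostrophes.
SAMPLE_NAMES = ["O'Brien", "D'Angelo"]


def escape_sql_string(value: str) -> str:
    """Escape a value for use inside a single-quoted SQL literal.

    SQLite (standard SQL) escapes a single quote by doubling it; MySQL also
    accepts the backslash form produced by addslashes() or
    mysql_real_escape_string(). Either way the escape character is consumed
    by the SQL parser and never reaches the stored value.
    """
    return value.replace("'", "''")


def setup_db() -> sqlite3.Connection:
    """Fresh in-memory database with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL)")
    return conn


def insert_escaped(conn: sqlite3.Connection, name: str) -> None:
    """Write path that builds the statement text by hand and escapes the value."""
    conn.execute(f"INSERT INTO users (name) VALUES ('{escape_sql_string(name)}')")


def insert_parameterized(conn: sqlite3.Connection, name: str) -> None:
    """Write path using a bound parameter: the value never becomes part of the
    statement text, so there is nothing to escape."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))


def fetch_names(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY rowid")]


def round_trip(name: str) -> tuple:
    """Store a name with escaping, read it back, then write the read value again.

    Returns (first_read, second_read). Both equal the original text with no
    escape characters in it; the second write still needed escaping, because
    the escape belongs to the statement, not to the data.
    """
    conn = setup_db()
    insert_escaped(conn, name)
    first = fetch_names(conn)[0]
    insert_escaped(conn, first)  # escape again on every write
    second = fetch_names(conn)[1]
    return first, second


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Interpolates the raw value: attacker-controlled text rewrites the query."""
    return [row[0] for row in conn.execute(f"SELECT name FROM users WHERE name = '{name}'")]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the same text is compared literally against the column."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def demo() -> dict:
    conn = setup_db()
    insert_parameterized(conn, SAMPLE_NAMES[0])
    insert_escaped(conn, SAMPLE_NAMES[1])
    probe = "' OR '1'='1"  # constructed injection probe
    return {
        "stored": fetch_names(conn),            # bare apostrophes, no escapes
        "round_trip": round_trip(SAMPLE_NAMES[0]),
        "unsafe_lookup": lookup_unsafe(conn, probe),  # every row comes back
        "safe_lookup": lookup_safe(conn, probe),      # no row has that literal name
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running it shows that both write paths store exactly `O'Brien` and `D'Angelo`, that reading and re-writing the value needs the escape applied again, and that interpolating the probe string into a WHERE clause returns every row while the bound-parameter version returns none. The bound-parameter path is the one to prefer: escaping by hand is correct only when it is applied on every write, in the right dialect, which is exactly the discipline the thread is worried about.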