This question already has answers here (closed 7 years ago). Possible duplicate: Using stripslashes after mysql_real_escape_string
I have been reading most recently about prevention of SQL injection and I am trying to develop some sense of understanding between the different functions so that I can learn the basics.
I have read about mysql_real_escape_string and I understand that it is basically escaping characters which it deems "special" so that they are not confused for SQL syntax?
Now, assuming that is at least to some degree true - is there a need to use the stripslashes function combined with mysql_real_escape_string? I'm wondering what stripslashes is and what it is for.
If you use stripslashes on input right after using mysql_real_escape_string, you will effectively undo it. There are probably other reasons to use stripslashes, but in my case I have only ever needed it to undo the horror that is magic quotes. It's actually the opposite of addslashes.
addslashes does not necessarily escape input the same as mysql_real_escape_string does, and they cannot be used for the same purpose.
Even better than mysql_*, you should read up on using prepared statements like in PDO. Then you don't even have to worry about mysql_* or stripslashes (except for magic quotes).
The function stripslashes() will unescape characters that are escaped with a backslash, \. It is commonly used on strings that are escaped via addslashes(), or if your PHP configuration has magic_quotes enabled.
When using SQL-escaping functions such as mysql_real_escape_string(), there is no need to use stripslashes() because the MySQL adapter will only escape the values on insertion into the database - the slashes will not remain in the actual values. If you were to use stripslashes() on a variable that you already escaped with mysql_real_escape_string(), it will remove the slashes as if it were escaped using addslashes() - fairly pointless though.
If your goal is to prevent SQL injection, I would highly recommend looking into MySQLi or PDO as opposed to the older mysql_ methods. Both MySQLi and PDO offer prepared statements which, if used properly, will prevent SQL injection without the need to remember to call special escaping functions or to worry that your data will be modified by them.
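The two answers above both make the same point: stripping after escaping re-arms the quote, and a prepared statement avoids the whole problem. This added example (not code from the question or any answer) shows both in a script that runs without a MySQL server. Assumptions: addslashes() stands in for mysql_real_escape_string() so the escape/strip step is visible, and PDO uses an in-memory SQLite database (pdo_sqlite extension) for the prepared-statement part.

```php
<?php
// Added example: escaping undone by stripslashes(), then the prepared-statement
// alternative. addslashes() is a stand-in for mysql_real_escape_string() here
// (the answers note they are not equivalent; this only demonstrates the undo effect).

// Constructed input containing the one character an escaper must neutralise.
$input = "O'Reilly";

// 1) Escape, then strip: the quote is live again inside the SQL string literal.
$escaped  = addslashes($input);      // O\'Reilly
$stripped = stripslashes($escaped);  // O'Reilly (escaping undone)

$escapedQuery  = "SELECT * FROM users WHERE name = '$escaped'";
$strippedQuery = "SELECT * FROM users WHERE name = '$stripped'";
echo $escapedQuery, PHP_EOL;   // ... name = 'O\'Reilly'  (quote stays inside the literal)
echo $strippedQuery, PHP_EOL;  // ... name = 'O'Reilly'    (quote now terminates the literal)

// 2) Prepared statement: the value never becomes part of the SQL text, so there
//    is nothing to escape or strip, and the quote is stored and matched literally.
$pdo = new PDO('sqlite::memory:');  // assumption: pdo_sqlite is available
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $input]);

$select = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$select->execute([':name' => $input]);
echo $select->fetchColumn(), PHP_EOL;  // O'Reilly, stored with no backslash added

// Binding the escaped form would search for the wrong value: the backslash is data here.
$select->execute([':name' => $escaped]);
var_dump($select->fetchColumn());      // bool(false): no row named O\'Reilly
```

The last query is the practical reason not to mix the two approaches: with bound parameters, anything you pre-escaped is looked up (or stored) backslash and all.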
The stripslashes function is used to un-quote a quoted string.
Example:
<?php
echo stripslashes("how\'s going on?");
?>
The output of the code above will be:
how's going on?
For more details:
http://php.net/manual/en/function.stripslashes.php
check out
http://php.net/manual/en/language.types.string.php
http://php.net/manual/en/function.stripslashes.php
http://php.net/manual/en/mysqli.real-escape-string.php
The escape functions add slashes '\' to escape characters that can be used to terminate valid query STRINGS (not the query itself) to prevent injection. The stripslashes function is used to remove these slashes; however, there's no practical use for it in building query strings, as it removes the needed slashes.
Results from MySQL are not 'slashed' (escaped), so stripslashes isn't needed when dealing with results.