This is a discussion on Must I still use addslashes with PEAR DB? within the PHP Language forums, part of the PHP Programming Forums category.
Hi!
I now use the DB classes from PEAR with mysql. Do I still have to use addslashes?
I ask, because I get some very strange results, I get slashes in front of every " and they get saved in my database :-(

Now my hoster has turned magic_quotes_gpc on anyway. As a workaround: On a PHP-environment where magic_quotes_gpc is turned on, can I do stripslashes on every request-data without danger?

Or what is the recommended way to safely insert request-data into mysql with PEAR?

Thanks for your answer
On 29 Apr 2004 07:38:49 -0700, javawocky@hotmail.com (Joe Randstein) wrote:
>I now use the DB classes from PEAR with mysql. Do I still have to use
>addslashes?
>I ask, because I get some very strange results, I get slashes in front
>of every " and they get saved in my database :-(
>
>Now my hoster has turned magic_quotes_gpc on anyway. As a workaround:
>On a PHP-environment where magic_quotes_gpc is turned on, can I do
>stripslashes on every request-data without danger?
>
>Or what is the recommended way to safely insert request-data into
>mysql with PEAR?

Using PEAR's placeholder emulation, without adding slashes.

Prepare a statement using ? for the placeholders and bind the data you want saved without any modification. Do not embed values in the SQL statement.

  INSERT INTO t (c) values (?)       -- correct
  INSERT INTO t (c) values ('?')     -- wrong, most of the time
  INSERT INTO t (c) values ('$val')  -- very wrong

http://pear.php.net/manual/en/packag...ro-execute.php

--
Andy Hassall <andy@andyh.co.uk> / Space: disk usage analysis tool
http://www.andyh.co.uk / http://www.andyhsoftware.co.uk/space
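The approach from the reply above, combined with the conditional stripslashes the question asks about, as an added example that is not code from the thread or from the PEAR manual. It assumes a PHP 4/5 host where magic_quotes_gpc still exists, PEAR DB installed, the table t with column c from the reply, a form field named c, and a placeholder DSN; raw_request_value() is a hypothetical helper name.

```php
<?php
// Added example. Assumptions: PHP 4/5 (get_magic_quotes_gpc() was removed in
// PHP 8), PEAR DB on the include path, table t(c) as in the reply above.
require_once 'DB.php';

// Undo magic_quotes_gpc once, and only when the setting is really on, so the
// same code stores identical data on hosts where it is off.
// raw_request_value() is a hypothetical helper, not part of PEAR DB.
function raw_request_value($value)
{
    if (!get_magic_quotes_gpc()) {
        return $value;                       // nothing was added, strip nothing
    }
    return is_array($value)
        ? array_map('raw_request_value', $value)  // e.g. name="c[]" fields
        : stripslashes($value);
}

// Placeholder DSN: substitute the real credentials.
$db = DB::connect('mysql://user:password@localhost/dbname');
if (DB::isError($db)) {
    error_log($db->getMessage());
    exit('Database unavailable');
}

// 'c' is an assumed form field name.
$val = raw_request_value(isset($_POST['c']) ? $_POST['c'] : '');

// No addslashes() and no quotes around the ?: the value is passed separately
// and PEAR DB quotes it for the MySQL driver when the statement is executed.
$sth = $db->prepare('INSERT INTO t (c) VALUES (?)');
$res = $db->execute($sth, array($val));
if (DB::isError($res)) {
    error_log($res->getMessage());
    exit('Insert failed');
}
$db->freePrepared($sth);
```

Calling addslashes() on top of this would store the backslashes literally, which is the symptom described in the question.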