stripslashes() and MySQL


#11, 02-28-2008, Satya
Re: stripslashes() and MySQL

On Feb 27, 8:51 pm, "Rik Wasmus" <luiheidsgoe...@hotmail.com> wrote:
> On Wed, 27 Feb 2008 15:35:29 +0100, Michael Fesser <neti...@gmx.de> wrote:
> > .oO(Harris Kosmidhs)
> >> Rik Wasmus wrote:
> >>> Prepared statements will make your life definitely easy:
> >>>
> >>> $db = new PDO();//use some real connection variables.
> >>> $stmt = $db->prepare('SELECT foo FROM bar WHERE foz = ?');
> >>> $stmt->bindValue(1,"some'string\\with''\'characters that could be
> >>> escaped", PDO::PARAM_STR);
> >>> $stmt->execute();
> >>> var_dump($stmt->fetchAll());
> >>>
> >>> Prepared Statement > mysql_real_escape_string > mysql_escape_string >
> >>> addslashes
> >>
> >> Sorry, don't quite follow...
> >>
> >> bindValue does something like mysql_real_escape_string?
> >> Does it understand what foz is? integer, varchar, etc?
> >
> > Yes, if you tell it so. The third parameter of bindValue() or
> > bindParam() can be used to define the type, which is PDO::PARAM_STR in
> > the example above. The DB will then take the appropriate actions to
> > handle the data properly. If you say "this is a string", then the DB
> > will take it as exactly that and will make sure that all special chars
> > will automatically be escaped if necessary.
>
> Indeed, and to clarify: bindValue() does nothing to the string, nor does
> PHP actually... It's the database that does it. See
> <http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements....>
> for a quick introduction.
> --
> Rik Wasmus


I got this code from somewhere. It looks complete to me, so I noted it.

Here I typed it from my notebook, so there can be syntax errors or
missing braces :)
But it is the best solution for you.
<?php
// Undo magic_quotes_gpc: PHP has already run addslashes() on every
// incoming GET/POST/COOKIE value. Strip those slashes off again so the
// data is the raw user input, and escape it later at the point of use
// (prepared statements or mysql_real_escape_string()).
if (get_magic_quotes_gpc()) {
    $_GET     = remove_magic_quotes($_GET);
    $_POST    = remove_magic_quotes($_POST);
    $_COOKIE  = remove_magic_quotes($_COOKIE);  // the "C" in gpc
    $_REQUEST = remove_magic_quotes($_REQUEST);
}

// Also stop PHP from adding slashes to data read at runtime
// (files, database results).
set_magic_quotes_runtime(0);

// Recursively run stripslashes() over every value of a (possibly
// nested) array, e.g. form fields submitted as name[].
function remove_magic_quotes($arr) {
    foreach ($arr as $k => $v) {
        if (is_array($v)) {
            $arr[$k] = remove_magic_quotes($v);
        } else {
            $arr[$k] = stripslashes($v);
        }
    }
    return $arr;
}
?>
#12, 02-28-2008, Rik Wasmus
Re: stripslashes() and MySQL

On Thu, 28 Feb 2008 12:01:11 +0100, Satya <satya61229@gmail.com> wrote:
> On Feb 27, 8:51 pm, "Rik Wasmus" <luiheidsgoe...@hotmail.com> wrote:
>> On Wed, 27 Feb 2008 15:35:29 +0100, Michael Fesser <neti...@gmx.de>
>> wrote:
>> > .oO(Harris Kosmidhs)
>> >> Rik Wasmus wrote:
>> >>> Prepared statements will make your life definitely easy:
>> >>>
>> >>> $db = new PDO();//use some real connection variables.
>> >>> $stmt = $db->prepare('SELECT foo FROM bar WHERE foz = ?');
>> >>> $stmt->bindValue(1,"some'string\\with''\'characters that could be
>> >>> escaped", PDO::PARAM_STR);
>> >>> $stmt->execute();
>> >>> var_dump($stmt->fetchAll());
>> >>>
>> >>> Prepared Statement > mysql_real_escape_string > mysql_escape_string >
>> >>> addslashes
>> >>
>> >> Sorry, don't quite follow...
>> >>
>> >> bindValue does something like mysql_real_escape_string?
>> >> Does it understand what foz is? integer, varchar, etc?
>> >
>> > Yes, if you tell it so. The third parameter of bindValue() or
>> > bindParam() can be used to define the type, which is PDO::PARAM_STR in
>> > the example above. The DB will then take the appropriate actions to
>> > handle the data properly. If you say "this is a string", then the DB
>> > will take it as exactly that and will make sure that all special chars
>> > will automatically be escaped if necessary.
>>
>> Indeed, and to clarify: bindValue() does nothing to the string, nor does
>> PHP actually... It's the database that does it. See
>> <http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.....>
>> for a quick introduction.
>
> I got this code from somewhere. It looks complete to me, so I noted
> it.
>
> Here I typed it from my notebook. So there can be syntax errors or
> missing braces :)
> But it is the best solution for you.
>
> <?php
>
> if (get_magic_quotes_gpc()) {
>
> $_REQUEST = remove_magic_quotes($_REQUEST);
> $_GET = remove_magic_quotes($_GET);
> $_POST = remove_magic_quotes($_POST);
>
> }
>
> set_magic_quotes_runtime(0);
>
> function remove_magic_quotes($arr) {

<snip working function definition>
> ?>


"the best solution for you":
1) For whom?
2) "Best" way to avoid magic quotes, in order of most desired:
a) No magic_quotes on the server
b) Magic quotes disabled in vhost conf
c) Magic quotes disabled in .htaccess
d) Changing hosts so that one of a, b or c can be satisfied
e) If none of a - d can be done, only then would this be a valid idea,
and I wouldn't call it a solution, but a workaround.
--
Rik Wasmus
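An added, runnable example (not code from either poster) that joins the two halves of the thread: Satya's remove_magic_quotes() undoing what magic_quotes_gpc did to the input, and the quoted PDO prepared statement carrying that raw value to the database with no escaping done in PHP. To run offline it assumes the pdo_sqlite extension and an in-memory SQLite database; against MySQL only the DSN and credentials in the PDO constructor change.

```php
<?php
// Added example, not from the thread. Assumes pdo_sqlite so it runs
// in memory; for MySQL swap the DSN in the PDO constructor below.

// Recursively undo magic_quotes_gpc (same logic as Satya's post).
function remove_magic_quotes($arr) {
    foreach ($arr as $k => $v) {
        $arr[$k] = is_array($v) ? remove_magic_quotes($v) : stripslashes($v);
    }
    return $arr;
}

// Constructed input: the raw value the client sent is  O'Reilly \ "x"
// and addslashes() here simulates what magic_quotes_gpc did to $_GET.
$get = array('name' => addslashes("O'Reilly \\ \"x\""), 'id' => '7');
$get = remove_magic_quotes($get);   // back to the bytes the user typed

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bar (id INTEGER PRIMARY KEY, foz TEXT, foo TEXT)');

// Placeholders keep the value and the SQL text apart: PHP does no
// escaping, the driver/DB handles the quotes and backslashes, and the
// declared type (PARAM_INT / PARAM_STR) tells it how to treat each one.
$ins = $db->prepare('INSERT INTO bar (id, foz, foo) VALUES (?, ?, ?)');
$ins->bindValue(1, (int) $get['id'], PDO::PARAM_INT);
$ins->bindValue(2, $get['name'],     PDO::PARAM_STR);
$ins->bindValue(3, 'hello',          PDO::PARAM_STR);
$ins->execute();

// The lookup from the thread: the raw string round-trips unchanged, so
// exactly one row with foo = 'hello' comes back.
$sel = $db->prepare('SELECT foo FROM bar WHERE foz = ?');
$sel->bindValue(1, $get['name'], PDO::PARAM_STR);
$sel->execute();
$rows = $sel->fetchAll(PDO::FETCH_ASSOC);
var_dump(count($rows) === 1 && $rows[0]['foo'] === 'hello');

// Same lookup with the magic-quotes slashes left in, i.e. what happens
// if stripslashes() is skipped and the value is bound anyway: the
// stored and searched strings differ by the backslashes, so 0 rows.
$sel->bindValue(1, addslashes($get['name']), PDO::PARAM_STR);
$sel->execute();
var_dump(count($sel->fetchAll()) === 0);
```

The second lookup is the practical reason for the stripslashes() pass in Satya's code: with magic quotes on and a prepared statement, leaving the slashes in does not cause injection, it causes data corruption (doubled escaping stored and then never matched).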