addslashes() and stripslashes()

I have some PHP code from a book that will only work if I have magic quotes switched on, but because the computers I am working on are provided by a university I'm having trouble finding out how to switch them on. However, the book says that if I do not have them enabled I can add 'addslashes()' to data going to the database and 'stripslashes()' to data coming back from the database, but it doesn't explain how to do this.

I assume they have to be added somewhere within this section of the code (below), but where? If I'm wrong about this, could someone please point me in the right direction? If anyone could help me I would very much appreciate it.

function get_books($catid)
{
// query database for the books in a category
if (!$catid || $catid=="")
return false;

$conn = db_connect();
// $catid is interpolated into the SQL string as-is; with magic quotes off
// nothing escapes the quote characters it may contain
$query = "select * from tools where catid='$catid'";
$result = @mysql_query($query);
if (!$result)
return false;
$num_books = @mysql_num_rows($result);
if ($num_books ==0)
return false;
// db_result_to_array() is the book's helper that turns a result set into an array
$result = db_result_to_array($result);
return $result;
}

Comments

  • Although there is no need to add or strip slashes in here, the following code should do as well as it is possible...

    [code]
    function get_books($catid)
    {
    // query database for the books in a category

    if (!$catid || $catid=="") return false;

    $conn = db_connect();

    // Here is some addslashes: escape the value before it goes into the
    // query. Applying addslashes() to the finished query string would also
    // escape the quotes the statement itself needs and break it.
    $catid = addslashes( $catid );

    $query = "select * from tools where catid='$catid'";

    $result = @mysql_query($query);

    if (!$result) return false;

    $num_books = @mysql_num_rows($result);

    if ($num_books ==0) return false;

    $result = db_result_to_array($result);

    return $result;
    }

    [/code]

    Some information on the addslashes and stripslashes functions:

    you only need slashes (meaning backslashes) if
    you have some special chars in a string that could
    be interpreted as an "end of string".

    if you have the string "here is "my" string"
    PHP would collapse, because >my< would be interpreted
    as some command following the string "here is " and be
    followed by the string " string".

    if you want to go on with that string, you have to
    use slashes.

    "here is \"my\" string" would work correctly.

    now suppose you have the string
    "insert into table values ( 'x' );"

    your MySQL tries to come up with some "'" to quote this string.

    now MySQL or some other database would try to work on a
    string looking like this:

    'insert into table values( 'x' );'

    and here you've got the same problem as in the example
    some lines above. addslashes just works on the ' and "
    and the other special chars within a string, so it can be
    ensured that the string can be processed correctly.

    So if you process the string above using the addslashes function
    MySQL would get something like this:

    'insert into table values( \'x\' );'

    with that string MySQL can work.

    stripslashes is a command to strip those slashes out of
    your string, for example to get the query above back
    in order to print it out.

    best regards,

    sebastian mohrenstecher
    executive secretary
    net::allies

    www.net-allies.de
    info@net-allies.de
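The following is an added example, not code from the original post, the book it quotes, or the comment above. It shows the three ways the thread's `get_books()` query can be built: the original unescaped interpolation, `addslashes()` applied to the value (the approach the book describes), and a `mysqli` prepared statement that needs no escaping at all. It also shows why escaping the whole query string breaks it, and when `stripslashes()` on data read back is and is not needed. The table and column names come from the thread; the hostile input is constructed, the `mysqli` connection parameters are placeholders, and `get_result()` assumes the mysqlnd driver.

```php
<?php
// Added example: builds the thread's query three ways and compares them.
// Assumptions: a MySQL table `tools` with a `catid` column (from the thread);
// the hostile value below is constructed; mysqli connection parameters are
// placeholders; get_result()/fetch_all() assume the mysqlnd driver.

// 1. The original: the value is dropped into the statement unescaped.
function build_query_unescaped($catid)
{
    return "select * from tools where catid='$catid'";
}

// 2. The book's approach: escape the VALUE, then interpolate it.
function build_query_addslashes($catid)
{
    $safe = addslashes($catid);   // escapes ' " \ and NUL
    return "select * from tools where catid='$safe'";
}

// A constructed category id an attacker might submit.
$hostile = "1' or '1'='1";

echo build_query_unescaped($hostile), "\n";
// select * from tools where catid='1' or '1'='1'
// -> the WHERE clause is always true; every row comes back.

echo build_query_addslashes($hostile), "\n";
// select * from tools where catid='1\' or \'1\'=\'1'
// -> MySQL sees one string literal; no rows match.

// What escaping the finished statement does instead:
echo addslashes(build_query_unescaped("42")), "\n";
// select * from tools where catid=\'42\'
// -> the quotes the statement needs are escaped too; MySQL rejects it.

// Reading back: addslashes() only protects the PHP -> SQL boundary.
// MySQL stores the unescaped value, so stripslashes() on rows coming
// OUT of the database is only needed when the data was escaped twice
// (magic quotes on AND addslashes()). With magic quotes off and a single
// addslashes() on the way in, stripslashes() on output would strip real
// backslashes the user typed.
var_dump(stripslashes(addslashes('C:\\path\\file')) === 'C:\\path\\file'); // bool(true)

// 3. What a current PHP application should do: a prepared statement.
// The value is sent separately from the statement, so no escaping is
// required and addslashes() (which is not charset-aware) is not involved.
function get_books_prepared(mysqli $conn, $catid)
{
    if ($catid === null || $catid === '') {
        return false;
    }
    $stmt = $conn->prepare("select * from tools where catid = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param("s", $catid);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // needs mysqlnd
    $stmt->close();
    return $rows ?: false;   // mirror the original: false when no rows
}

// Usage (placeholder credentials; not run here):
// $conn = new mysqli('localhost', 'user', 'password', 'books');
// $books = get_books_prepared($conn, $_GET['catid'] ?? '');
```

If you must stay on the old `mysql_*` functions from the book, `mysql_real_escape_string($catid)` is the escaping call to use on the value in place of `addslashes()`, since it knows the connection's character set; the prepared-statement version above is the one to write for anything new.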
