[nycphp-talk] SQL injection and stripslashes
Kenneth Downs
ken at secdat.com
Thu Aug 3 07:51:24 EDT 2006
Charles Collicutt wrote:
>Say I want to store a user's name in my database and their name contains
>an apostrophe. When I escape that string, a backslash will be inserted
>before the apostrophe. Later, I need to pull that name out of the
>database for display (or use elsewhere in the script or something). How
>do I get rid of the backslash without using stripslashes or something
>similar?
The backslash is not stored in the database. It tells the database that
the apostrophe (technically: single-quote) is not an endquote, and that
the single-quote is part of the column's value. The database discards
the backslash and stores the single-quote as part of the value. When
you retrieve it, you get the value without the backslash.
But when you send it back to the database, you must escape the string
again. All writes to the db must do that.
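The round trip Ken describes, as an added example that is not part of the original post: Python against an in-memory SQLite database instead of PHP against MySQL, so SQLite's quote-doubling (`''`) stands in for the backslash that mysql_real_escape_string() would produce. The table name and the sample inputs are constructed for the demonstration. It shows that the escape character never reaches the stored value, that sending the retrieved value back unescaped breaks the statement (the same mechanism SQL injection exploits), and that a bound parameter avoids application-side escaping altogether.

```python
import sqlite3

# Constructed sample input: a name containing an apostrophe.
NAME = "O'Brien"


def escape_sqlite(value: str) -> str:
    """Escape a string for use inside a single-quoted SQLite literal.

    SQLite doubles the quote ('') where MySQL uses a backslash (\\').
    Either way the escape is SQL syntax: it tells the parser where the
    literal ends and is never part of the stored value.
    """
    return value.replace("'", "''")


def fresh_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database with one constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    return conn


def store_escaped(name: str) -> tuple[str, str]:
    """Insert via string building plus escaping.

    Returns (literal sent to the database, value read back). The read-back
    value has no escape characters in it: the database discarded them.
    """
    conn = fresh_db()
    literal = escape_sqlite(name)
    conn.execute(f"INSERT INTO users (name) VALUES ('{literal}')")
    (stored,) = conn.execute("SELECT name FROM users").fetchone()
    return literal, stored


def rewrite_without_escaping(stored: str) -> bool:
    """Send a value retrieved from the database back without escaping it.

    Returns True if the database rejected the statement: the unescaped
    quote in the retrieved value terminates the literal early, which is
    exactly the condition an attacker exploits with SQL injection.
    """
    conn = fresh_db()
    try:
        conn.execute(f"INSERT INTO users (name) VALUES ('{stored}')")
    except sqlite3.OperationalError:
        return True
    return False


def store_parameterized(name: str) -> str:
    """Insert with a bound parameter; no escaping in application code at all.

    The driver hands the value to the database separately from the SQL
    text, so quotes in the value can never alter the statement.
    """
    conn = fresh_db()
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    (stored,) = conn.execute("SELECT name FROM users").fetchone()
    return stored


if __name__ == "__main__":
    literal, stored = store_escaped(NAME)
    print(f"literal sent: '{literal}'  -> value stored: {stored!r}")
    print("re-sending the stored value unescaped was rejected:",
          rewrite_without_escaping(stored))
    print("parameterized round trip:", store_parameterized(NAME))
    # A classic injection payload stays inert data when bound as a parameter.
    print(store_parameterized("x'); DROP TABLE users; --"))
```

The same holds for PHP: the value that comes back from the query needs no stripslashes(), and every write, including one that re-saves a value just read, must either escape again or, better, use a prepared statement with bound parameters.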