cyanide_pierce — 2011-11-08T04:48:40-05:00 — #1
I know that there is the use of addslashes() stripslashes() and mysql_real_string_escape but where is the most appropriate to use them?
I have heard real_string_escape is better for security.
Which is best for which scenario uploaded data and downloaded data
Best for assigning variables for uploading to a database:
$var1 = mysql_real_string_escape($_POST['name1'];
$var1 = addslashes($_POST['name1'];
$var1 = stripslashes($_POST['name1'];
Best for assigning variables after downloading from database
$var1 = mysql_real_string_escape($row['name1'];
$var1 = addslashes($row['name1'];
$var1 = stripslashes($row['name1'];
sitesmaker — 2011-11-10T09:27:32-05:00 — #2
First, mysql_real_string_escape() is only for MySQL and is only available when there is a connection to a database! mysql_real_string_escape() and addslashes() do the same as much as I know, but as the first is developed with MySQL it self it is more likely to be better treating MySQL queries. In older releases of PHP, addslashes() had some bugs that I don't think exist now.
But stripslashes() is the opposite! It strips the back slashes instead of adding them.
So use addslashes() when doing anything not related to a certain DB management system, and use the appropriate function when treating a certain DBMS (as mysql_real_string_escape() for MySQL or pg_escape_string() for PostgreSQL).