Addslashes() doesn't work on $_POST


As the user may type strings that contain verboten characters like
apostrophes, I need to go through the $_POST[] array and use
addslashes() on each and every item.

But it doesn't make any difference:

    switch ($_POST['status']) {
        case "Test":
            print $_POST['dummy'] . "<p>\n";

            // Meant to escape every posted value in place
            foreach ($_POST as $key => $value)
                $$key = addslashes($value);

            print $_POST['dummy'] . "<p>\n";

            // Format string reconstructed from the output shown below
            $sql = sprintf("INSERT INTO mytable VALUES ('%s')", $_POST['dummy']);
            print "$sql<p>";
            break;
    }

    echo "<form method=post>";
    echo "<input type=hidden name=dummy value=\"Bill's cigar\">";
    echo "<input type=submit name=status value=Test>";
    echo "</form>";

Output:

    Bill's cigar
    Bill's cigar
    INSERT INTO mytable VALUES ('Bill's cigar')

What am I doing wrong?

Thank you.

Re: Addslashes() doesn't work on $_POST


Firstly, using a variable variable ($$) won't update the superglobal
$_POST; it just creates a new variable - in this case $dummy.

You can update the superglobal itself, i.e., $_POST['dummy'] =
addslashes($_POST['dummy']).  Your loop would then be:

foreach($_POST as $key => $value)
    $_POST[$key] = addslashes($value);

Secondly, using addslashes to quote data going into an SQL query isn't
a very good idea.  If you're running PHP 5.1 (or higher) I would
strongly suggest using PDO and the prepare/bind syntax.  Otherwise, if
using the mysql*_* set of functions, use mysql_real_escape_string
(similar functions exist for the other databases supported by PHP).

Finally, you are outputting data straight to the browser with your
print commands; I'm sure this is just for debugging purposes, however
you really should take XSS attacks into account and filter the input
accordingly.  For instance, addslashes cannot save you from something
like this:

<script type=text/javascript src= /

Hope that helps.

Re: Addslashes() doesn't work on $_POST


More precisely, it's supposing that the $_POST variables are also defined in
the global scope.

That behaviour was the default in old versions of PHP (Register_globals =
On). Now it's off by default for security reasons.

My guess is that you copy-pasted some old code from somewhere without
understanding it first ;-)

Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-

By trying we can easily learn to endure adversity.  Another man's, I mean.
                -- Mark Twain
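The scope point made in the first reply, and the register_globals point made in this one, can be seen side by side in the following script. It is an added example, not code from anyone in the thread; $_POST is filled by hand with a constructed value so that it runs from the command line, and extract() is used only to imitate what register_globals=On used to do.

```php
<?php
// Added example (not from the thread): why "$$key = addslashes($value)"
// leaves $_POST untouched, and what the in-place loop does instead.
// $_POST is filled by hand here (constructed input) so the script runs from the CLI.
$_POST = array('dummy' => "Bill's cigar", 'status' => 'Test');

// Version 1: variable variables. Each iteration creates or overwrites a
// plain variable named after the key ($dummy, $status); $_POST is never written.
function escape_with_variable_variables()
{
    foreach ($_POST as $key => $value) {
        $$key = addslashes($value);
    }
    // $dummy exists only in this function's scope and is discarded on return
    return array('local_dummy' => $dummy, 'post_dummy' => $_POST['dummy']);
}

// Version 2: write back into the superglobal, as the first reply suggests.
function escape_in_place()
{
    foreach ($_POST as $key => $value) {
        $_POST[$key] = addslashes($value);
    }
    return $_POST['dummy'];
}

$r = escape_with_variable_variables();
printf("variable variable: \$dummy = %s, \$_POST['dummy'] = %s\n",
       $r['local_dummy'], $r['post_dummy']);

// With register_globals=On every posted key already existed as a global
// holding the raw value, so the loop rewrote the very variables old scripts
// read their input from ($dummy), never $_POST. extract() recreates that
// situation here purely for the demonstration (it is not recommended).
extract($_POST);                    // $dummy now holds the raw "Bill's cigar"
foreach ($_POST as $key => $value) {
    $$key = addslashes($value);     // overwrites the global $dummy
}
printf("register_globals-style: \$dummy = %s, \$_POST['dummy'] = %s\n",
       $dummy, $_POST['dummy']);

printf("in place: \$_POST['dummy'] = %s\n", escape_in_place());
```

The first two printf lines show an escaped $dummy next to an unchanged $_POST['dummy']; only the third, which assigns to $_POST[$key], changes what the original post's sprintf() would have read.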

Re: Addslashes() doesn't work on $_POST


When using PDO, you mean the prepared insert statement should be used? Can
you please give a small example?


Re: Addslashes() doesn't work on $_POST

On Feb 19, 8:31 am, Harris Kosmidhs


Take this example (connection string etc. left out, but assume PDO
connection is $db)

$stmt = $db->prepare("INSERT INTO some_table (name, age) VALUES
(:name, :age)");
$stmt->bindParam(":name", $name);
$stmt->bindParam(":age", $age, PDO::PARAM_INT);
$stmt->execute();

In this case, $name and $age would be pre-sanitised against such
things as XSS (quoting only helps us against SQL injection). If you
are just assigning values you must use ->bindValue as the value in
bindParam is passed by reference.

e.g. $stmt->bindValue(":age", 21, PDO::PARAM_INT);

You can also pass the variables as an array to the ->execute, but you
lose the ability to specify data type as I did with the age parameter.
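The three binding styles this reply describes behave differently in ways that are easy to miss, so here they are run against an in-memory SQLite table. This is an added example, not the reply's own code; it assumes the pdo_sqlite extension is available, and the table, names and ages are constructed for the demonstration.

```php
<?php
// Added example (not the reply's code): bindParam vs bindValue vs execute(array),
// observed on an in-memory SQLite table. Assumes the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE some_table (name TEXT, age INTEGER)');
$sql = 'INSERT INTO some_table (name, age) VALUES (:name, :age)';

// 1. bindParam binds by reference: the variable is read at execute() time,
//    so a change made after binding is what gets inserted.
$stmt = $db->prepare($sql);
$name = 'Alice';
$age  = 30;
$stmt->bindParam(':name', $name);
$stmt->bindParam(':age',  $age, PDO::PARAM_INT);
$age = 31;                  // takes effect because of the reference
$stmt->execute();           // row: Alice, 31

// 2. bindValue copies the value at bind time; later changes are ignored.
//    The apostrophe needs no escaping: it never becomes part of the SQL text.
$stmt2 = $db->prepare($sql);
$value = 21;
$stmt2->bindValue(':name', "Bill's cigar");
$stmt2->bindValue(':age',  $value, PDO::PARAM_INT);
$value = 99;                // ignored: 21 was already captured
$stmt2->execute();          // row: Bill's cigar, 21

// 3. Array passed to execute(): shortest form, but every value is bound as a
//    string (PDO::PARAM_STR). SQLite's INTEGER affinity still stores '40' as
//    an integer; stricter drivers may not be so forgiving.
$stmt3 = $db->prepare($sql);
$stmt3->execute(array(':name' => "O'Brien", ':age' => '40'));

// typeof() is SQLite-specific and shows how each age was actually stored.
foreach ($db->query('SELECT name, age, typeof(age) AS t FROM some_table') as $row) {
    printf("%-15s %3d %s\n", $row['name'], $row['age'], $row['t']);
}
```

Re-running the first statement after changing $name and $age again would insert the new values without a second bindParam() call, which is the convenience the reference semantics are meant to provide; bindValue() is the safer choice when the value is known at bind time.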

Re: Addslashes() doesn't work on $_POST

On Mon, 18 Feb 2008 16:42:35 -0800 (PST), wrote:

Thanks guys. For those interested, here's some working code, using
either bindParam() or an array:

    switch ($_POST['status']) {
        case "Test":
            $dbh = new PDO("sqlite:test.sqlite");

            // Alternative using bindParam():
            //$sql = "INSERT INTO mytable VALUES (:dummy)";
            //$stmt = $dbh->prepare($sql);
            //$stmt->bindParam(":dummy", $_POST['dummy']);
            //$stmt->execute();
            try {
                $insert = $dbh->prepare("INSERT INTO mytable (dummy) VALUES (:dummy)");
                $insert->execute(array(':dummy' => $_POST['dummy']));
            } catch (Exception $e) {
                echo "Failed : " . $e->getMessage();
            }

            $dbh = null;
            break;
    }

    echo "<form method=post>";
    echo "<input type=text name=dummy>";
    echo "<input type=submit name=status value=Test>";
    echo "</form>";

Re: Addslashes() doesn't work on $_POST

.oO(Gilles Ganault)


No, you don't need to apply addslashes() to each and every item. Instead
you should consider $_GET and $_POST read-only and use the appropriate
escaping functions when and where they're really needed, for example
mysql_real_escape_string() when inserting the data into a MySQL DB (in
this case prepared statements would be the better way, though).

IMHO the only acceptable write-access to these arrays is stripslashes()
to remove magic quotes if they're enabled and can't be turned off. But
besides that they shouldn't be touched and just be seen as the raw data
input. The escaping takes place when the data is used.
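The "escape where the data is used" rule from this reply, applied to the original post's value, looks like this. It is an added example rather than the reply's code: $_POST is filled by hand with a constructed string, the table is an in-memory SQLite database (pdo_sqlite assumed), and the magic-quotes check is guarded so the script also runs on PHP versions that no longer have get_magic_quotes_gpc().

```php
<?php
// Added example (not from the thread): keep $_POST as raw input and encode
// it separately for each sink. $_POST is constructed so this runs from the CLI.
$_POST = array('dummy' => "Bill's cigar <b>&</b>");

// The one write the reply allows: undo magic quotes if the server still adds
// them. get_magic_quotes_gpc() is gone in PHP 8, hence the function_exists guard.
function strip_magic_quotes(array $data)
{
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return $data;
    }
    foreach ($data as $k => $v) {
        $data[$k] = is_array($v) ? strip_magic_quotes($v) : stripslashes($v);
    }
    return $data;
}
$_POST = strip_magic_quotes($_POST);

// Sink 1: SQL. The string is not escaped at all; the prepared statement keeps
// data and query text apart, so the apostrophe is stored as-is.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mytable (dummy TEXT)');
$stmt = $db->prepare('INSERT INTO mytable (dummy) VALUES (:dummy)');
$stmt->execute(array(':dummy' => $_POST['dummy']));

// Sink 2: HTML. addslashes() leaves "<b>" untouched; htmlspecialchars() with
// ENT_QUOTES encodes <, >, & and both quote characters for this context.
function html($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$stored = $db->query('SELECT dummy FROM mytable')->fetchColumn();

echo "stored in DB : ", $stored, "\n";             // raw value, apostrophe intact
echo "HTML body    : ", html($stored), "\n";       // safe to print inside a page
echo "addslashes() : ", addslashes($stored), "\n"; // only the apostrophe changes; tags survive

// Sink 3: the hidden field from the original post, encoded for an attribute value.
echo '<input type="hidden" name="dummy" value="', html($stored), '">', "\n";
```

Comparing the second and third lines of output shows why the first reply said addslashes() cannot help against markup in the input: the backslash it adds is meaningful to SQL string literals, not to an HTML parser.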
