stripslashes() and MySQL

What is the proper way to use of the following functions:
mysql_real_escape_string() and stripslashes()?

Typically, I will use mysql_real_escape_string() when inserting a value
into the database, and I use stripslashes() when I pull in out. This
usually works, however, I run into trouble when I run an INSERT and
SELECT in the same PHP file.

For example, if I submit a form value of "Tester's Choice", it prints
back "Tester\\'s Choice".

Any help would be appreciated.

Note that the file "edit_option.php" is calling itself with the form
action tag. Here is my code:


<?php
session_start(); // needed before $_SESSION is read
if (@$_SESSION['admin'] != 1) {
    header("location: login.php");
    exit; // without this the rest of the page still runs after the redirect header
}

$message = '';
include '../includes/config.php';
include '../includes/connect.php';

if (isset($_POST['submit'])) {

    $option_name = mysql_real_escape_string($_POST['option_name']);

    if ($_POST['current_id']) {
        $id = mysql_real_escape_string($_POST['current_id']);
        $sql = "UPDATE `certificate_option` SET option_name=\"$option_name\"
WHERE option_id=\"$id\"";
        mysql_query($sql) or die(mysql_error());
        $message .= 'Option has been updated.';

    } else {
        $sql = "INSERT INTO `certificate_option` (option_name) VALUES (\"$option_name\")";
        mysql_query($sql) or die(mysql_error());
        $message .= 'Option has been saved.';
    }

} else {
    if (isset($_GET['id'])) {
        $id = $_GET['id'];
    }
}

$q = mysql_query("SELECT * FROM certificate_option WHERE option_id=\"$id\"");
$count = 0;
while ($row = mysql_fetch_array($q)) {
    $option_id = $row['option_id'];
    $option_name = stripslashes($row['option_name']);
}
?>
<html>
<head>
<title>Admin Panel</title>
</head>
<body>
<?php include '../includes/admin_header.html'; ?>

<h1>Certificate Option Edit</h1>
<p><font color="#339933"><b><?=$message?></b></font></p>

    <form action="edit_option.php" method="post">
    <input type="hidden" name="current_id" value="<?=$id?>">

    <input type="text" maxlength="96" size="25" name="option_name" value="<?=$option_name?>">

    <input type="submit" name="submit" value="Update Record">
    </form>

    <a href="certificate_option_list.php">Certificate Option List</a>
</body>
</html>

Re: stripslashes() and MySQL

vol30w60 wrote:

You should not need to use stripslashes() when using
mysql_real_escape_string().  If you do, it means either you have used
addslashes() or have magic_quotes_gpc on.

If you used addslashes(), don't.  It's not required.  If you have
magic_quotes_gpc on, turn it off.  Or, if you can't turn it off, call
stripslashes() on your data before you put it in the database.

If this is your entire code, it looks like the latter is your problem.

Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
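The double escaping Jerry describes, traced step by step in an added example (not code from the thread; sql_escape() is a stand-in for mysql_real_escape_string(), which needs a live connection). With magic quotes on, the row ends up holding a stray backslash that stripslashes() on output hides; with magic quotes off, the row is correct but stripslashes() on output eats legitimate backslashes such as those in a Windows path.

```php
<?php
// Added illustration, not code from the thread: why stripslashes() only
// *seemed* necessary. With magic_quotes_gpc on, PHP has already run
// addslashes() on every request value; mysql_real_escape_string() then
// escapes the backslash that was added, so a literal backslash reaches the
// table, and stripslashes() on the way out merely hides that corruption.

// Stand-in for mysql_real_escape_string(), which needs a live connection.
// Assumption: escaping \ ' and " is enough for these inputs (the real
// function also handles NUL, newline, carriage return and Ctrl-Z).
function sql_escape($s) {
    return addcslashes($s, "\\'\"");
}

// MySQL decodes the escapes inside a quoted literal before storing it
// (\' -> ' and \\ -> \), which for these characters is what stripslashes() does.
function mysql_stored_value($escaped) {
    return stripslashes($escaped);
}

// Follow one form value through the pipeline the original post uses.
function round_trip($formValue, $magicQuotesOn) {
    $posted  = $magicQuotesOn ? addslashes($formValue) : $formValue; // as seen in $_POST
    $escaped = sql_escape($posted);           // what goes inside the INSERT statement
    $stored  = mysql_stored_value($escaped);  // what the row really holds
    $shown   = stripslashes($stored);         // SELECT + stripslashes(), as in the post
    return array('posted' => $posted, 'escaped' => $escaped,
                 'stored' => $stored, 'shown' => $shown);
}

foreach (array("Tester's Choice", 'C:\\temp\\new') as $input) {
    foreach (array(true, false) as $magic) {
        $r = round_trip($input, $magic);
        printf("magic_quotes_gpc=%-3s  input=%-16s  stored=%-18s  shown=%s\n",
               $magic ? 'on' : 'off', $input, $r['stored'], $r['shown']);
    }
}
```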

Re: stripslashes() and MySQL

Jerry Stuckle wrote:

Thanks! Turning off magic_quotes_gpc did the trick.

Re: stripslashes() and MySQL

Not trying to re-scope your question, but PDO can also offer a lot of
great options in this area.  I've found that using PDO has reduced the
amount of crazy data policework I have to do.

Just a suggestion!  I realize it's a slight shift in the paradigms
used, but I've so far enjoyed the options it opens up.

Take care.


Re: stripslashes() and MySQL

Omega wrote:

any example please? I now started using PDO....

Re: stripslashes() and MySQL

On Wed, 27 Feb 2008 11:36:43 +0100, Harris Kosmidhs wrote:


Prepared statements will make your life definitely easy:

$db = new PDO('mysql:host=localhost;dbname=test', 'user', 'pass'); // placeholder: use some real connection variables.
$stmt = $db->prepare('SELECT foo FROM bar WHERE foz = ?');
$stmt->bindValue(1, "some'string\with''\'characters that could be escaped", PDO::PARAM_STR);
$stmt->execute(); // the value is sent separately from the SQL text

Prepared Statement > mysql_real_escape_string > mysql_escape_string >

--

Rik Wasmus

Re: stripslashes() and MySQL

Rik Wasmus wrote:

Sorry don't quite follow...

bindValue does something like mysql_real_escape_string?
Does it understand what foz is? integer, varchar, etc?

Re: stripslashes() and MySQL

.oO(Harris Kosmidhs)


Yes, if you tell it so. The third parameter of bindValue() or
bindParam() can be used to define the type, which is PDO::PARAM_STR in
the example above. The DB will then take the appropriate actions to
handle the data properly. If you say "this is a string", then the DB
will take it as exactly that and will make sure that all special chars
will automatically be escaped if necessary.


Re: stripslashes() and MySQL


Indeed, and to clarify: bindValue() does nothing to the string, nor does
PHP actually... It's the database that does it. See  for a quick introduction.
--

Rik Wasmus
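Rik's prepared-statement snippet and Michael's explanation above, applied to the original edit_option.php as an added example (not code from the thread). It assumes magic_quotes_gpc is off as recommended earlier, the certificate_option table from the original post, and placeholder credentials DB_NAME, DB_USER and DB_PASS.

```php
<?php
// Added example, not code from the thread: edit_option.php with PDO prepared
// statements. Nothing is escaped or stripslashes()'d on the way in or out of
// MySQL: values travel separately from the SQL text, the id is cast to int,
// and escaping happens once, for the HTML output context.
// Assumptions: magic_quotes_gpc off; DB_NAME/DB_USER/DB_PASS are placeholders.
$db = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8', 'DB_USER', 'DB_PASS', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // the MySQL server itself binds the values
));
function h($s) { // escape for the output context (HTML), a separate job from SQL
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
$message = '';
$id = 0;
if (isset($_POST['submit'])) {
    $id = isset($_POST['current_id']) ? (int) $_POST['current_id'] : 0; // never a raw id
    if ($id > 0) {
        $stmt = $db->prepare('UPDATE certificate_option SET option_name = ? WHERE option_id = ?');
        $stmt->bindValue(1, $_POST['option_name'], PDO::PARAM_STR);
        $stmt->bindValue(2, $id, PDO::PARAM_INT);
        $stmt->execute();
        $message = 'Option has been updated.';
    } else {
        $stmt = $db->prepare('INSERT INTO certificate_option (option_name) VALUES (?)');
        $stmt->bindValue(1, $_POST['option_name'], PDO::PARAM_STR);
        $stmt->execute();
        $id = (int) $db->lastInsertId(); // so the SELECT below shows the new row
        $message = 'Option has been saved.';
    }
} elseif (isset($_GET['id'])) {
    $id = (int) $_GET['id']; // the unvalidated $_GET['id'] noted later in the thread
}
$option_name = '';
if ($id > 0) {
    $stmt = $db->prepare('SELECT option_name FROM certificate_option WHERE option_id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row) {
        $option_name = $row['option_name']; // exactly what was typed, e.g. Tester's Choice
    }
}
?>
<p><b><?= h($message) ?></b></p>
<form action="edit_option.php" method="post">
<input type="hidden" name="current_id" value="<?= $id ?>">
<input type="text" maxlength="96" size="25" name="option_name" value="<?= h($option_name) ?>">
<input type="submit" name="submit" value="Update Record">
</form>
```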

Re: stripslashes() and MySQL


I got this code from somewhere. It looks complete to me, so I noted

Here I typed it from my notebook. So there can be syntax errors or
missing braces :)
But it is the best solution for you.

if (get_magic_quotes_gpc()) {

    $_REQUEST = remove_magic_quotes($_REQUEST);
    $_GET     = remove_magic_quotes($_GET);
    $_POST    = remove_magic_quotes($_POST);

}

// Recursively undo the addslashes() that magic_quotes_gpc applied.
function remove_magic_quotes($arr) {

    foreach ($arr as $k => $v) {

        if (is_array($v)) {
            $arr[$k] = remove_magic_quotes($v);
        } else {
            $arr[$k] = stripslashes($v);
        }
    }
    return $arr;
}

Re: stripslashes() and MySQL

<snip working function definition>

"the best solution for you":
1) For whom?
2) "Best" way to avoid magic quotes, in order of most desired:
    a) No magic_quotes on the server
    b) Magic quotes disabled in vhost conf
    c) Magic quotes disabled in .htaccess
    d) Changing hosts so that one of a,b or c can be satisfied
    e) If none of a - d can be done, only then would this be a valid idea,
and I wouldn't call it a solution, but a workaround.
--

Rik Wasmus

Re: stripslashes() and MySQL

vol30w60 wrote:

Not a reply to your original question but you don't appear to be
validating/escaping/intval'ing $_GET['id'].
