
Re: Adding and removing slashes
Posted by: Paul Nair
Date: April 18, 2013 05:15PM

Matt Camill Wrote:
-------------------------------------------------------
> The best function to use for adding slashes to a
> record being inserted into a MySql database is
> mysqli_real_escape_string(). This much is simple
> and clear, but my big question here, is do you use
> this function only for data you intend to store as
> a string, or for all types including numeric?

If you're using MySQLi, you can use that function or you can use prepared statements, in which case escaping is no longer needed and the code is a bit cleaner and safer. In terms of what to escape, where the data has come from is more important than where it's going to. It doesn't matter if a value is being inserted into a numeric field; an SQL injection attack will be just as effective, so you should escape everything unless you know it can't possibly need escaping (e.g. a variable that was the result of an arithmetic operation), or just escape everything anyway to be safe. With escaping, you should also bear in mind that your own data from your database or other sources could need escaping when you are using it in a query, as it might contain quotes or other characters that could break your query. Note that MySQL is happy for you to put quotes around any values, including numerics.

Personally, I prefer to use prepared statements for everything, and then you don't need to worry about escaping. But I guess some people will say you shouldn't, as if you're only running the statement once, the performance is slightly lower.

>
> Second question, we’re being taught to use
> floatval() on floating point numbers before we
> insert them into the database. Should we use the
> corresponding function for integer types as well?
> Anything else I need to know in regards to storing
> numeric types in a MySql database?

It's up to you. If you're escaping the values correctly, then you don't need to, but then the opposite is true; if you use intval then you don't need to use the escape functions.

In terms of what else to know about numeric values, you should know about the various different numeric column types so you can pick the right one, and the difference between signed and unsigned, but they should be teaching you that. Also, learn what the number in brackets means in your field definition if you don't already know, because it's a common misconception that it refers to the max length.

> And lastly, my third major question, is the
> generic stripslashes() function good to remove
> slashes from data that you query, or is there a
> MySql specific one I should use instead? It
> shouldn’t make a difference I would think in
> this case, since it just removes the slashes for
> the purpose of your query. It doesn’t change the
> actual record in the database, right?

The data in your database won't have slashes in it unless you've put them there, so you shouldn't need to strip any slashes from your data when you retrieve it. But if you do have escaping slashes in the data, stripslashes will remove them. It won't change the data in your database unless you then update it with a query.

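The three options the reply describes (escape and quote every value, cast the numerics instead, or bind with a prepared statement), as an added example that is not code from the thread. It assumes a reachable MySQL server with placeholder credentials and a `products` table defined in the comment; the input values are constructed.

```php
<?php
// Added example, not from the thread. Assumes placeholder credentials and:
//   CREATE TABLE products (id INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
//                          name VARCHAR(100) NOT NULL,
//                          price DECIMAL(10,2) NOT NULL, qty INT NOT NULL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on MySQL errors
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4'); // real_escape_string depends on the connection charset

// Untrusted input, constructed here in place of $_POST values. Note the quotes.
$name  = "O'Reilly 24\" monitor";
$price = "199.99";
$qty   = "3";

// UNSAFE: raw interpolation. Any input containing a quote or an operator
// becomes part of the SQL text, in a numeric column just as in a string one.
// $db->query("INSERT INTO products (name, price, qty) VALUES ('$name', $price, $qty)");

// 1. Escape and quote every value, numerics included (MySQL accepts '199.99').
$sql = sprintf(
    "INSERT INTO products (name, price, qty) VALUES ('%s', '%s', '%s')",
    $db->real_escape_string($name),
    $db->real_escape_string($price),
    $db->real_escape_string($qty)
);
$db->query($sql);

// 2. Cast the numerics instead of escaping them; only the string still needs
//    escaping. %F is the locale-independent float format, which SQL requires.
$sql = sprintf(
    "INSERT INTO products (name, price, qty) VALUES ('%s', %F, %d)",
    $db->real_escape_string($name),
    floatval($price),
    intval($qty)
);
$db->query($sql);

// 3. Prepared statement: values are sent separately from the SQL text, so no
//    escaping at all; 's', 'd', 'i' tell MySQLi how to send each parameter.
$stmt = $db->prepare('INSERT INTO products (name, price, qty) VALUES (?, ?, ?)');
$stmt->bind_param('sdi', $name, $price, $qty);
$stmt->execute();
$newId = $db->insert_id;

// Read the row back: the stored name carries no backslashes, so there is
// nothing for stripslashes() to undo; $roundTrip compares it to the input.
$stmt = $db->prepare('SELECT name FROM products WHERE id = ?');
$stmt->bind_param('i', $newId);
$stmt->execute();
$roundTrip = ($stmt->get_result()->fetch_row()[0] === $name);
```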