Reputation: 231
In my code I am using addslashes to escape certain characters while inserting them into the database, and when I send some information out I use stripslashes to remove those slashes. The situation is that the stripslashes function removes all the slashes, so if I need to send any string which has backslashes, those also get removed. How can I retain those required slashes?
Any help will be greatly appreciated.
Upvotes: 2
Views: 1865
Reputation: 117427
In my code I am using addslashes to escape certain characters while inserting them into the database and when I send some information out I use stripslashes to remove those slashes ...
You're doing it wrong. You must escape strings when you embed them in a query. You do not unescape data when it comes back from the database. There are no slashes to remove. They only exist in the query - not in the database.
Besides that, bound parameters/prepared statements are much better, as already noted by others in this thread.
Upvotes: 2
Reputation: 1675
You can try using PDO prepared statements when inserting into the database so you don't need to worry about escaping anything.
Upvotes: 3
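The round trip described in the answers above, as an added example that is not part of any post on this page: values bound through a PDO prepared statement come back from the database byte-for-byte, and calling stripslashes on them is what destroys legitimate backslashes. The in-memory SQLite database, the `notes` table and the sample strings are assumptions made so the script runs stand-alone (it needs the pdo_sqlite extension).

```php
<?php
// Added example: in-memory SQLite stands in for the real database.
// The table name "notes" and column "body" are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample inputs containing backslashes and quotes.
$samples = [
    'C:\\Users\\bob\\notes.txt',   // Windows path with real backslashes
    "O'Reilly said \"hi\"",        // quotes that addslashes would escape
    'regex: \\d+\\.\\d+',          // backslashes that must survive
];

// The SQL text and the data travel separately: nothing is escaped by hand,
// so nothing has to be unescaped after reading.
$insert = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
$select = $pdo->prepare('SELECT body FROM notes WHERE id = :id');

foreach ($samples as $original) {
    $insert->execute([':body' => $original]);
    $id = (int) $pdo->lastInsertId();

    $select->execute([':id' => $id]);
    $stored = $select->fetchColumn();
    $select->closeCursor();

    // The stored value is the original value; no slashes were added.
    $intact = ($stored === $original);

    // What the question's approach does to data read back from the database.
    $damaged = (stripslashes($stored) !== $original);

    printf(
        "%-28s round-trip intact: %s | stripslashes corrupts it: %s\n",
        $original,
        $intact ? 'yes' : 'NO',
        $damaged ? 'yes' : 'no'
    );
}
```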
Reputation: 70404
I think it's better to use htmlspecialchars for escaping the data for database storage. You don't have to worry about restoring them after getting them from the database as they will be handled correctly by the browser.
Upvotes: -3
Reputation: 61557
You might want to try using mysql_real_escape_string. You don't have to unescape it, and it is safe for database use.
Better yet, use prepared statements.
Upvotes: 8