Reputation: 270
Insert strings with apostrophes into database by php
I want to post data into database in safe mode. For example if i want to add this title to database:
$title = " here is title 'here is title' here is title ";
notice it has apostrophes.
I use this function to make string safe:
function stringsafe($string)
{
$string = strip_tags(trim(addslashes($string)));
return $string;
}
as you see it's adding slashes before apostrophes to make it safe.
I tried to remove slashes when i show the data by stripslashes, it's working but it's has some problems. Is there anyway to post data into database?
Upvotes: 0
Views: 426
Answers (1)
Reputation: 8059
On a side note, in fact the general rules of thumb is that, you shouldn't alter user input at all. You should store whatever user input as it is, into your database, so that you can retain user input as original as possible, and only escape it when you need to display or use it.
In your case, yes you are right you have to prevent it from being injected, but you are altering the original input by adding slashes into the original input, which is not very favoured. What if my title contains a string like this <My 21st Birthday Party!> and you stripped it away?
Try using Prepared Statements instead so you can insert any data into your database, without the worries of injection. And only when you need the data to be displayed on a HTML page or console, you escape them accordingly such as htmlentities.
Upvotes: 2
Related Questions
- How can I sanitize user input with PHP?
- Reference - What does this error mean in PHP?
- Insert into a MySQL table or update if exists
- Pretty-Printing JSON with PHP
- What is the difference between single-quoted and double-quoted strings in PHP?
- Storing values with apostrophes in the database
- Addslashes, mysql_real_escape always adding two slashes?
- PHP: POST data + apostrophes
- Escaping using slashes and then using stripslashes PHP