Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I am using mysql_real_escape_string to save content in my mySQL database. The content I save is HTML through a form. I delete and re-upload the PHP file that writes in DB when I need it.
To display correctly my HTML input I use stripslashes()
In other case, when I insert it without mysql_real_escape_string, I do not use stripslashes() on the output.
What is your opinion? Does stripslashes affect performance badly ?
Do not use
stripslashes(). It is utterly useless in terms of security, and there’s no added benefit. This practice came from the dark ages of “magic quotes”, a thing of the past that has been eliminated in the next PHP version.Instead, only filter input:
mysql_real_escape_string($data)(int)$data(float)$dataisset($data) && $dataThe output is a different matter. If you are storing HTML, you need to filter HTML against javascript.
Edit: If you have to do
stripslashes()for the output to look correctly, than most probably you have magic quotes turned on. Some CMS even made the grave mistake to do their own magic quotes (eg: WordPress). Always filter as I advised above, turn off magic quotes, and you should be fine.