Home/ Questions/Q 6127613
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T16:31:51+00:00

It is said that in order to prevent from SQL injection one should filter

  • 0

It is said that in order to prevent from SQL injection one should filter the input data eg. with addslashes or mysql_real_escape_string depending on used connection modules

However, data escaped with addslashes is being saved into the database WITH the slashes, so a user surname would save as O\’Reilly instead O’Reilly. The one needs to use stripslashes to display it correctly.

So how do I use addslashes and save into the database without slashes? Is it actually the way it should be done?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You DONT use addslashes you use the appropriate DB specific escaping function like mysql_real_escape_string.

    if you are using PDO then using a prepared statement will escape the variables as part of binding process. In this case all you need to do is something like:

    $pdo = new PDO($dsn, $user, $name);
$stmt = $pdo->prepare('INSERT INTO your_table (col1, col2,col3) VALUES (?, ?, ?)');
$stmt->execute(array('value 1', 'value 2', 'value 3');

    OR for extra readability and esier reuse you can use named params:

    $pdo = new PDO($dsn, $user, $name);
$stmt = $pdo->prepare('INSERT INTO your_table (col1, col2,col3) VALUES (:col1, :col2, :col3)');
$stmt->execute(array(':col1' =>'value 1', ':col2' =>'value 2', ':col3' =>'value 3');
    • 0