Possible Duplicate:
Using stripslashes after mysql_real_escape_string
I have been reading most recently about prevention of SQL injection and I am trying to develop some sense of understanding between the different functions so that I can learn the basics.
I have read about mysql_real_escape_string and I understand that it is basically escaping characters which it deems “special” so that it is not confused for SQL syntax?
Now, assuming that is at least to some degree true – is there a need to use the stripslashes function combined with the mysql_real_escape_string? I’m wondering about what stripslashes is and what it is for.
If you use stripslashes on input right after using mysql_real_escape_string, you will effectively undo it. There are probably other reasons to use stripslashes, but in my case I have only ever needed it to undo the horror that is magic quotes. It’s actually the opposite of addslashes. addslashes does not necessarily escape input the same as mysql_real_escape_string does, and they cannot be used for the same purpose.
Even better than mysql_*, you should read up on using prepared statements like in PDO. Then you don’t even have to worry about mysql_* or stripslashes (except for magic quotes).
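A PHP illustration of the points in this answer, added here and not the answerer's own code: stripslashes cancels the escaping, the only defensible use is undoing magic quotes, and a PDO prepared statement makes both unnecessary. addslashes stands in for mysql_real_escape_string because the latter needs a live connection (for this input both produce the same string; they differ on newlines, NUL, \x1a and multibyte charsets); the DSN, credentials, table and column are placeholders.

```php
<?php
// Constructed sample input containing a single quote.
$input = "O'Reilly";

// Escaping puts a backslash before the quote ...
$escaped = addslashes($input);           // O\'Reilly
// ... and stripslashes takes it straight back out.
$undone = stripslashes($escaped);        // O'Reilly
assert($undone === $input);              // escaping fully undone

// The broken pattern from the question: escape, then strip.
// The quote is live again inside the SQL text.
$badSql  = "SELECT id FROM users WHERE name = '" . stripslashes(addslashes($input)) . "'";
// The intended pattern: escape only, so the quote stays inert.
$okSql   = "SELECT id FROM users WHERE name = '" . addslashes($input) . "'";
assert($badSql === "SELECT id FROM users WHERE name = 'O'Reilly'");
assert($okSql  === "SELECT id FROM users WHERE name = 'O\\'Reilly'");

// The one legitimate job the answer mentions: undo magic quotes.
// get_magic_quotes_gpc() no longer exists in PHP 8, hence the guard.
function unquote_if_magic(string $value): string
{
    return (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
        ? stripslashes($value)
        : $value;
}

// Preferred: a prepared statement ships the value separately from the SQL,
// so neither escaping nor stripslashes is involved at all.
$pdo = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4', // placeholder DSN
    'PLACEHOLDER_USER',                                            // placeholder
    'PLACEHOLDER_PASS',                                            // placeholder
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepare
    ]
);
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
$stmt->execute([':name' => unquote_if_magic($input)]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```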