WebApp Sec mailing list archives
Re: SQL injection and PHP/MYSQL
From: Jan Pieter Kunst <jpk () akamail com>
Date: Wed, 10 Sep 2003 20:46:44 +0200
> After using mysql_escape_string to insert data into the database, is there an equal combination of unescaping one should do when the data is pulled from the database, or is a stripslashes() all that is necessary?
You shouldn't have to do a stripslashes() when you retrieve data from a MySQL database.
The slashes that are added to escaped data aren't themselves stored in the database. At least, the addslashes() ones aren't.
JP
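
The round trip described in the message above, as an added example that is not part of the original post. decode_sql_literal() is a hypothetical helper: a simplified model of how MySQL reads a single-quoted string literal in its default SQL mode. The sample value is constructed.

```php
<?php
// Hypothetical helper: a simplified model of how MySQL reads a single-quoted
// string literal in its default SQL mode (backslash escapes enabled).
function decode_sql_literal(string $literal): string
{
    $map = ['0' => "\0", 'b' => "\x08", 'n' => "\n", 'r' => "\r",
            't' => "\t", 'Z' => "\x1a"];
    $end = strlen($literal) - 1;               // index of the closing quote
    if ($end < 1 || $literal[0] !== "'" || $literal[$end] !== "'") {
        throw new InvalidArgumentException('not a single-quoted literal');
    }
    $out = '';
    for ($i = 1; $i < $end; $i++) {
        $c = $literal[$i];
        if ($c === '\\') {
            if (++$i >= $end) {                // backslash swallowed the closing quote
                throw new InvalidArgumentException('unterminated literal');
            }
            $n = $literal[$i];
            // \% and \_ keep their backslash; other unknown escapes drop it.
            $out .= ($n === '%' || $n === '_') ? '\\' . $n : ($map[$n] ?? $n);
        } elseif ($c === "'") {
            if ($i + 1 < $end && $literal[$i + 1] === "'") {
                $out .= "'";                   // '' is one quote character
                $i++;
            } else {
                throw new InvalidArgumentException('unescaped quote ends the literal early');
            }
        } else {
            $out .= $c;
        }
    }
    return $out;
}

// Constructed sample value: a single quote, double quotes and one real backslash.
$input   = "O'Reilly said \"hi\" from C:\\temp";
$escaped = addslashes($input);                       // what goes into the query text
$stored  = decode_sql_literal("'" . $escaped . "'"); // what the server would store

echo "query text : '", $escaped, "'\n";
echo "stored     : ", $stored, "\n";
echo "round trip : ", var_export($stored === $input, true), "\n";
echo "after an extra stripslashes(): ", stripslashes($stored), "\n";
```

The last line shows the cost of unescaping on retrieval: the only backslash left in the stored value belongs to the data, and stripslashes() removes it.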