WebApp Sec mailing list archives

Re: SQL injection and PHP/MYSQL

From: Jan Pieter Kunst <jpk () akamail com>
Date: Wed, 10 Sep 2003 20:46:44 +0200

After using mysql_escape string to insert data into the database, is there
an equal combination of unescaping one should do when the date is pulled
from the database, or is a stripslashes() all that is necessary?

You shouldn't have to do a stripslashes() when you retrieve data froma MySQL database.

The slashes that are added to escaped data aren't themselves storedin the database. At least, the addslashes() ones aren't.

JP

Current thread:

SQL injection and PHP/MYSQL Robert Buljevic (Sep 09)
- Re: SQL injection and PHP/MYSQL Sverre H. Huseby (Sep 09)
- Re: SQL injection and PHP/MYSQL Bill Pennington (Sep 09)
- Re: SQL injection and PHP/MYSQL Denis Arh (Sep 09)
- Re: SQL injection and PHP/MYSQL shimi (Sep 09)
  - Re: SQL injection and PHP/MYSQL Brad Fults (Sep 10)
    - Re: SQL injection and PHP/MYSQL Jan Pieter Kunst (Sep 10)
    - Re: SQL injection and PHP/MYSQL Sverre H. Huseby (Sep 10)
- <Possible follow-ups>
- RE: SQL injection and PHP/MYSQL Keifer, Trey (Sep 09)