[nycphp-talk] SQL injection and stripslashes
Charles Collicutt
charles.collicutt at holyblasphemy.org
Thu Aug 3 08:07:03 EDT 2006
Kenneth Downs wrote:
> The backslash is not stored in the database. It tells the database that
> the apostrophe (technically: single-quote) is not an endquote, and that
> the single-quote is part of the column's value. The database discards
> the backslash and stores the single-quote as part of the value. When
> you retrieve it, you get the value without the backslash.
Ah, thanks. I thought that only applied if I was using the same
delimiter around the string (i.e. it would work with 'it\'s fine' but
not with "it\'s fine") but I was wrong, that works for both. I'm sure
I've ended up with strings from databases with annoying backslashes in
them before but that must have been on a server with magic quotes turned
on or something.
Thank you very much for clearing that up for me.
--
Charles
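To make the round-trip concrete, here is an added example (not code from the thread or from either poster) that stores a value containing an apostrophe in three ways and reads it back. It uses Python's sqlite3 module because it runs offline; SQLite follows standard SQL, where the escape for a quote is a doubled quote, whereas the backslash escaping Kenneth describes is a MySQL extension, and the last function shows that a backslash-escaped literal is rejected outside MySQL. The add_slashes/strip_slashes helpers are emulations of PHP's addslashes()/stripslashes() written for this example, and the table name and sample string are constructed.

```python
import sqlite3


def add_slashes(value: str) -> str:
    """Emulate PHP addslashes() (what magic_quotes_gpc did to request data):
    put a backslash before every single quote, double quote and backslash."""
    return "".join(("\\" + ch) if ch in "'\"\\" else ch for ch in value)


def strip_slashes(value: str) -> str:
    """Emulate PHP stripslashes(): remove one level of backslash escaping."""
    out = []
    i = 0
    while i < len(value):
        if value[i] == "\\":
            i += 1              # skip the backslash, keep the character after it
            if i >= len(value):
                break           # a trailing lone backslash is dropped, as in PHP
        out.append(value[i])
        i += 1
    return "".join(out)


def open_db() -> sqlite3.Connection:
    # Constructed in-memory schema for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (body TEXT)")
    return conn


def _round_trip(conn: sqlite3.Connection, run_insert) -> str:
    conn.execute("DELETE FROM notes")
    run_insert(conn)
    return conn.execute("SELECT body FROM notes").fetchone()[0]


def stored_via_parameter(value: str) -> str:
    """Bound parameter: the driver sends the value separately, so no quoting
    or escaping is needed and the stored value equals the input."""
    return _round_trip(
        open_db(),
        lambda c: c.execute("INSERT INTO notes (body) VALUES (?)", (value,)),
    )


def stored_via_doubled_quote(value: str) -> str:
    """SQL-standard escaping: double every single quote inside the literal.
    The database discards the doubling, just as MySQL discards the backslash."""
    literal = "'" + value.replace("'", "''") + "'"
    return _round_trip(
        open_db(),
        lambda c: c.execute("INSERT INTO notes (body) VALUES (" + literal + ")"),
    )


def stored_when_double_escaped(value: str) -> str:
    """Escape once (as magic quotes did) and then ALSO bind as a parameter:
    the backslash is now part of the data and is stored. This is the
    'annoying backslashes in the database' symptom from the thread."""
    return _round_trip(
        open_db(),
        lambda c: c.execute("INSERT INTO notes (body) VALUES (?)", (add_slashes(value),)),
    )


def backslash_literal_accepted(value: str) -> bool:
    """Backslash escaping inside a quoted literal is MySQL-specific. Standard SQL
    (SQLite here) treats the backslash as an ordinary character, so a value
    containing a quote produces a malformed statement instead of a stored row."""
    literal = "'" + add_slashes(value) + "'"
    try:
        _round_trip(
            open_db(),
            lambda c: c.execute("INSERT INTO notes (body) VALUES (" + literal + ")"),
        )
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    sample = "it's fine"   # constructed input containing an apostrophe
    print(stored_via_parameter(sample))          # it's fine
    print(stored_via_doubled_quote(sample))      # it's fine
    print(stored_when_double_escaped(sample))    # it\'s fine  (backslash stored)
    print(strip_slashes(stored_when_double_escaped(sample)))  # it's fine
    print(backslash_literal_accepted(sample))    # False on SQLite
```

The first two functions give the same stored value, which is the point of the thread: the escape belongs to the SQL text, not to the data. The third shows where stray backslashes come from: data escaped once by magic quotes and then escaped again (or bound as a parameter) carries the backslash into the table, and stripslashes() only undoes it after the fact. Bound parameters avoid the whole question of which escape rule the target database uses.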