stripslashes vs. eregi_replace

registered · Posted: Sun Sep 24, 2006 4:23 pm

There's a few mods out there that use stripslashes in sections that allow comments and such. I'm pretty much just learning how to write mods myself and have found that stripslashes won't let you use apostropies if the entry is going to a database entry. A good example is EDL...if you use an apostrophe in the description the entire entry won't be saved.

So, to offset this, I have been changing the stripslashes to eregi_replace to allow apostrophies in the entries. I am almost positive this is the wrong way to accomplish what I want. It works but I'm not sure if I've compromised any security.

Thanks for any input on these.

registered · Posted: Sun Sep 24, 2006 7:53 pm

Do not use stripslashes.. it does not provide any security.

For database entry for apostreophes, use addslashes

Regular Joined: Jun 02, 2004 Posts: 88

Look at the topic about Filtering.... Earlier I posted some code for an Input Filtering system, which is basically what you are needing. This system covers what you are asking.

Database inputs should be filtered and escaped. "Escaped" means that certain characters need to have a backslash added in front of them before being stored in a database.

Changing stripslashes to eregi_replace is one big no-no..... and is really comparing apples to oranges. Those functions have 2 entirely different purposes and uses.

Go to php.net and read about the following:

addslashes
stripslashes
magic_quotes_gpc
mysql_real_escape_string

Posted: Sun Sep 24, 2006 8:00 pm

Good to know. Thank you Evaders.

The reason I replaced stripslashes tho is because I couldn't find a combination of commands to not have to use a backslash or double apostrophies. So I commented out the stripslashes line and added eregi_replace("/'","" etc etc to get the backslashes in there.

Thanks for the info hog. I'll check out your post.