
does addslashes(stripslashes($field)) guarantee sql injection invulnerability?

Developer https://www.devze.com 2023-03-17 21:01 Source: web

Minus the whole addslashes() vs mysqli_real_escape_string() argumentation, will stripping then adding slashes guarantee SQL injection invulnerability? Will this alter the data in any way, for example displaying the string with double slashes after fetching it from the database?


So what you want to do is

    <?php
    $input   = 'bla" SELECT * FROM blabla"';
    $escaped = stripslashes(addslashes($input));

In that case

    $input == $escaped is true

So no, this would probably do nothing. That's why you should prefer mysql_real_escape_string.


Escaping characters (addslashes()) may protect you from SQL injection. I'm not an expert on how to sanitize inputs, and here's why:

I skipped the whole "sanitizing" thing and went straight to prepared statements. Sanitizing / escaping means you have to do the reverse on the output side, which means double the effort every time, and double the chances to mess up somewhere, allowing bad input in. If you just plop PDO between every database query you do and the database itself, your worries are over.

That's not to say, of course, that PDO protects you from attacks like CSRF or XSS, but the actual stored values are SQL-injection-safe, and you can strip HTML or whatever you need to do before you store it to protect from attacks like those.


No. Use mysql_real_escape_string.

Why: you are not considering a ton of issues, mainly the encoding of strings, etc.


No, having the right amount of slashes helps with some vulnerabilities, but you still need to check user input. There is no guarantee of SQL injection invulnerability, ever.


addslashes() will protect you in most cases. As for getting the output, it depends on how you're submitting it. If you do

    $input = addslashes("Bob's shoes");

you'll get Bob\'s shoes.

When you put this in your database

    insert into tbl (txt) values ('Bob\'s shoes')

the output of

    select txt from tbl

will be Bob's shoes as you intended; the slashes are removed by the SQL on insert.

If you're anal about it you can add other precautions, but if you want a quick and easy thing for a site that's not ridiculously secure, it should be fine. There are also built-in PHP sanitize functions if you look them up.

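The following is an added example that is not part of the question or of any of the answers above. It ties together three points made in the thread: the first answer's observation that stripslashes(addslashes($x)) is a no-op (and the reverse order silently eats backslashes the user typed), the "encoding of strings" remark, shown here as the well-known GBK multibyte bypass of addslashes() where the inserted backslash is absorbed into a two-byte character and the quote survives, and the prepared-statement approach recommended as the real fix. The first two parts run offline with only the mbstring extension; the PDO part is shown but not executed, and its DSN, credentials, table `tbl` and column `txt` are assumptions for illustration.

```php
<?php
// Added example, not taken from the original question or answers.
// Shows byte by byte why stripslashes()/addslashes() guarantee nothing,
// and what does. Parts 1 and 2 need no database; part 3 assumes a
// hypothetical DSN and is not called here.

declare(strict_types=1);

// Part 1: the order of the two calls decides whether anything happens.
function roundTrip(string $input): array
{
    return [
        // stripslashes(addslashes(x)) === x: the "escaping" is undone immediately.
        'strip_then_add_is_noop' => stripslashes(addslashes($input)) === $input,
        // addslashes(stripslashes(x)) first deletes every backslash the user
        // legitimately typed, then escapes what is left: data loss, not safety.
        'add_then_strip'         => addslashes(stripslashes($input)),
    ];
}

// Part 2: the multibyte bypass. On a GBK connection the byte pair 0xBF 0x5C
// is ONE character, so the backslash that addslashes() puts before the
// quote is swallowed into that character and the quote is left unescaped.
function gbkQuoteSurvives(): array
{
    $payload = "\xbf'";              // constructed input: GBK lead byte + single quote
    $escaped = addslashes($payload); // bytes on the wire: bf 5c 27
    return [
        'escaped_hex'   => bin2hex($escaped),                 // "bf5c27"
        'gbk_chars'     => mb_strlen($escaped, 'GBK'),        // 2: one CJK char, then the quote
        'last_gbk_char' => mb_substr($escaped, 1, 1, 'GBK'),  // "'" - the quote is intact
    ];
}

// Part 3: what removes the problem. Bind the value instead of splicing it
// into the SQL text, declare the connection charset in the DSN so client
// and server agree on what a character is, and turn off client-side
// emulation so the server itself binds the parameter.
// $dsn, $user, $pass, the table and the column are assumptions.
function insertWithPreparedStatement(string $dsn, string $user, string $pass, string $txt): int
{
    $pdo = new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
    $stmt = $pdo->prepare('INSERT INTO tbl (txt) VALUES (:txt)');
    $stmt->execute([':txt' => $txt]);   // no addslashes(), no escaping at all
    return $stmt->rowCount();
}

// Offline parts run here; the database part is only shown.
var_dump(roundTrip("O'Reilly \\ path"));
var_dump(gbkQuoteSurvives());
// insertWithPreparedStatement('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', "Bob's shoes");
```

Running the offline parts: roundTrip() reports `strip_then_add_is_noop => true` and returns `O\'Reilly  path` for the reverse order, the user's backslash gone; gbkQuoteSurvives() reports `bf5c27`, a GBK length of 2 and a final character of `'`, which is exactly the quote addslashes() was supposed to neutralise. The bypass only works when the connection charset is a multibyte encoding with 0x5C as a valid trail byte (GBK, Big5, SJIS), which is why the recommendation in the thread to escape with a connection-aware function, or better, to not build SQL from strings at all, is the one that holds.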
