quotes and apostrophes

jbagley · February 23 '05, 07:14 AM (#1)

What is the best way of handling them when it comes a Database driven application?

I know the methods used are stripslashes and addslashes, but what is best practice? Do you add the slashes before you insert into the database and then strip them before you print it out to the screen?

Is there a better or faster way of doing it?

**rosland** · February 23 '05, 08:14 AM (#2)

Quote:

Originally Posted by jbagley

Do you add the slashes before you insert into the database and then strip them before you print it out to the screen?

Yes.

Quote:

Originally Posted by jbagley

Is there a better or faster way of doing it?

None that I can think of.

jbagley · February 23 '05, 08:25 AM (#3)

Ok, cool. Thanks Rosland. I was just checking I was doing it the right way...

visualAd · February 24 '05, 04:39 PM (#4)

Quote:

Originally Posted by jbagley

What is the best way of handling them when it comes a Database driven application?

I know the methods used are stripslashes and addslashes, but what is best practice? Do you add the slashes before you insert into the database and then strip them before you print it out to the screen?

Is there a better or faster way of doing it?

Its a googd idea to check whether magic quotes is turned on, otherwise you run the risk of escaping your string twice. Something like this:

PHP Code:


			
function stripslashes_safe($string)

{

    /* why the space in the $stirng variable I don't know, 

       but the forum software insists on putting it there */

    return get_magic_quotes_gpc()?$string:stripslashes($string);

}

Its also worth noting that some database management systems have different methods for escaping quotes. MS for example uses a '' to escape a quote.

jbagley · March 8 '05, 05:39 AM (#5)

I need some help implementing a solution to escape apostrophes and quotations.

I am running MSSQL.

PHP Code:


			
$first = addslashes(trim(@$_POST['firstname']));

This is the code I am using. If I use single quotes(') it prints this out: jason\'s, and it fails.

But if I use double quotes(") It works and prints this out: jason\"s. Here is the insert statement:

PHP Code:


			
$sql = "INSERT INTO ClientContact 

        (CDLID, first, surname, cellno, email, field1, field2, field3) 

        VALUES 

        (".$_SESSION['CDLID'].",'".$first."','".$surname."','".$cellno."','".$email."','".$field1."','".$field2."','".$field3."')";

I need a solution for both single and double quotes to work

Thanks in advance
P.S. Ive turned magic quotes off.