Add slashes

How would I add slashes to the following so that it can be used to enter a URL into a database?

[php]
$web_link = mysql_escape_string(trim($_POST['web_link']));
if ( empty($web_link) ) {
    $valid = 0;
    $web_link_error = 'Required Field.';
}
[/php]

Thanks,
Andrew

addslashes()
htmlspecialchars()

visit http://www.php.net for details on these functions.

I’ve tried the following

[php]
$web_link = addslashes($_POST['web_link']);
if ( empty($web_link) ) {
    $valid = 0;
    $web_link_error = 'Required Field.';
}
[/php]

But now it just doesn't add any URL I enter to the database.

Can you show an example of a URL that won’t go into the database?

mysql_real_escape_string() is generally used to make user input safe for inclusion in a SQL query to be executed in MySQL. addslashes() is usually a last resort, and htmlspecialchars() should be used when outputting user input to the client.

Just curious, but where did you read or see that using addslashes() was usually a last resort? Furthermore, why would I only use htmlspecialchars() when outputting user input to the client?

Just was a little curious on these comments.

In retrospect I would have to agree that using mysql_escape_string() in this case would probably be better suited for the job.

Use the right tool for the right job :wink:

PHP has how many functions built in? Hundreds, if not thousands. For literally ANYTHING there’s a function prepared.

If you want to put a string of characters from the clientside (GET, POST, COOKIE) into a SQL query, why would you want to use addslashes() (or htmlspecialchars()) when mysql_real_escape_string() (or any similar function for different database engines) is available? Addslashes() does not provide a completely secure way of making user input safe for use in queries, and neither does htmlspecialchars().

Htmlspecialchars() makes possibly unsafe input safe for outputting to a publicly viewable page. For example, it disarms XSS attempts (thought that was htmlspecialchars() at least, or perhaps htmlentities()).

Addslashes() is a generic function that can be used in many cases, but should NEVER be relied on when trying to make user input ‘safe’ for processing.
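
To make the "right tool for the job" point concrete, here is an added example (my code, not from any poster in this thread). It uses PDO with an in-memory SQLite database so it runs without a MySQL server standing in for mysql_real_escape_string(); the table, its rows and the three sample inputs are constructed for the demo. It shows why addslashes() cannot be relied on for SQL (it only matters inside quotes), what a prepared statement does instead, and where htmlspecialchars() belongs (on the way out to HTML, not on the way into the database):

```php
<?php
// Added example for this thread, not code from any poster. It uses PDO with
// an in-memory SQLite database so it runs without a MySQL server; the table
// name, the rows and the inputs are constructed for the demo.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE links (id INTEGER PRIMARY KEY, web_link TEXT NOT NULL)');
$db->exec("INSERT INTO links (web_link) VALUES ('http://example.com/'), ('http://example.org/private')");

// addslashes() only escapes ' " \ and NUL, so it only helps when the value is
// wrapped in quotes. In an unquoted numeric context it changes nothing and
// the input becomes part of the query logic.
function lookupWithAddslashes(PDO $db, string $id): array
{
    $sql = 'SELECT web_link FROM links WHERE id = ' . addslashes($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// A prepared statement never splices the value into the SQL text, so the
// same input is just a string that no id equals.
function lookupPrepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT web_link FROM links WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Input side of the original question: decide whether the posted value is a
// URL we are willing to store at all (http/https only), before any escaping.
function validateWebLink(string $raw): ?string
{
    $link = trim($raw);
    if ($link === '' || filter_var($link, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($link, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $link : null;
}

function storeWebLink(PDO $db, string $link): void
{
    $stmt = $db->prepare('INSERT INTO links (web_link) VALUES (:link)');
    $stmt->execute([':link' => $link]);
}

// Output side: htmlspecialchars() is for HTML, not SQL. With ENT_QUOTES the
// value is safe inside a double-quoted attribute as well as in text.
function renderLink(string $link): string
{
    $escaped = htmlspecialchars($link, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $escaped . '">' . $escaped . '</a>';
}

$attack = '1 OR 1=1';
echo "addslashes, unquoted id: " . implode(', ', lookupWithAddslashes($db, $attack)) . "\n";
echo "prepared statement:      " . implode(', ', lookupPrepared($db, $attack)) . "\n";

foreach (['https://example.net/?q=a&b=c', 'javascript:alert(1)', '"><script>alert(1)</script>'] as $raw) {
    $link = validateWebLink($raw);
    if ($link === null) {
        echo "rejected: $raw\n";
        continue;
    }
    storeWebLink($db, $link);
    echo renderLink($link) . "\n";
}
```

The first lookup returns every row because `1 OR 1=1` contains nothing addslashes() touches; the prepared lookup returns none. Note that the URL check is a separate step from either escaping function: htmlspecialchars() makes a stored value safe to print inside an attribute, but it does not stop a `javascript:` link from being a link, which is why the scheme is checked before the value is stored.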

I have to agree with Zyppora.

Of course there is no difference in this example, but what happens if somebody uses addslashes together with LIKE? We know that there is a difference, but other people are actually reading this to learn how to do things.

Of course we are all still posting insecure code in here, as most of the code is just an example, but it's always good if somebody mentions the better/safer way to do the same.

I have finished.
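
The LIKE remark above is worth spelling out, so here is an added example (my code, not from any poster). An in-memory SQLite database stands in for MySQL and the rows are constructed for the demo. It shows that neither addslashes() nor even a bound parameter does anything about the LIKE metacharacters `%` and `_`; those need their own escaping plus an ESCAPE clause:

```php
<?php
// Added example for this thread, not code from any poster. Shows why escaping
// for SQL string syntax is not the same as escaping for LIKE. In-memory SQLite
// stands in for MySQL; the table and rows are constructed for the demo.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('50%_off')");

// addslashes() only touches ' " \ and NUL. The LIKE metacharacters % and _
// pass straight through, so a search for "%" turns into "select everything".
function searchWithAddslashes(PDO $db, string $term): array
{
    $sql = "SELECT name FROM users WHERE name LIKE '%" . addslashes($term) . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Binding the term keeps it out of the SQL syntax (no injection), but % and _
// are interpreted by LIKE itself, so the result is the same as above.
function searchBoundOnly(PDO $db, string $term): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name LIKE :pat');
    $stmt->execute([':pat' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Escape the LIKE metacharacters and the escape character itself, then tell
// the database which escape character is in use, and still bind the pattern.
// SQLite has no default escape character. MySQL defaults to backslash, and a
// backslash inside a MySQL string literal must itself be doubled.
function escapeLike(string $term, string $esc = '\\'): string
{
    return addcslashes($term, $esc . '%_');
}

function searchEscaped(PDO $db, string $term): array
{
    $stmt = $db->prepare("SELECT name FROM users WHERE name LIKE :pat ESCAPE '\\'");
    $stmt->execute([':pat' => '%' . escapeLike($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$term = '%';
echo "addslashes:   " . implode(', ', searchWithAddslashes($db, $term)) . "\n";
echo "bound only:   " . implode(', ', searchBoundOnly($db, $term)) . "\n";
echo "LIKE-escaped: " . implode(', ', searchEscaped($db, $term)) . "\n";
```

The first two searches return all three names; only the third returns just `50%_off`, the one row that actually contains a percent sign. The same applies to mysql_real_escape_string(): it is an escaper for string literals, not for LIKE patterns, so a search box that feeds LIKE needs escapeLike() (or an equivalent) on top of whatever keeps the value out of the SQL syntax.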

Yes, I do agree with Zyppora, but I just felt that it was a little strong terminology to state "Last Resort", as if there was some documentation on standards in PHP on how to use these functions that I missed. I have been writing PHP for over 6 years, actually went to college for it, and currently work for a company where our applications have to match the Department of Defense's standards and be compliant to their level, and I have used these functions a few times.

Let me stress, I do agree with Zyppora, mysql_real_escape_string() is a better tool for this job, I just didn't think of it at the time of posting. Furthermore, I didn't mind that he posted that mysql_escape_string is better; happy actually, as he provided a better solution.

Just thought that it was made to sound like you never want to use addslashes() and as Q1712 stated we do need to give the best information possible.

Please mind that I do not discourage the use of addslashes(), especially in custom usage of user input it may help your script and the security around it greatly (for example, I’m not sure if there’s a standard function to use to make user input safe for writing to a remote file). Especially for inclusion in SQL queries, or outputting to clientside, there are functions that better fit the job though.

Maybe ‘last resort’ was a bit overkill for what addslashes() is, humble apologies for that :slight_smile:
