Jason Wisely Jason Wisely - 4 months ago 8
MySQL Question

PHP MySQL how to transition database input from stripslashes to parameters

I'm trying to update an old program that uses regular MySql queries, runs all the inputs through

addslashes()
prior to inserting them, and runs the retrieved data through
stripslashes()
before returning it. I'm trying to update the program to run with Mysqli and use prepared statements, but I'm not sure how to make the transition with the existing data in the database.

My first thought was to write a function to test if slashes have been added, but the general consensus in the answers to similar questions I found was that this isn't doable.

I'm trying to avoid doing a mass update to the database, because it's an open source program and this seems likely to potentially cause problems for existing users when they try to upgrade.

If I continue to use
addslashes()
prior to inserting using MySqli and prepared statements would this work? What would be the reasons for not doing it this way and instead going the full database upgrade route?

Edit:

Based on a comment that appears to be deleted now, I went and looked at the database directly. All I could find was an
'
that had been converted to
'
and no slashes. When I pulled out the data it came out fine without running
stripslashes()
. So do the added slashes just tell mysql to escape the data when it's inserted? Will all the data come out find if I remove the
stripslashes()
? If so what's the point of
stripslashes()
?

Answer

You have several questions:

If I continue to use addslashes() prior to inserting using mysqli_ and prepared statements would this work?

No, it would not: the added backslashes would then be stored in your database, which is not what you want. In prepared statements the provided arguments are taken literally as you pass them, as in that mechanism there is no more need to escape quotes.

What would be the reasons for not doing it this way and instead going the full database upgrade route?

See above.

So do the added slashes just tell MySql to escape the data when it's inserted?

The added slashes are interpreted when you embed a string literal in your SQL, as that necessarily is wrapped in quotes. For example:

$text = "My friend's wedding";

$sql = "INSERT INTO mytable VALUES ('$text')";
$result = mysqli_query($con, $sql);

The mysqli_query will fail, as the SQL statement that is passed to it looks like this:

INSERT INTO mytable VALUES ('My friend's wedding')

This is not valid SQL, as the middle quote ends the string literal, and so the s that follows is not considered part of the string any more. As the SQL engine does not understand the s (nor wedding and the dangling quote after it), it produces a syntax error. You can even see something is wrong in the way the syntax is highlighted in the above line.

So that is where addslashes() is (somewhat) useful:

$text = "My friend's wedding";
$text = addslashes($text);
$sql = "INSERT INTO mytable VALUES ('$text')";
$result = mysqli_query($con, $sql);

This will work because now the SQL statement sent to MySql looks like this:

INSERT INTO mytable VALUES ('My friend\'s wedding')

The backslash tells MySql that the quote that follows it has to be taken as a literal one, and not as the end of the string. MySql will not store the backslash itself, because it is only there to escape the quote (see list of escape sequences in the documentation).

So in your table you will get this content inserted:

My friend's wedding

Then:

Will all the data come out fine if I remove the stripslashes()?

Yes. In fact, it should never have been in your code in the first place, as it will negatively effect what you get when there truly are (intended!) backslashes in your data. You are maybe lucky that a backslash is a rare character in normal text. Apparently you have not found any backslash in your database data, so it probably did not badly affect you until now. It is an error to think that the addslashes() call during the saving of data had to be countered with a stripslashes() call while reading the data, because, again, MySql had already removed them while writing the data into the database.

If so what's the point of stripslashes()?

There is no point in the context of what you are doing. It only is useful if you have received somehow a string in which there are characters that have a backslash before them, and have the meaning to escape the next character when the string is used in some context. But since you only briefly have such strings (after calling addslashes()) and MySql interprets these escapes by removing the backslashes in the written data, you never again see that string with the additional backslashes.

Situations where you would need stripslashes() are very rare and very specific. For your scenario you don't need it.