Suppose you have the following:
<?php
$connection = mysqli_connect("host", "root", "passwd", "dbname");
$habits = mysqli_real_escape_string($connection, $_POST['habits']);
?>
Lets say you entered, for a field called 'habits', the value 'tug o' war'. Therefore, the mysqli_real_escape_string function will escape the second quote symbol and the database engine won't be fooled into thinking that the value is 'tug o'. Instead, it will know that the value is actually 'tug o' war'. My question is, why then do you need a stripslashes function? A stripslashes function will simply strip away the good work that was done by the mysqli_real_escape_string function. Stripping away a backslash will simply return you to where you were, and the database will be fooled again. Am I to assume that the stripslashes function is NOT used for database purposes? That is, would this piece of code be completely nonsensical?:
<?php
$connection = mysqli_connect("host", "root", "passwd", "dbname");
$habits = mysqli_real_escape_string($connection, $_POST['habits']);
$undosomething = stripslashes($habits);
echo '$undosomething';
?>
If stripslashes is NOT used for database purposes, what exactly is it used for?
Per the Manual, the purpose of stripslashes() is to unquote a quoted string, meaning to remove a backslash quoting a character. Note, PHP lacks a character data type, so all single characters are strings. You may wish to peruse this example code which demonstrates that this function leaves forward slashes as well as escape sequences involving non-printable characters unaltered. Stripslashes() arose to counter excessive quoting caused by a feature that PHP formerly supported: magic quotes.
In the early days of PHP when Rasmus Lerdorf worked with databases that necessitated escaping the single quote character, he found a way to avoid the tedium of manually adding a backslash to quote or escape that character; he created magic quotes:
... useful when mSQL or Postgres95 support is enabled
since ... single quote has to be escaped when it is
part of [a] ... query ...
(See php.h in PHP/FI [php-2.0.1] )
While magic quotes saved developers from having to use addslashes(), this feature could automatically quote inappropriately. A form's input with a value of O'Reilly would display as O\'Reilly. Applying stripslashes() fixed that issue. Though stripslashes() lived up to its name and stripped away backslashes, it was inadequate for addressing all the problems associated with magic quotes, a feature that would ultimately be deprecated in PHP5.3 and then removed as of PHP5.4 (see Manual).
You may view quoted data if you are still using a version of PHP that supports magic quotes. For example, consider the case of a $_GET variable that originates from a JavaScript containing a url-encoded string, as follows:
location.href="next_page.php?name=O%27Riley"; // $_GET['name'] == O\'Riley
If you were to apply to $_GET['name'] either addslashes() or mysqli_real_escape_string(), this variable's value would expand, containing two more backslashes, as follows:
O\\\'Riley
Suppose the variable were next used in an insert query. Normally the backslash of a quoted character does not get stored in the database. But, in this case, the query would cause data to be stored as:
O\'Riley
The need for stripslashes() is much less likely nowadays, but it's good to still retain it. Consider the following JavaScript, containing a flagrant typo:
location.href="http://localhost/exp/mydog.php
?content=My%20dog%20doesn\\\\\\\\\\\\\%27t%20
like%20to%20stay%20indoors."
Using stripslashes(), one may dynamically correct the code as follows:
function removeslashes($string)
{
while( strpos( $string, "\\" ) !== FALSE ) {
$string = stripslashes( $string );
}
return $string;
}
$text = htmlentities($_GET['content']);
if (strpos($text,"\\") !== FALSE ) {
echo removeslashes( $text );
}
Note: stripslashes() is not recursive.
There is no point to stripslashes().
Some folks used to think this provided them security, but as you can see it does not. It should be removed from PHP completely, but it hasn't been.
It still has it's uses. It's not really used with a database but even with this, there are use cases. Let's assume, or send data from form using JavaScript and you have a string with a quote such as "It's". Than getting the value through the $_GET supervariable, you'll get the value "It\'s". If you than use mysqli_real_escape_string() or similar (which you must use for security), the quote will be double encoded and the backslash will be saved to the DB. For such scenarios, you would use this function. But it is not for security and not necessarily used with a DB.
mysqli_real_escape_string and stripslashes Does not sql injection provide protection. Use Prepared Statements. Example Code.
<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "my_database");
if ($mysqli->connect_errno) {
echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
}
/* Prepared statement, stage 1: prepare */
if (!($stmt = $mysqli->prepare("INSERT INTO test(id) VALUES (?)"))) {
echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
}
$id = 1;
if (!$stmt->bind_param("i", $id)) {
echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error;
}
if (!$stmt->execute()) {
echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
}
?>
addslashes():
w3schools.com - function returns a string with backslashes in front of predefined characters.
php.net - Quote string with slashes
stripslashes():
w3schools.com - function removes backslashes added by the addslashes() function.
php.net - Un-quotes a quoted string
<?php
$str = "Who's Peter Griffin?";
echo $str . " This is original string." . PHP_EOL;
echo addslashes($str) . " This is addslashes string." . PHP_EOL;
echo stripslashes(addslashes($str)) . " This is stripslashes string." . PHP_EOL;
?>
Embed PHP online:
body, html, iframe {
width: 100% ;
height: 100% ;
overflow: hidden ;
}<iframe src="https://ideone.com/2DNzNJ"></iframe></div>