Login/Register
Mysql Real Escape String PHP Function Adding "\" to My Field Entry
Asked Answered
Solved phpmysqlmagic-quotes
H

3

5

I am submitting a form to my MySQL database using PHP.

I am sending the form data through the mysql_real_escape_string($content) function.

When the entry shows up in my database (checking in phpMyAdmin) all of my double quotes and single quotes are escaped.

I'm fairly certain this is a PHP configuration issue?

so:

$content = 'Hi, my name is Jascha and my "favorite" thing to do is sleep';
mysql_real_escape_string($content);
$query = 'INSERT INTO DB...'

comes up in my database as:

Hi, my name is Jascha and my \"favorite" thing to do is sleep

Who do I tell what to do? (I cannot access the php.ini).

Hornback answered 17/2, 2010 at 20:23 Comment(3)
Can you post the rest of your query?Fossiliferous
Try #173712Metronymic
Thank you akiller, I did a search for this question before posting it, i guess I was using the wrong phrasing.Hornback
J
5

You need to take magic quotes into account when retrieving request data. If get_magic_quotes_gpc() is true, then you need to run stripslashes() on the input. Best way would be to write a function for that. Something like:

function get_string($array, $index, $default = null) {
    if (isset($array[$index]) && strlen($value = trim($array[$index])) > 0) {
        return get_magic_quotes_gpc() ? stripslashes($value) : $value;
    } else {
        return $default;
    }
}

..which you can use as

$input = get_string($_POST, 'input');

..instead of

$input = $_POST['input'];

Do the same for trivial stuff like get_number(), get_boolean(), get_array() and so on.

Jolenejolenta answered 17/2, 2010 at 20:35 Comment(0)
T
6

If you are getting your $content data from a form (and not "as-is" in the PHP code), maybe you're having a problem because of Magic quotes (see magic_quotes_gpc)

Basically :

When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically

If magic quotes are enabled (you can check this in the ouput of phpinfo(), for instance), you'll be getting that kind of "double escaping" :

  • Those characters will be escaped once by magic quotes,
  • And, then, they'll be escaped a second time by mysql_real_escape_string


The good solution, in this case, is not to stop using mysql_real_escape_string, but to disabled magic_quotes_gpc in your configuration...

... But, as you don't have access to it, you'll actually have to "revert" the effect of magic quotes, calling stripslashes on the input you're getting as $_GET and $_POST, before begining using it.

Note : it's an advice that's given on the manual page of mysql_real_escape_string (quoting) :

Note: If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.

Turne answered 17/2, 2010 at 20:30 Comment(2)
huhu ^^ not, there is not ^^ But glad you got a solution to your problem :-)Turne
So does that mean I'm stuck with inserting the data into my database with the slashes but I have to stripslashes() before displaying it on my page OR can I do a mysql_real_escape_string(stripslashes($_REQUEST['value'])) before I run the insert? Ahhh... just tested it. mysql_real_escape_string(stripslashes($_REQUEST['value'])) works.Geometry
J
5

You need to take magic quotes into account when retrieving request data. If get_magic_quotes_gpc() is true, then you need to run stripslashes() on the input. Best way would be to write a function for that. Something like:

function get_string($array, $index, $default = null) {
    if (isset($array[$index]) && strlen($value = trim($array[$index])) > 0) {
        return get_magic_quotes_gpc() ? stripslashes($value) : $value;
    } else {
        return $default;
    }
}

..which you can use as

$input = get_string($_POST, 'input');

..instead of

$input = $_POST['input'];

Do the same for trivial stuff like get_number(), get_boolean(), get_array() and so on.

Jolenejolenta answered 17/2, 2010 at 20:35 Comment(0)
N
-1

I know it is a little late, but as a noob to php I needed something really simple. So I am using this code below to fix the problem described by the OP with magic_quotes_gpc I have a server running php 5.2.8 and one running 5.3

My web app is using datatables.net to display information. I started getting JSON errors when data was saved with special characters escaped in the database.

My Development machine uses 5.3 where this wasn't neccesary, but with php 5.2.8 I needed to use the stripslashes function in order to save the values to my database.

$description = mysql_real_escape_string($description);
// hack for php 5.2.8 //
if (get_magic_quotes_gpc()) {
     $description = stripslashes($description); 
     //echo "description: $description";
    }

I realize this is basically the same answer as above, but for me it seemed more my style. Hopefully this will help others in the same boat as I am.....

Nagey answered 16/7, 2010 at 5:43 Comment(1)
stripslashes should never be used in the same place with mysql_real_escape_string. latter one is database related while first one is input related.Reposit

© 2022 - 2024 — McMap. All rights reserved.