
[SOLVED] magic quotes problem??


dumdumsareyum


I'm having an issue, I think it's with magic quotes.

 

I'm letting a user save a search, and give it a name and the search criteria and name are stored in a mysql database. I am using this function on the incoming data:

 

<?php
// Strip HTML tags, undo the backslashes magic_quotes_gpc adds when it is on,
// then escape the value for the current MySQL connection.
// (Magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() itself
// was removed in PHP 8.0, so on those versions the branch can never run.)
function Mod_mysqliEscape ($cxn, $string)
{
    $string = trim(strip_tags($string));
    if (get_magic_quotes_gpc())
    {
        // magic_quotes_gpc already added backslashes; remove them so the
        // value is not escaped twice by mysqli_real_escape_string() below
        $string = stripslashes($string);
    }
    return mysqli_real_escape_string($cxn, $string);
}
?>

 

It seems to be going into the database just fine even when quotes are used in the search name.  Also, when I output the data here:

echo "<h2>My Saved Searches</h2>";
$sql = "SELECT * from savedSearches WHERE member_id = '$member_id'";
$resultSearch = mysqli_query($cxn, $sql) or die("Could not execute query");
echo "<ul><form name='removePlan' action='myAccount.php' method='POST'>";
while ($rowSearch = mysqli_fetch_assoc($resultSearch))
{
    extract($rowSearch);
    // $searchName is written into a single-quoted HTML attribute as-is;
    // any quote inside it is interpreted by the browser rather than sent back
    echo "<li><input type='checkbox' name='removeSavedSearch[]' value='$searchName'>
             <a href='search.php?$queryString'>$searchName</a>
          </li><br />";
}
echo "</ul>
      <input type='hidden' name='member_id' value='$member_id'>
      <input type='submit' value='Delete Searches'>
      </form>";

 

it shows up with the quotes just fine.

The problem is when I try to use the 'removeSavedSearch' array to find that search in the database the quotes are obviously interfering...

i.e. when it's supposed to be matching 'Find "my" search' it tries to match 'Find ' (based on echoing the received variable back out). I've tried running it through the same function I used at first for magic quotes, or adding slashes, or using straight mysqli_real_escape_string before searching the database... nothing seems to be working. Any suggestions? Thanks in advance


Quotes (and <, >, &) have special meaning in HTML. So, when you output the quote in a form field or a link, any quotes in it are operated on by the browser. This usually results in the content being cut off at that first quote.

 

What you need to do is use htmlentities() with the ENT_QUOTES second parameter on any content you output to the browser that you want to be treated as just characters and not operated on. Then use html_entity_decode() on the content you receive to convert any special html characters back to what they actually are.

 

In your example, 'Find "my" search' will be converted to 'Find &quot;my&quot; search'
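The fix described above, written out as an added example (not code from the original post): the saved-search names and query strings are passed through htmlspecialchars() with ENT_QUOTES on the way out, and the names coming back in the removeSavedSearch[] array are bound to a prepared statement instead of being interpolated into SQL. Two points worth noting for the receiving side: the browser turns &quot; back into a literal " before it submits the form, so the POST value already holds the plain characters and no html_entity_decode() or stripslashes() is needed; and the member id is taken from the session rather than the hidden form field, since a hidden field can be edited to delete another member's searches. The table and column names (savedSearches, member_id, searchName, queryString) are the ones used in the thread; $cxn is assumed to be an open mysqli connection with the mysqlnd driver (needed for get_result()), and $member_id an integer from the session.

```php
<?php
// Added example, not the original poster's code. Assumes the savedSearches
// table from the thread (member_id, searchName, queryString), an open mysqli
// connection $cxn (mysqlnd driver) and an integer $member_id from the session.
declare(strict_types=1);

/** Escape a value for use inside an HTML attribute or text node. */
function h(string $s): string
{
    // ENT_QUOTES covers both ' and ", so the value is safe in single- or
    // double-quoted attributes; ENT_SUBSTITUTE avoids an empty result on bad UTF-8.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the "My Saved Searches" list with every DB value escaped for HTML. */
function renderSavedSearches(mysqli $cxn, int $member_id): string
{
    $stmt = $cxn->prepare(
        'SELECT searchName, queryString FROM savedSearches WHERE member_id = ?'
    );
    $stmt->bind_param('i', $member_id);
    $stmt->execute();
    $result = $stmt->get_result();

    $html = "<h2>My Saved Searches</h2>\n"
          . "<form name='removeSavedSearch' action='myAccount.php' method='POST'>\n<ul>\n";
    while ($row = $result->fetch_assoc()) {
        $name = h($row['searchName']);   // 'Find "my" search' -> Find &quot;my&quot; search
        $qs   = h($row['queryString']);  // also escapes & between query parameters
        $html .= "<li><input type='checkbox' name='removeSavedSearch[]' value='$name'>"
               . " <a href='search.php?$qs'>$name</a></li>\n";
    }
    $html .= "</ul>\n<input type='submit' value='Delete Searches'>\n</form>\n";
    return $html;
}

/** Delete the checked searches; returns the number of rows removed. */
function deleteSavedSearches(mysqli $cxn, int $member_id, array $names): int
{
    // The browser has already decoded &quot; back to " before submitting, so
    // $names holds the literal search names. The placeholder keeps the quotes
    // out of the SQL, so no stripslashes()/escape/decode juggling is required.
    $stmt = $cxn->prepare(
        'DELETE FROM savedSearches WHERE member_id = ? AND searchName = ?'
    );
    $deleted = 0;
    foreach ($names as $name) {
        if (!is_string($name)) {
            continue;                     // ignore nested arrays or other junk
        }
        $stmt->bind_param('is', $member_id, $name);
        $stmt->execute();
        $deleted += $stmt->affected_rows;
    }
    return $deleted;
}

// Usage in myAccount.php (hypothetical; $member_id comes from the session):
// echo renderSavedSearches($cxn, $member_id);
// if (isset($_POST['removeSavedSearch'])) {
//     deleteSavedSearches($cxn, $member_id, (array) $_POST['removeSavedSearch']);
// }
```

With this in place a name such as Find "my" search round-trips intact: the attribute holds Find &quot;my&quot; search, the browser submits Find "my" search, and the bound parameter matches the stored row exactly.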

 

 
