[SOLVED] Magic quotes and Mysql_real_escape_string question

[Prodigal Son]

Sometimes magic quotes is really annoying. But I always have it on my localhost. I don't really get this. If I insert some text into my database with mysql_real_escape_string, something like:

hey's will turn to hey\'s.

Am I supposed to stripslashes data I get from a database? If I select that data hey\'s from the database and display it on a page, it shows as hey's, but sometimes it shows as hey\'s, which I don't really understand.

So I do a check for if magic quotes is on and if it is, I stripslashes, which works fine, but I never had to do that before. Or is that correct and it should show with the backslash?

[dannyb785]

You need to turn off magic quotes in your .htaccess file by adding 'php_flag magic_quotes_gpc off'

 

If that doesn't work(depending on the version of php installed), I think you may be able to modify it in your php.ini, otherwise you need to contact your hosting provider and tell their technical support. they should know how to fix it. I hate magic quotes and pretty much every blog or article about them I've read says you should disable them. It's not adequate enough.

[Lodius2000]

strip slashes wont hurt becuase if there are no slashes to strip, magic quotes wont do anything

 

though i thought magic quotes was only for db input, not output

[Prodigal Son]

This is on my localhost. But I'm not really asking how to disable it, I'm just wondering if what's happening is correct right now? If you have "hey\'s" in your database and echo it onto a page, is it supposed to be "hey's" or "hey\'s". Because I've never had to use stripslashes on anything I echoed from my db before. It just removes the slashes for me.

[PFMaBiSmAd]

You cannot unconditionally apply stripslashes() because if there is a \ as part of the data and magic_quotes are not on, any \ that should be there would be removed.

 

If you cannot turn off the magic_quotes_gpc setting in the master php.ini, a .htaccess file (when php is running as an Apache module), or in a local php.ini (when php is running as a CGI wrapper), you must test if it is on and only use stripslashes() on external data (post/get/cookie) if it is on.

 

If you cannot turn off the magic_quotes_runtime setting as listed above, then you can turn it off in your script.

 

Edit: When you put escaped data into a query string, the escape \ is not inserted into the database. If there are \'s in the database, it means that the data was escaped twice.

[Prodigal Son]

Edit: When you put escaped data into a query string, the escape \ is not inserted into the database. If there are \'s in the database, it means that the data was escaped twice.

Oh I see... What are usually common causes for something being escaping twice? I have a function that checks if magic_quotes is on, and if it is I stripslashes, but I only do this for post output usually. If magic quotes is on am I supposed to stripslashes before inserting into the db? It's weird because I haven't changed anything, just started seeing slashes now.

[Prodigal Son]

Ah I'm an idiot, seems to work normal now. I always stripped the slashes afterwards, not before lol.