Removing slashes from mysql_real_escape_string

[Canman2005]

Hi all

 

I'm doing some insert queries in PHP and I am using the followng to make the data being inserted SAFE

 

$full_nane = mysql_real_escape_string($_POST['full_name']);

 

I asume this is correct.

 

But in the database it's outputting for example

 

David\\\'s

 

So it's added 3 slashes, which I believe is right.

 

The problem comes when I output it, the 3 slashes remain, I have tried

 

stripslashes

 

but it just removes 2 of the 3 slashes

 

Any ideas?

[GKWelding]

This is because you have magic quotes enabled on your server I think. Use this instead:

 

<?PHP 
// Fix a $_POST variable called variable for MySQL 
$variable = $_POST['variable']; 
if (get_magic_quotes_gpc()) 
{ 
  // If magic quotes is enabled - turn the string back into an unsafe string 
  $variable = stripslashes($variable); 
} 

// Now convert the unsafe string into a MySQL safe string 
$variable= mysql_real_escape_string($variable); 

// $variable should now be safe to insert into a query 
?>

[Canman2005]

Nope, that didnt seem to fix it, anyone got any good ideas?

 

[CroNiX]

It won't fix it for values already in your database, but it should fix it for newly inserted ones.  Did you try it with new data?

[Canman2005]

Yep, tried it with new data, doesnt seem to work

 

I was told to declare mysql_real_escape_string to all variables when I insert them, to avoid any hacking of the database, so now I have tons of data with slashes in it.

 

If it's common practise to use declare mysql_real_escape_string when dealing with INSERTS & UPDATES, then how do people normally remove the slashes when viewing the data through a PHP page

[CroNiX]

It should remove it by itself when retrieving.  Are you using addslashes() as well?

Are you sure you are checking to see if get_magic_quotes_gpc() and then running stripslashes() ?  Your data is being escaped more than once or you wouldn't have "David\\\'s"