Someone789 Posted December 22, 2008

Hi,

Firstly, I'm rather new to MySQL. I've been reading up on the correct way to go about escaping data entered into a database from the $_POST variable, but am in need of a bit of clarification. I have the following piece of code which takes a user submitted name and enters it into a database:

    $user = mysql_real_escape_string($_POST["user"]);
    mysql_query("INSERT INTO accounts (date, name, stats) VALUES ('Jan 1', '$user', '546065')") or die(mysql_error());

As a test, I typed in the following to be submitted as my username:

    Joe's Name

After taking a peek in the database using phpMyAdmin, here is what it got inputted as:

    Joe\'s Name

I've been reading up on escaping data, and apparently it's not good practice to have the escaped slashes appearing directly within the database? If so, then how do I process data insertions without filling my database with so many ugly escaped "/" marks, while still maintaining the security gained from using mysql_real_escape_string()? Or am I already doing it the correct way and it's just normal to have a database filled with the escaped slash marks?

Note: Magic quotes are Off.

Advice would be greatly appreciated, thanks!

trq Posted December 23, 2008

> Note: Magic quotes are Off.

That's not what it looks like. Magic quotes escapes (by adding backslashes) all $_POST and $_GET data automatically. This means by the time you run your data through mysql_real_escape_string it already has slashes in it.

Try using stripslashes prior to mysql_real_escape_string.

MadTechie Posted December 23, 2008

Try this code

    <?php
    echo (get_magic_quotes_gpc()) ? "thorpe is correct Magic Quotes are ON" : "Someone789 hasn't given us the correct script because Magic Quotes are OFF";
    ?>

Someone789 Posted December 23, 2008 (Author)

Thanks - Heh, I see..I'm afraid it appears that magic quotes are indeed ON somehow. :\

Yet here is what the magic quotes part of my php.ini file looks like:

    ; Magic quotes for incoming GET/POST/Cookie data.
    magic_quotes_gpc = Off

    ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
    magic_quotes_runtime = Off

    ; Use Sybase-style magic quotes (escape ' with '' instead of \').
    magic_quotes_sybase = Off

magic_quotes_gpc was actually On this morning, but I recently turned them Off after reading about how it was better practice to just turn them Off and remember to escape the data everywhere yourself.

Regardless, even with magic quotes set Off in the php.ini file - I'm still getting the same problem of escaped slash marks appearing in the database. I'd rather not have to use stripslashes() everywhere, and instead get this problem solved at the root - so would anyone have any idea why magic quotes seem to be On yet are set to Off in the php.ini file?

Note: My site is running on a paid hosting website using cPanel 11 if there's something in there that might help.

Thanks in advance!

premiso Posted December 23, 2008

Did you reboot Apache since you turned off the quotes? If not, restart the Apache service; that should work.

Someone789 Posted December 23, 2008 (Author)

Aha, guess that did it as it's all working perfectly now..Thanks all!
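
The double escaping diagnosed in this thread, as an added example that is not part of the original posts: magic_quotes_gpc is simulated with addslashes(), and an in-memory SQLite database through PDO stands in for MySQL so the script runs offline (both are assumptions, as are the helper names). It goes one step beyond the thread by also inserting through a bound parameter, which needs no manual escaping.

```php
<?php
// Added example. Assumptions: pdo_sqlite is available; helper names are hypothetical.

// magic_quotes_gpc ran the equivalent of addslashes() on every GET/POST/cookie value.
function simulate_magic_quotes(string $raw): string
{
    return addslashes($raw);
}

// Undo magic quotes exactly once, and only when they were applied.
function normalize_input(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, date TEXT, name TEXT, stats TEXT)');

$typed = "Joe's Name";                    // constructed sample input
$post  = simulate_magic_quotes($typed);   // what $_POST["user"] held with magic quotes On

// 1) Escaping on top of magic quotes: the backslash is now part of the data,
//    so the escape function protects it and the database stores it.
$db->exec(
    "INSERT INTO accounts (date, name, stats) VALUES ('Jan 1', " . $db->quote($post) . ", '546065')"
);

// 2) Strip the magic-quote slashes first, then pass the value as a bound parameter.
//    No manual escaping is involved, so nothing extra can end up in the column.
$stmt = $db->prepare('INSERT INTO accounts (date, name, stats) VALUES (?, ?, ?)');
$stmt->execute(['Jan 1', normalize_input($post, true), '546065']);

// Print what each approach actually stored.
foreach ($db->query('SELECT id, name FROM accounts ORDER BY id') as $row) {
    echo $row['id'], ': ', $row['name'], PHP_EOL;
}
```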