TGWSE_GY Posted September 23, 2009

Hi guys, I am working on this script and it doesn't seem to be adding slashes to the content before it inserts into the database, and it is taking special characters like ' and changing them to ?. Can someone help me please? Here is my code:

```php
<?php
$dbhost = "***********";
$dbuser = "***********";
$dbpass = "***********";
$dbname = "innonmainnj";
$tblrooms = "rooms";
$tbllocations = "directions";
$tblhome = "home";
$tblaccommodations = "accommodations";
$tblreservations = "reservations";
$tblrestaurant = "restaurant";

mysql_connect($dbhost, $dbuser, $dbpass) or die(mysql_error());
mysql_select_db($dbname) or die(mysql_error());

// "identity" selects which admin section the form was posted from
$identity = $_POST['identity'];

if($identity == "1"){
    $description = addslashes($_POST['accommodations']);
    $query = "UPDATE accommodations SET column2='$description' WHERE id=1";
    mysql_query($query) or die(mysql_error());
    header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=3");
}elseif($identity=="2"){
    $content = addslashes($_POST['content']);
    // debug: print the escaped value and stop before the UPDATE runs
    echo $content;
    die();
    $promotitle = addslashes($_POST['promotitle']);
    $promo = addslashes($_POST['promo']);
    $address1 = addslashes($_POST['address1']);
    $address2 = addslashes($_POST['address2']);
    $phone = addslashes($_POST['phone']);
    $query = "UPDATE `home` SET content='$content', promotitle='$promotitle', promo='$promo', address1='$address1', address2='$address2', phone='$phone' WHERE id= '1'";
    mysql_query($query) or die(mysql_error());
    header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=1");
}elseif($identity=="3"){
    $north = addslashes($_POST['north']);
    $south = addslashes($_POST['south']);
    $west = addslashes($_POST['west']);
    // closing quote after $west was missing
    $query = "UPDATE `directions` SET north='$north', south='$south', west='$west' WHERE id='1'";
    mysql_query($query) or die(mysql_error());
    header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=3");
}elseif($identity=="4"){
    $content = addslashes($_POST['description']);
    $phone1 = addslashes($_POST['phone1']);
    $phone2 = addslashes($_POST['phone2']);
    $email = addslashes($_POST['email']);
    $specialtitle = addslashes($_POST['specialtitle']);
    $special = addslashes($_POST['special']);
    $query = "UPDATE `reservations` SET content='$content', phone1='$phone1', phone2='$phone2', email='$email', specialtitle='$specialtitle', special='$special' WHERE id='1'";
    mysql_query($query) or die(mysql_error());
    header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=4");
}elseif($identity=="5"){
    $dinner = addslashes($_POST['dinner']);
    $lunch = addslashes($_POST['lunch']);
    $brunch = addslashes($_POST['brunch']);
    $query = "UPDATE `restaurant` SET dinner='$dinner', lunch='$lunch', brunch='$brunch' WHERE id='1'";
    mysql_query($query) or die(mysql_error());
    header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=5");
}elseif($identity != 1){
    if($identity != 2){
        if($identity != 3){
            if($identity != 4){
                if($identity != 5){
                    // any other value is treated as a room number; these values
                    // reach the query too, so they are escaped like the rest
                    $description = addslashes($_POST['description']);
                    $cost = addslashes($_POST['cost']);
                    $room = addslashes($identity);
                    $query = "UPDATE `rooms` SET description='$description', cost='$cost' WHERE roomnumber='$room'";
                    mysql_query($query) or die(mysql_error());
                    header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=$identity");
                }
            }
        }
    }
}
?>
```

Thanks Again.

trq Posted September 23, 2009

Firstly, what makes you believe it's not adding the slashes? Secondly, you should be using mysql_real_escape_string instead of addslashes anyway.

PFMaBiSmAd Posted September 23, 2009

Slightly off topic, but you might want to consider using a switch/case statement instead of multiple if/elseif statements as it will make adding options easier and provides a default statement to directly handle cases where the value is not one of the ones being tested.

TGWSE_GY Posted September 23, 2009

Thanks PFMaBiSmAd, thanks for the pointer. I had it that way but I needed the nested if statements to test. Thanks thorpe, I was just always told to use addslashes() and stripslashes() when doing MySQL and it has always worked up until this point. And I wasn't "THINKING" that it wasn't working, I knew it wasn't because special characters were being converted to question marks (?). So what is the reverse of the real_escape_string()? Will strip slashes still work to remove them? Thanks

trq Posted September 23, 2009

You don't need to reverse mysql_real_escape_string; just like addslashes, it is simply used to escape special chars as data is inserted into the db. mysql_real_escape_string escapes more precisely than addslashes, however. Of course you should still apply stripslashes to your data before using either addslashes or mysql_real_escape_string if you have magic_quotes_gpc enabled (which you shouldn't).

TGWSE_GY Posted September 23, 2009

Ok thanks

TGWSE_GY Posted September 23, 2009

Now when things are being returned from the db, where there was a comma there is a forward slash now that I am using mysql_real_escape_string(). What am I doing wrong? Here is my new code:

```php
<?php
// $dbhost, $dbuser, $dbpass and $dbname are set as in the first post
mysql_connect($dbhost, $dbuser, $dbpass) or die(mysql_error());
mysql_select_db($dbname) or die(mysql_error());

// "identity" selects which admin section the form was posted from
$identity = $_POST['identity'];

if($identity == "1"){
    $description = mysql_real_escape_string($_POST['accommodations']);
    $query = "UPDATE accommodations SET column2='$description' WHERE id=1";
    mysql_query($query) or die(mysql_error());
    header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=3");
}elseif($identity=="2"){
    $content = mysql_real_escape_string($_POST['content']);
    $promotitle = mysql_real_escape_string($_POST['promotitle']);
    $promo = mysql_real_escape_string($_POST['promo']);
    $address1 = mysql_real_escape_string($_POST['address1']);
    $address2 = mysql_real_escape_string($_POST['address2']);
    $phone = mysql_real_escape_string($_POST['phone']);
    $query = "UPDATE `home` SET content='$content', promotitle='$promotitle', promo='$promo', address1='$address1', address2='$address2', phone='$phone' WHERE id= '1'";
    mysql_query($query) or die(mysql_error());
    header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=1");
}elseif($identity=="3"){
    $north = mysql_real_escape_string($_POST['north']);
    $south = mysql_real_escape_string($_POST['south']);
    $west = mysql_real_escape_string($_POST['west']);
    $query = "UPDATE `directions` SET north='$north', south='$south', west='$west' WHERE id='1'";
    mysql_query($query) or die(mysql_error());
    header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=3");
}elseif($identity=="4"){
    $content = mysql_real_escape_string($_POST['description']);
    $phone1 = mysql_real_escape_string($_POST['phone1']);
    $phone2 = mysql_real_escape_string($_POST['phone2']);
    $email = mysql_real_escape_string($_POST['email']);
    $specialtitle = mysql_real_escape_string($_POST['specialtitle']);
    $special = mysql_real_escape_string($_POST['special']);
    $query = "UPDATE `reservations` SET content='$content', phone1='$phone1', phone2='$phone2', email='$email', specialtitle='$specialtitle', special='$special' WHERE id='1'";
    mysql_query($query) or die(mysql_error());
    header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=4");
}elseif($identity=="5"){
    $dinner = mysql_real_escape_string($_POST['dinner']);
    $lunch = mysql_real_escape_string($_POST['lunch']);
    $brunch = mysql_real_escape_string($_POST['brunch']);
    $query = "UPDATE `restaurant` SET dinner='$dinner', lunch='$lunch', brunch='$brunch' WHERE id='1'";
    mysql_query($query) or die(mysql_error());
    header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=5");
}elseif($identity != 1){
    if($identity != 2){
        if($identity != 3){
            if($identity != 4){
                if($identity != 5){
                    // any other value is treated as a room number; these values
                    // reach the query too, so they are escaped like the rest
                    $description = mysql_real_escape_string($_POST['description']);
                    $cost = mysql_real_escape_string($_POST['cost']);
                    $room = mysql_real_escape_string($identity);
                    $query = "UPDATE `rooms` SET description='$description', cost='$cost' WHERE roomnumber='$room'";
                    mysql_query($query) or die(mysql_error());
                    header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=$identity");
                }
            }
        }
    }
}
?>
```

trq Posted September 23, 2009

Do you have magic_quotes_gpc enabled? If so you need to stripslashes first.

TGWSE_GY Posted September 23, 2009

Just checked and I don't have magic quotes enabled.

trq Posted September 23, 2009

Are you talking about retrieving data that's already in the db? If you look at your data through phpmyadmin or some other tool, are there slashes stored amongst it?

TGWSE_GY Posted September 23, 2009

Yes, there are slashes in the db now.

trq Posted September 23, 2009

Your data is broken then. Slashes shouldn't actually be stored in your database. You'll need to run replace queries to fix it, e.g.:

```sql
UPDATE tbl SET fld = REPLACE(fld,'\\','')
```

TGWSE_GY Posted September 23, 2009

What are replace queries?

TGWSE_GY Posted September 23, 2009

A better question would be how do I ensure my data is not broken when posting to the db?

jcombs_31 Posted September 23, 2009

> What are replace queries?

He just showed you above a sample replace query. It does exactly that, replaces one string with another. In your case, stripping out the backslashes \

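Added example (not part of the thread and not the posters' code): one way to keep stray backslashes out of stored data is to bind values through PDO prepared statements instead of escaping them by hand, which goes beyond the escaping functions discussed above. It assumes the pdo_sqlite extension and uses an in-memory SQLite table, named after the thread's `home` table, in place of MySQL so it runs offline; the sample text and the helper names `save_content` and `load_content` are constructed.

```php
<?php
// Added example: SQLite in memory stands in for MySQL so this runs offline.
// Table and column names follow the thread; the sample text is constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE home (id INTEGER PRIMARY KEY, content TEXT)');
$pdo->exec("INSERT INTO home (id, content) VALUES (1, ''), (2, '')");

// Constructed form input with a quote, double quotes and a real backslash.
$raw = "Inn's \"best\" rooms, \\ included";

function save_content(PDO $pdo, int $id, string $value): void
{
    // The value travels separately from the SQL text, so nothing is escaped.
    $stmt = $pdo->prepare('UPDATE home SET content = :content WHERE id = :id');
    $stmt->execute([':content' => $value, ':id' => $id]);
}

function load_content(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT content FROM home WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Row 1: bound once, stored byte for byte, nothing to strip when reading.
save_content($pdo, 1, $raw);

// Row 2: the value was already escaped before it reached the query layer
// (magic_quotes_gpc, or a manual addslashes), so the backslashes become data.
save_content($pdo, 2, addslashes($raw));

var_dump(load_content($pdo, 1) === $raw);  // row 1 compared with the input
var_dump(load_content($pdo, 2) === $raw);  // row 2 compared with the input
echo load_content($pdo, 2), PHP_EOL;       // shows the stored backslashes

// Repair for row 2: undo exactly one level of escaping, then store it bound.
save_content($pdo, 2, stripslashes(load_content($pdo, 2)));
var_dump(load_content($pdo, 2) === $raw);  // row 2 after the repair
```

Undoing one level with stripslashes keeps the legitimate backslash in the sample text, which a blanket REPLACE of every backslash would also delete.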