The14thGOD Posted October 1, 2009

The data is put into the database just fine with slashes and everything. I have a CMS and this preview function I built; there are 3 options: Publish, Save Draft, and Undo. There are 2 tables, preview and website. When I select Undo, it will take the website data and dump it into the preview table. Vice versa for Publish. When this happens it takes out the '\'s. I don't THINK this will be a problem because when edited it will be put back in. But does anyone know why this is happening? Shouldn't it copy it directly into the db? Here's the code so you can see I'm not doing anything that would strip slashes.

Undo (publish is basically the same thing)

<?php
import_request_variables('pg');
include('connect.php');
include('urlpathback.php');
include('adminloggedin.php');

//Grab Info from databases
$website_query = "SELECT * FROM website WHERE url='$_SESSION[theurl]' ";//$_SESSION['theurl'] is what the old url used to be from edit.php
$website_result = mysql_query($website_query);
$website_row = mysql_fetch_assoc($website_result);

$preview_query = "SELECT * FROM preview WHERE url='$_GET[url]' ";//$_SESSION the new url which is stored in preview's db
$preview_result = mysql_query($preview_query);
$preview_row = mysql_fetch_assoc($preview_result);

$query2 = "UPDATE preview SET pageid='$website_row[pageid]',navtitle='$website_row[navtitle]',title='$website_row[title]',keywords='$website_row[keywords]',description='$website_row[description]',url='$website_row[url]',headline='$website_row[headline]',body='$website_row[body]',status='enabled' WHERE url='$_SESSION[theurl]' ";
mysql_query($query2);

unset($_SESSION['editdraft'],$_SESSION['oldnavtitle'],$_SESSION['oldparent'],$_SESSION['status'],$_SESSION['weight'],$_SESSION['parent'],$_SESSION['theurl'],$_SESSION['draft'],$_SESSION['uid'],$_SESSION['editurl']);
header("Location: $url");
exit(0);
?>

Thanks for any and all help.

lemmin Posted October 1, 2009

They are probably parsed as an escape character. You may need to escape them. Can you post a sample string with the before and afters of the different situations and expected outcomes?

PFMaBiSmAd Posted October 1, 2009

The actual \ characters are NOT inserted into the database. They are only present in the query string so that the special characters don't break the syntax of the query. When the query string is parsed, the character they were escaping is treated as the literal character and the \'s are eliminated.

If you see the \ characters in the actual database, it means that your data was escaped twice.

The14thGOD Posted October 1, 2009

Hmm, I was taught to put addslashes($var) on anything that could potentially have escapable characters. That's what I've been doing. Does PHP 5 now do this automatically or something then? 'Cause when I do addslashes() I see the \ in the database like I'd expect. It's just when the above code is run that character is no longer there (which I'm assuming is because of PFMaBiSmAd's post).

PFMaBiSmAd Posted October 1, 2009

If you have successfully inserted data that did contain special characters, like a single-quote, and you are not specifically escaping the data in your code, then it is likely that the magic_quotes_gpc setting is ON and php has been escaping your data for you.

However, magic_quotes_gpc does not escape all the special characters that can break a query, so if it is on, you actually need to strip the slashes and then use mysql_real_escape_string() on the data.

magic_quotes_gpc has been completely removed in php6, so it will be necessary for your code to use mysql_real_escape_string() on string data in order to prevent special characters from breaking the query syntax and to help prevent sql injection.
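
An added illustration, not part of the original thread or any poster's code, of the behaviour the replies above describe: a value escaped once is stored without backslashes, a value escaped twice keeps one layer, and re-embedding a fetched value in a new query with no escaping either eats the stored backslash or breaks the query. `mysql_literal_value()` is a hypothetical helper that models, in simplified form, how MySQL decodes a single-quoted literal under the default sql_mode; the sample string is constructed.

```php
<?php
// Added example. mysql_literal_value() is a hypothetical helper: a simplified
// model of how MySQL (default sql_mode) decodes the text between the single
// quotes of a string literal. It is not a MySQL or PHP API.
function mysql_literal_value(string $literal): string
{
    $special = ['0' => "\0", 'n' => "\n", 'r' => "\r", 't' => "\t"];
    $out = '';
    for ($i = 0, $len = strlen($literal); $i < $len; $i++) {
        $ch = $literal[$i];
        if ($ch === '\\' && $i + 1 < $len) {
            // The backslash is query syntax: it is consumed, the next character is kept.
            $next = $literal[++$i];
            $out .= $special[$next] ?? $next;
        } elseif ($ch === "'") {
            // A bare quote closes the literal; the rest would be parsed as SQL.
            throw new RuntimeException("literal ends early at offset $i");
        } else {
            $out .= $ch;
        }
    }
    return $out;
}

$input = "It's a test"; // constructed sample value

// Escaped once: the backslash exists only in the query text, not in the row.
$storedOnce = mysql_literal_value(addslashes($input));

// magic_quotes_gpc ON plus addslashes(): escaped twice, so one layer is stored.
$storedTwice = mysql_literal_value(addslashes(addslashes($input)));

// Undo/Publish re-embeds the fetched value with no escaping: the stored
// backslash is consumed as an escape character and disappears.
$copied = mysql_literal_value($storedTwice);

var_dump($storedOnce === $input, $storedTwice === addslashes($input), $copied === $input);

// A row stored correctly (escaped once) breaks the same copy query, which is
// why fetched data needs escaping again before it goes into a new query.
try {
    mysql_literal_value($storedOnce);
} catch (RuntimeException $e) {
    echo "copy query broken: ", $e->getMessage(), "\n";
}
```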

The14thGOD Posted October 1, 2009

I just looked and it is turned on. So my data is being escaped twice then? That's why it's in the DB.

So just to make sure I have this straight, if I were to switch to mysql_real_escape_string() (could they make that longer... geez) I can just disable the magic_quotes_gpc and remove addslashes/stripslashes altogether from my scripts, right?

I don't think I need to worry about sql injection (the site is just reading (the mod_rewrite is very restrictive on what it 'accepts') and the editor section has a pretty secure login (I'm not a security expert)).

Again, thanks for the help =)

Justin

PFMaBiSmAd Posted October 1, 2009

If the magic_quotes settings are off, all you need to do is mysql_real_escape_string() on string data. There would be no addslashes/stripslashes...

The14thGOD Posted October 1, 2009

Thanks! I wish I could dive deeper into PHP; however, I'm the only developer and get thrown on a lot of html/css/flash jobs :/

Justin