
[SOLVED] Slashes


e1seix


Have a small problem and I'm not able to understand why I'm getting the results I'm getting... and it's all down to darn slashes.

 

The brand in question is O'Brien

 

<div><a href="javascript:void(0)" onclick="window.open('/admin/popup/shop.php?tbl=brands&brand=<? echo addslashes($row["brand"]); ?>&brandId=<? echo $row["brandId"]; ?>&action=edit&step=1', 'none', 'width=750,height=250,menubar=no,status=no,resizable=no,location=no,toolbar=no,scrollbars=yes,left=50,top=50,titlebar=no')">EDIT</a></div>

 

The addslashes is giving me the result O\\\'Brien - 3 slashes, not 2!

 

Therefore when we are preparing to use a form to input it back into the database:

 

<input name="brand" type="text" value="<? echo mysql_real_escape_string(urldecode(stripslashes($_GET["brand"]))); ?>" />

 

It's being entered as O\'Brien - still with a slash, instead of O'Brien...

 

Any ideas?

 

Cheers!

https://forums.phpfreaks.com/topic/178055-solved-slashes/

mysql_real_escape_string is used when you're storing something in a MySQL database. This command escapes quotes so that they can't be used as an SQL injection attack.

 

It's not used to output data to the browser, it's specifically for data that's going to be put into a MySQL database.

 

Therefore:

 

<input name="brand" type="text" value="<?php echo mysql_real_escape_string(urldecode(stripslashes($_GET["brand"]))); ?>" />

 

should be

 

<input name="brand" type="text" value="<?php echo urldecode(stripslashes($_GET["brand"])); ?>" />

https://forums.phpfreaks.com/topic/178055-solved-slashes/#findComment-938825

In addition to ialsoagree, it looks like you are pulling the brand from MySQL initially. Check the value in MySQL; I am guessing the value is stored as O\'Brien. If it is coming out of MySQL with a slash, then it would look like this "addslashes("O\'Brien")" which would result in O\\\'Brien.

 

My personal opinion: with input that might use a quote legitimately, I convert it to HTML, i.e. htmlspecialchars

https://forums.phpfreaks.com/topic/178055-solved-slashes/#findComment-938830


I am pulling it out of another table in my database initially, yes. It's in the database as O'Brien only with no slash, I have to use addslashes to allow it to be called by the javascript pop up otherwise nothing happens when I click the edit link. It goes to the url of the javascript url where it displays as O'Brien again. Then I use $_GET to pre-fill one of the input boxes and strip slashes, where it finally displays as O\'Brien. From here I'm using an update script to put it back into the database again.

 

So, actually at which points should I be using addslashes and stripslashes? There's 4 steps:

 

1. Calling it from the database in the pop up link (have to use addslashes here!)

2. Calling from the pop up url to pre-fill the input box

3. Inputting the value of the input box back into database using UPDATE.

 

I take on board the note about mysql_real_escape_string. That was my mistake.

https://forums.phpfreaks.com/topic/178055-solved-slashes/#findComment-938843

Archived

This topic is now archived and is closed to further replies.
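
The steps listed in the last post, worked through as an added example that is not code from any poster in the thread: each output context gets exactly one encoding (URL, then JavaScript string, then HTML attribute), and the UPDATE uses a bound parameter instead of slashes. Assumptions: PHP 7 or later with the pdo_sqlite extension, an in-memory SQLite table standing in for the MySQL brands table, a constructed sample row, and hypothetical function names (edit_url, edit_link, brand_input, update_brand).

```php
<?php
// Added example (not from the thread): encode once per output context.
// Assumption: in-memory SQLite via PDO stands in for the MySQL brands table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE brands (brandId INTEGER PRIMARY KEY, brand TEXT)');
$db->prepare('INSERT INTO brands VALUES (?, ?)')->execute([7, "O'Brien"]); // constructed row

// Step 1a: build the popup URL; http_build_query() URL-encodes each value.
function edit_url(array $row): string {
    return '/admin/popup/shop.php?' . http_build_query([
        'tbl' => 'brands', 'brand' => $row['brand'],
        'brandId' => $row['brandId'], 'action' => 'edit', 'step' => 1,
    ]);
}

// Step 1b: URL -> JavaScript string literal -> HTML attribute value.
function edit_link(array $row): string {
    $js = 'window.open(' . json_encode(edit_url($row))
        . ", 'none', 'width=750,height=250,scrollbars=yes')";
    return '<a href="javascript:void(0)" onclick="'
        . htmlspecialchars($js, ENT_QUOTES, 'UTF-8') . '">EDIT</a>';
}

// Step 2: PHP has already URL-decoded $_GET, so no urldecode() or
// stripslashes(); HTML-encode for the attribute and nothing else.
function brand_input(array $get): string {
    return '<input name="brand" type="text" value="'
        . htmlspecialchars($get['brand'] ?? '', ENT_QUOTES, 'UTF-8') . '" />';
}

// Step 3: bound parameters carry the raw value; no manual escaping.
function update_brand(PDO $db, array $in): void {
    $stmt = $db->prepare('UPDATE brands SET brand = :brand WHERE brandId = :id');
    $stmt->execute([':brand' => $in['brand'], ':id' => (int) $in['brandId']]);
}

// Walk the round trip with the constructed row.
$row = $db->query('SELECT brandId, brand FROM brands')->fetch(PDO::FETCH_ASSOC);
echo edit_link($row), "\n";
parse_str(parse_url(edit_url($row), PHP_URL_QUERY), $get); // decodes like $_GET
echo brand_input($get), "\n";
update_brand($db, $get);
$stored = $db->query('SELECT brand FROM brands WHERE brandId = 7')->fetchColumn();
var_dump($stored === "O'Brien"); // compare the stored value with the original
```

With PDO's MySQL driver the prepared statement in step 3 is written the same way; only the connection string changes.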
