deecee2000 Posted November 23, 2009

Hello All,

I have a weird problem with addslashes. Please review the code below.

    function handleAddSlashes($string) {
        if (get_magic_quotes_gpc() == 1) {
            return $string;
        } else {
            return $string = addslashes($string);
        }
    }

Currently "get_magic_quotes_gpc" is "on" at my server. When I tried to insert any value using this function it works well, i.e.

    $value = "Don't";
    $test = handleAddSlashes($value);

and INSERT this value into the DB by using an INSERT query. Up to here there is no problem.

Now I want to read this value from the DB and insert it into another table. So

    SELECT * FROM table1;
    $value = fetch_value from DB.

Now inserting this value into the DB again by using the same function above.

    $value = "Don't"; // now this value is coming from the DB
    $test = handleAddSlashes($value);

And INSERT this value into the DB by using an INSERT query. But it is saying the query failed. Even if I insert this value without using this function, it still gives the error.

Please let me know how I can resolve this issue.

Thanks in advance.

iversonm Posted November 23, 2009

Can you post your insert queries? I am just curious because it seems more like a problem with that rather than your function you created, which looks fine.

PFMaBiSmAd Posted November 23, 2009

Because magic_quotes_gpc is ON, your function does not escape the data. Therefore, any data that did not come from a post/get/cookie will not be escaped at all, and any special SQL characters in it, such as a ', will break the SQL syntax and prevent a query from working.

Your function needs to be rewritten anyway, because you should actually use stripslashes() to remove any escaping if magic_quotes_gpc is on, then unconditionally use mysql_real_escape_string() on any string data put into a query.

Your function should also only be used on any post/get/cookie data put into a query. You should directly use mysql_real_escape_string() on any other string data put into any query.

deecee2000 (Author) Posted November 23, 2009

Thanks for all your help. Now I get the point.

So the first time, when I was inserting the value, it was coming from POST. I used that "handleAddSlashes" function to escape that single quote. As my get_magic_quotes_gpc() is on, there was no problem inserting into the DB.

Now I was retrieving the value from the DB and using the same function to escape that single quote. As the get_magic_quotes_gpc() function works only for GET/POST/COOKIE, it was not escaping the value coming from the DB. Therefore I need to do addslashes again with the value coming from the DB to insert it into another table.

So now this problem is fixed.

Thanks,
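
The failure and fix discussed in this thread, as an added example that is not part of any post: a value read back from the database carries no escaping, so it needs the same treatment as request data before it goes into another query. It uses PDO bound parameters on an in-memory SQLite database in place of mysql_real_escape_string() (the mysql extension was removed in PHP 7); the table names, the cleanRequestValue() helper and the sample input are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite database
// through PDO so it runs offline; table and helper names are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE table1 (val TEXT)');
$db->exec('CREATE TABLE table2 (val TEXT)');

// Undo magic_quotes_gpc escaping on request data only (hypothetical helper).
// $magicQuotesOn stands in for get_magic_quotes_gpc(), which PHP 8 removed.
function cleanRequestValue(string $raw, bool $magicQuotesOn): string {
    return $magicQuotesOn ? stripslashes($raw) : $raw;
}

// Constructed input: what $_POST holds for Don't when magic quotes are on.
$posted = cleanRequestValue("Don\\'t", true);

// First insert: the value is bound, never spliced into the SQL text.
$db->prepare('INSERT INTO table1 (val) VALUES (?)')->execute([$posted]);

// The database hands the value back without any escaping.
$fromDb = $db->query('SELECT val FROM table1')->fetchColumn();

// The failure from the thread: the unescaped quote ends the string literal.
try {
    $db->exec("INSERT INTO table2 (val) VALUES ('$fromDb')");
    $concatResult = 'ok';
} catch (PDOException $e) {
    $concatResult = 'syntax error';
}

// Same bound insert as before; the source of the value no longer matters.
$db->prepare('INSERT INTO table2 (val) VALUES (?)')->execute([$fromDb]);
$copied = $db->query('SELECT val FROM table2')->fetchColumn();

printf("read back: %s\nconcatenated insert: %s\ncopied: %s\n",
       $fromDb, $concatResult, $copied);
```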
This topic is now archived and is closed to further replies.