david91 Posted December 18, 2009

Hey, I have this strange problem I never got before with other sites. The webserver I am using has magic_quotes enabled but I use a function for securing data anyway and this is in the function:

    if (get_magic_quotes_gpc() != 1) {
        $var = addslashes($var);
    }

When I post data via a form and I use my function on the data it comes out with backslashes in front of certain characters and that is perfect but then when I do a query to insert the data into the database the data gets inserted with no backslashes. For example let's say I just posted the variable "name" and I retrieved it on the other side like this:

    $name = secure_var($_POST['name']);

If I echoed the variable "$name" on the next line of code it would have backslashes in front of certain characters and then on the very next line of code if I inserted the variable "$name" into the database it would get added to the database but without the backslashes. What could be wrong? Thanks.

emopoops Posted December 18, 2009

u need to use mysql_real_escape_string before u put it into the db hon

PFMaBiSmAd Posted December 18, 2009

> the data gets inserted with no backslashes

That's the way it is supposed to be. The \ are only present in the query string so that the special characters don't break the SQL syntax. If you had a case where the \ were present in the database, that would mean that you double-escaped the data.

emopoops Posted December 18, 2009

yet again i must reinforce mysql_real_escape_string() that function will put it in there WITH THE SLASHES like i wish hon. very appropriate

david91 (Author) Posted December 18, 2009

> u need to use mysql_real_escape_string before u put it into the db hon

Yeah but if I echo a variable and let's say it outputs:

    I\'m really tired

and then on the next line of code I insert it into the database and when I go and look in the database it has:

    Im really tired

The backslash is gone. Why could this be happening? It should put in exactly what is in the variable.

david91 (Author) Posted December 18, 2009

Thanks for the fast replies. But when I used to add data into the database it would always have a "\" before certain characters and then when I retrieved the data and wanted to display it I would use stripslashes(). What is stripslashes for if the data comes out with all the slashes stripped already?

emopoops Posted December 18, 2009

oh i had that happen to me and then sometimes it didnt do that. u make a good point i understand. I DO NOT HAVE THE ANSWER THO maybe someone else knows why it would take out the slashes even when it did that

Mchl Posted December 18, 2009

> Yeah but if I echo a variable and let's say it outputs: I\'m really tired and then on the next line of code I insert it into the database and when I go and look in the database it has: Im really tired The backslash is gone. Why could this be happening? It should put in exactly what is in the variable.

I'm pretty sure it's:

    I'm really tired

that's the way it's supposed to work. There's no point in storing escape characters in database.

> Thanks for the fast replies. But when I used to add data into the database it would always have a "\" before certain characters and then when I retrieved the data and wanted to display it I would use stripslashes(). What is stripslashes for if the data comes out with all the slashes stripped already?

That was the wrong way of doing the escaping.

emopoops Posted December 18, 2009

then why when i escape things with mysql_real_escape_string() it stores them in the database with the slashes before the apostrophes and stuff?

Mchl Posted December 18, 2009

Probably because you either run it twice, or have magic_quotes enabled.

david91 (Author) Posted December 18, 2009

Why do I always see people using stripslashes() on data that comes out of the database all the time? This is so weird I always thought the data was stored with the slashes in it and then when displaying it you use stripslashes() to clean it up and make it look correct for output.

emopoops Posted December 18, 2009

ok so ur telling me this new thing called magic quotes when its enabled makes the data be all slashed with \\\ things? how can i tell if its enabled then?

Mchl Posted December 18, 2009

> Why do I always see people using stripslashes() on data that comes out of the database all the time? This is so weird I always thought the data was stored with the slashes in it and then when displaying it you use stripslashes() to clean it up and make it look correct for output.

I don't know why you ALWAYS see it. Perhaps you're ONLY looking at code created by people who do it the wrong way. Think logically: what would be the point of storing these slashes just to strip them?

Mchl Posted December 18, 2009

> ok so ur telling me this new thing called magic quotes when its enabled makes the data be all slashed with \\\ things? how can i tell if its enabled then?

http://php.net/manual/en/security.magicquotes.php

david91 (Author) Posted December 18, 2009

I must have always been running it twice before on other sites or else magic_quotes was enabled. So since the data is stored without the slashes that means when I do a query and I get some data from the database I can display it straight away without the need of using stripslashes()? Also when data is escaped and you put it into ANY sort of sql query (UPDATE, INSERT, SELECT, etc) and that sql query was to be shown in plain text the escaping would be gone? Thanks for this help.

PFMaBiSmAd Posted December 18, 2009

> Why do I always see people using stripslashes() on data that comes out of the database all the time?

There would be two reasons for that -
1) The data was double-escaped going into the database and now the extra \ needs to be removed, or
2) magic_quotes_runtime is ON and the data is being automatically escaped when it is retrieved from the database.

emopoops Posted December 18, 2009

let me tell u. i dont have it auto escape when i get it from the db nor do i double escape the sons

david91 (Author) Posted December 18, 2009

So when magic_quotes is turned on also does the same as stripslashes() when you get data from the database? Should I have a function which checks if magic_quotes is on and if it is it does not perform stripslashes on the data and if it's turned off it should perform stripslashes on the data? That is just for if magic_quotes is ever turned off on the server or if the website changes hosting.

emopoops Posted December 18, 2009

doesnt matter. as long as u use strip slashes everytime u get out of the db its fine hon

Mchl Posted December 18, 2009

Yeah especially if I actually want to store a dos style path into db like

    C:\wamp\www\

so when you use stripslashes on it what will you get?

emopoops Posted December 18, 2009

the stuff without the slashes.

Mchl Posted December 18, 2009

Good. Except that's not what I stored, and not what I want to retrieve.

emopoops Posted December 18, 2009

u dont make any sense. ok

Mchl Posted December 18, 2009

Or you don't make any sense from what I say.

emopoops Posted December 18, 2009

whether u have stored slashes in the db or not use stripslashes no matter what and it will still be the same hon. dont be hawty with me im trying to get u on to a point

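
Added example, not part of any post in this thread: a round trip showing the point PFMaBiSmAd and Mchl make, that escaping exists only in the query so the stored value carries no extra backslashes, and what stripslashes() then does to a value that contains real ones. It assumes PHP 7+ with pdo_sqlite and uses PDO bound parameters on an in-memory SQLite database in place of the thread's mysql_* calls; the table name, helper names and sample strings are constructed for illustration.

```php
<?php
// Added example with constructed sample values. In-memory SQLite via PDO is an
// assumption made so the script runs offline; the thread itself used MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

// Hypothetical helper: insert one value through a bound parameter.
function store(PDO $pdo, string $body): int
{
    // The driver handles quoting for the query; the value is stored verbatim.
    $stmt = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Hypothetical helper: read the stored value back by id.
function fetch(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM notes WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Constructed inputs: the sentence from the thread and Mchl's DOS-style path.
$samples = ["I'm really tired", 'C:\\wamp\\www\\'];

foreach ($samples as $input) {
    // Escaped once (by the binding): the round trip is exact.
    $once = fetch($pdo, store($pdo, $input));
    // Escaped twice (addslashes() on top, as magic_quotes_gpc did to request
    // data): the extra backslashes become part of the stored value.
    $twice = fetch($pdo, store($pdo, addslashes($input)));

    printf("input               : %s\n", $input);
    printf("stored, escaped once : %s [%s]\n", $once, $once === $input ? 'identical' : 'changed');
    printf("stored, escaped twice: %s\n", $twice);
    // stripslashes() repairs the double-escaped row, but on the correctly
    // stored row it deletes backslashes that belong to the data.
    printf("stripslashes(once)   : %s\n", stripslashes($once));
    printf("stripslashes(twice)  : %s\n\n", stripslashes($twice));
}
```

For the path sample, stripslashes() on the correctly stored row yields `C:wampwww`, which is why a blanket stripslashes() on every read only looks harmless when the input was double-escaped to begin with.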