piedpiper Posted April 16, 2010

Hi guys. I'm fairly new to the forums and PHP, and am having some problems with slashes on the 'Add Hyperlink' button on CKEditor. Please let me know if this is the wrong forum for this post.

I currently have some simple code that lets me add news (blog style) to a MySQL database.

    if (isset($_POST['submit3'])) {
        $text1 = $_POST['text1'];
        $text1 = mysql_real_escape_string($text1);
        if (!$text1) {
            echo "<center>One or more fields were not completed!<br /><br />Redirecting Back</center>";
            echo "<meta http-equiv=Refresh content=2;url=newsadd.php>";
            exit;
        } else {
            $result = mysql_query("INSERT INTO news (title, dtime, text1) VALUES ('$title', NOW(), '$text1')", $connect);
            echo "<center>Added Successfully!<br><br />Redirecting Back</center>";
            echo "<meta http-equiv=Refresh content=2;url=index.php>";
        }
    }

Now please correct me if I'm wrong, but I thought mysql_real_escape_string was meant to remove slashes and make the content safe for insertion. It has been working fine up until this point, where I have now added the CKEditor WYSIWYG editor (so as to have formatting options) instead of just using plain text fields. But using this editor adds slashes to my links on insertion to the DB.

If I insert

    $text1 = stripslashes($text1);

into the above code as well as mysql_real_escape_string, it inserts the link into the DB properly but adds an 'rn' after every <p> tag in the code inserted in the DB.

I would have thought that because the code coming from CKEditor was clean (by checking the source code of what I've written in the editor prior to submitting), my submission to the database would also be clean because of mysql_real_escape_string.

Can you use both mysql_real_escape_string and stripslashes together, or is this a no-no?

Any help with this would be much appreciated.
Ken2k7 Posted April 16, 2010

You can, but it will change nothing. mysql_real_escape_string doesn't remove slashes. It escapes characters with slashes. If you run stripslashes afterwards, you remove them. The way it inserts into the DB is fine, as long as it's safe. But on display, you probably want to stripslashes before displaying it.
oni-kun Posted April 16, 2010

Whether you need stripslashes depends purely on whether the system has magic_quotes_gpc applied. You should strip slashes before, but always run mysql_real_escape_string() (if allowed) on a query value before running the query. Slashes do not matter in the database; only SQL metacharacters need to be sanitized.
piedpiper Posted April 16, 2010 (Author)

> It purely depends on whether the system has magic_quotes_gpc applied

magic_quotes are turned off, I'm pretty sure.

Ok, so I added the stripslashes as below:

    if (isset($_POST['submit3'])) {
        $text1 = $_POST['text1'];
        $text1 = mysql_real_escape_string($text1);
        $text1 = stripslashes($text1);
        if (!$text1) {
            // ...

and as I said that works, but now I get the 'rn' after every <p> tag in the code:

    <p>rn this is a <a href="http://www.google.com">link</a></p>rn
    <p>rn this is some text</p>rn
    <p>rn this is some text</p>rn

It looks like this on display:

    rn this is a link rn
    rn this is some text rn
    rn this is some text rn

Any ideas as to why this would be happening?
oni-kun Posted April 16, 2010

>     $text1 = mysql_real_escape_string($text1);
>     $text1 = stripslashes($text1);

You're stripping the escapes, which leaves your code unsanitized, including newlines being broken (they are simply escaped sequences). mysql_real_escape_string does not require stripslashes unless erroneous slashes are placed by magic quotes. Read up on the documentation to make sure you understand how this function is meant to be used.
piedpiper Posted April 16, 2010 (Author)

Ok, so I should use stripslashes on the page that displays the DB content (below) to remove them?

    echo $myrow['text1'];

PS: I'll have a look at the documentation on the function.
Ken2k7 Posted April 16, 2010

> Ok, so I should use stripslashes on the page that displays the DB content (below) to remove them?
>
>     echo $myrow['text1'];
>
> PS: I'll have a look at the documentation on the function.

Yes. Also, read up on nl2br.
piedpiper Posted April 16, 2010 (Author)

One last question. So this is how it would be coded?

    echo stripslashes($myrow['text1']);

I only ask because even though something works, that doesn't mean it's the correct syntax, lol.
oni-kun Posted April 16, 2010

> One last question. So this is how it would be coded?
>
>     echo stripslashes($myrow['text1']);
>
> I only ask because even though something works, that doesn't mean it's the correct syntax, lol.

Again, only if magic_quotes_gpc is enabled is stripslashes needed on the output. In a perfect world it should look like this:

    if (get_magic_quotes_gpc() === 1) {
        $string = stripslashes($string);
    }
    $string = mysql_real_escape_string($string);
    $sql = .....;
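The following is an added example, not code from the thread or from any of its posters. It illustrates two points made above: oni-kun's explanation that stripslashes() run after mysql_real_escape_string() removes the backslashes that encode CR and LF (which is exactly where the 'rn' comes from, and which also re-exposes quotes to the query), and the ordering in the last reply (strip only when magic_quotes_gpc added slashes, then escape exactly once). Because mysql_real_escape_string() needs a live MySQL connection, the block substitutes emulate_mysql_escape(), which applies the escaping the PHP manual documents for that function, and emulate_mysql_store(), which mimics the server decoding the escapes on INSERT; those two names, has_bare_quote(), prepare_for_query() and escape_then_strip() are the example's own, and the CKEditor input is constructed.

```php
<?php
// Added example (not from the thread). Runs offline: instead of calling
// mysql_real_escape_string(), which needs a live MySQL connection, it emulates
// the escaping that function documents (NUL, \n, \r, backslash, ', ", Ctrl-Z)
// and emulates what the MySQL server does with those escapes on INSERT.
declare(strict_types=1);

const ESCAPE_MAP = [
    "\x00" => '\\0',
    "\n"   => '\\n',
    "\r"   => '\\r',
    "\\"   => '\\\\',
    "'"    => "\\'",
    '"'    => '\\"',
    "\x1a" => '\\Z',
];

// Stand-in for mysql_real_escape_string(): prefix every SQL metacharacter with a backslash.
function emulate_mysql_escape(string $s): string
{
    return strtr($s, ESCAPE_MAP);
}

// Stand-in for the server side: MySQL turns the escape sequences back into the
// original bytes when it stores a string literal, so the row never contains slashes.
function emulate_mysql_store(string $literal): string
{
    return strtr($literal, array_flip(ESCAPE_MAP));
}

// True when the literal still contains a quote that no backslash protects:
// such a string ends the SQL string early (syntax error, or injection if attacker-chosen).
function has_bare_quote(string $literal): bool
{
    $n = strlen($literal);
    for ($i = 0; $i < $n; $i++) {
        if ($literal[$i] === '\\') { $i++; continue; }   // skip the byte the backslash protects
        if ($literal[$i] === "'" || $literal[$i] === '"') { return true; }
    }
    return false;
}

// The order the thread converged on: undo magic_quotes_gpc first (only if it is
// on), then escape exactly once, immediately before the value goes into the query.
function prepare_for_query(string $post_value, bool $magic_quotes_gpc): string
{
    if ($magic_quotes_gpc) {
        $post_value = stripslashes($post_value);
    }
    return emulate_mysql_escape($post_value);
}

// The order from the original post: escape, then stripslashes.
function escape_then_strip(string $post_value): string
{
    return stripslashes(emulate_mysql_escape($post_value));
}

function show(string $label, string $s): void
{
    echo str_pad($label, 14), ': ', json_encode($s, JSON_UNESCAPED_SLASHES), "\n";
}

// Constructed sample of what CKEditor posts: CRLF line breaks, a tab, an
// apostrophe and a quoted href. Not taken from the thread.
$ckeditor_html = "<p>\r\n\tIt's a <a href=\"http://www.google.com\">link</a></p>\r\n";

echo "== escape, then stripslashes (the order that produced 'rn') ==\n";
$literal = escape_then_strip($ckeditor_html);
show('sent to MySQL', $literal);                       // \r\n has become the letters rn
show('stored row', emulate_mysql_store($literal));
echo str_pad('bare quote', 14), ': ',
    has_bare_quote($literal) ? "yes, the INSERT breaks or is injectable\n" : "no\n";

foreach ([false, true] as $magic) {
    echo "\n== stripslashes only for magic quotes, then escape once (magic_quotes_gpc ",
        $magic ? 'on' : 'off', ") ==\n";
    // addslashes() is what magic_quotes_gpc did to every request value.
    $post_value = $magic ? addslashes($ckeditor_html) : $ckeditor_html;
    $literal = prepare_for_query($post_value, $magic);
    $stored  = emulate_mysql_store($literal);
    show('$_POST value', $post_value);
    show('sent to MySQL', $literal);
    show('stored row', $stored);
    echo str_pad('round trip', 14), ': ',
        $stored === $ckeditor_html ? "identical to what CKEditor sent; display it with a plain echo\n" : "CORRUPTED\n";
}
```

Run it with `php example.php`. In the first section the literal sent to MySQL reads `<p>rn\tIt's a ...`: the CR and LF were escaped to `\r` and `\n`, and stripslashes() removed the backslashes, leaving the letters. The same call also removed the backslash in front of the apostrophe, so the value would end the SQL string early, which is what "leaves your code unsanitized" means in practice. In the two correct-order sections the stored row is byte-for-byte the original HTML, so there is nothing to strip on display. Two caveats for anyone reading this today: the mysql_* extension was removed in PHP 7.0 and magic quotes in PHP 5.4 (get_magic_quotes_gpc() itself in PHP 8.0); with mysqli or PDO prepared statements the value is sent as a bound parameter, so neither an escape nor a strip step exists and the 'rn' problem cannot arise. And echoing CKEditor HTML straight from the database means any markup or script an author submits runs in every reader's browser, so if authors are not fully trusted the HTML needs server-side filtering against an allowlist before storage or display.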