Session Variables and mysqli_real_escape_string() double escapes characters


cmor

I'm trying to input Session variables into a mysql database. Everything inputs fine, but I am trying to make it more secure by filtering values through mysqli_real_escape_string().

 

However, it appears that most (all?) of the special characters are already escaped in the Session variables. Therefore when I pass it through mysqli_real_escape_string() I get double escaped characters. For example, if the user inputs 's Chris as their first name, I get the following output from the below code:

 

echo $_SESSION['firstname'];
echo '<br />';
echo mysqli_real_escape_string($db,$_SESSION['firstname']);

 

Output:

\'s Chris
\\\'s Chris

 

How do I overcome this problem and still make sure all my entries are secure? 

Try:

$firstname = get_magic_quotes_gpc() ? mysqli_real_escape_string($db, trim(stripslashes($_POST['firstname']))) : trim($_POST['firstname']);

before you input your data in your table.

 

Thanks for the reply. That does solve the immediate problem. But if magic_quotes is turned off wouldn't I then be entering unfiltered data? Would this not be a better implementation:

$firstname = get_magic_quotes_gpc() ? mysqli_real_escape_string($db, trim(stripslashes($_POST['firstname']))) : mysqli_real_escape_string($db, trim($_POST['firstname']));

What you suggested is a better solution, and it filters other special characters too. ;)

$firstname = get_magic_quotes_gpc() ? mysqli_real_escape_string($db, trim(stripslashes($_POST['firstname']))) : mysqli_real_escape_string($db, trim( $_POST['firstname']));
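Putting the two points of the thread together (the double escaping seen in the first post, and the magic_quotes-aware version agreed on at the end), here is an added example that is not code from any post above. It undoes magic_quotes_gpc escaping exactly once, so mysqli_real_escape_string() is never run over a value that was already slashed on its way into $_SESSION, and then inserts with a prepared statement so the value is never spliced into the SQL text at all. The mysqli connection $db and a table named users with a firstname column are assumptions, not from the thread. get_magic_quotes_gpc() always returns false from PHP 5.4 and was removed in PHP 8, so the call is guarded.

```php
<?php
// Added example; not code from the thread. Assumes an open mysqli connection
// in $db and a table `users` with a VARCHAR column `firstname` (assumed names).

/**
 * Return the user's raw input, undoing magic_quotes_gpc escaping exactly once.
 * magic_quotes_gpc slashed $_POST before the value was copied into $_SESSION,
 * which is why the thread saw "\'s Chris" before any escaping of its own.
 * get_magic_quotes_gpc() always returns false from PHP 5.4 and no longer exists
 * in PHP 8, hence the function_exists() guard.
 */
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

/**
 * Reproduce the thread's symptom next to the corrected escaping, so the
 * difference between escaping once and escaping an already-slashed value is visible.
 */
function escape_once_vs_twice(mysqli $db, string $fromSession): array
{
    return [
        'in session'    => $fromSession,
        'escaped twice' => mysqli_real_escape_string($db, $fromSession),            // the bug
        'escaped once'  => mysqli_real_escape_string($db, raw_input($fromSession)), // the fix
    ];
}

/**
 * Preferred: a prepared statement. The value travels to the server separately
 * from the SQL text, so no escaping (and no quoting) is needed at all.
 */
function insert_user(mysqli $db, string $firstname): bool
{
    $stmt = $db->prepare('INSERT INTO users (firstname) VALUES (?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $firstname);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/**
 * If escaping is kept instead: set the connection charset first (the escaper
 * depends on it) and always wrap the escaped value in quotes in the SQL;
 * escaping a value that is not quoted in the query protects nothing.
 */
function insert_user_escaped(mysqli $db, string $firstname): bool
{
    $safe = mysqli_real_escape_string($db, $firstname);
    return $db->query("INSERT INTO users (firstname) VALUES ('$safe')") === true;
}

// Usage with the thread's session value:
$db->set_charset('utf8mb4');
$firstname = trim(raw_input($_SESSION['firstname'] ?? ''));
insert_user($db, $firstname);
```

With the thread's input, escape_once_vs_twice() returns `\'s Chris` for the session value, `\\\'s Chris` for the double-escaped form shown in the first post, and `\'s Chris` for the corrected single escape. The prepared-statement path makes the escaping question moot, which is why it is the one the usage lines call.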

 
