johnrb87 Posted September 6, 2010

Hi everyone

I am trying to secure some of my code using a sanitize function

    function sanitize($data) {
        $cdata = strip_tags(addslashes($data));
        $cdata = mysql_real_escape_string($cdata);
        return $cdata;
    }

If I post a form value such as 'Apple iPod' to a SQL INSERT QUERY using

    `title` = sanitize($_POST['title']);

then my database value looks like

    \\\'the ipod\\\'

This is odd because there are 3 slashes.

If I then print that value on a PHP page using

    print stripslashes($row['title']);

it outputs

    \'the ipod\'

Why can I not get rid of the slashes and why would it be outputting 3 slashes?

I have tried all the magic quote ideas and suggestions, but still cannot sort this out.

Thanks

John
Hypnos Posted September 7, 2010

Because you have 3 things adding slashes.

1. magic_quotes_gpc - It must be on. Run phpinfo() to test. Shut it off in php.ini or .htaccess.
2. addslashes() - You don't need this. That's what mysql_real_escape_string() is for.
3. mysql_real_escape_string()

Take out the addslashes() and shut off magic_quotes_gpc.

Or just shut off magic_quotes_gpc and use prepared statements with PDO or mysqli. Then you don't need to escape data for SQL.
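The escaping layers from this thread traced on the poster's value, followed by the prepared-statement alternative; this is an added example, not code from either post. It assumes addslashes() as a stand-in for magic_quotes_gpc (removed in PHP 5.4), an in-memory SQLite database through PDO in place of MySQL, and a hypothetical `products` table.

```php
<?php
// Added example. addslashes() stands in for magic_quotes_gpc (removed in
// PHP 5.4); both put a backslash before quotes and backslashes.
$typed = "'the ipod'";                      // constructed form input

// Layer 1: magic_quotes_gpc escapes the value before the script sees it.
$fromRequest = addslashes($typed);
// Layer 2: sanitize() runs addslashes() again, so the backslash added by
// layer 1 is itself escaped: each quote now carries three backslashes.
$doubleEscaped = addslashes($fromRequest);
// Layer 3: mysql_real_escape_string() escapes once more for the SQL literal.
// The server undoes exactly that one layer while parsing the statement, so
// the column ends up holding $doubleEscaped.
$storedByOldCode = $doubleEscaped;
// stripslashes() on output removes a single layer, leaving one behind.
$printedByOldCode = stripslashes($storedByOldCode);

printf("typed:   %s\n", $typed);
printf("stored:  %s\n", $storedByOldCode);
printf("printed: %s\n", $printedByOldCode);

// Prepared statement: the value travels separately from the SQL text, so
// nothing is escaped on the way in and nothing is stripped on the way out.
// Assumptions: in-memory SQLite via PDO in place of MySQL, and a
// hypothetical `products` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (title TEXT)');

$insert = $pdo->prepare('INSERT INTO products (title) VALUES (:title)');
$insert->execute([':title' => $typed]);

$stored = $pdo->query('SELECT title FROM products')->fetchColumn();
printf("stored via PDO: %s (unchanged: %s)\n",
    $stored, $stored === $typed ? 'yes' : 'no');

// Escape for HTML when printing, not when storing.
printf("html: %s\n", htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'));
```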
This topic is now archived and is closed to further replies.