Xtremer360 Posted January 4, 2011

What's the best way for putting actual quotations into a database? I was using:

    $quote = htmlspecialchars(mysqli_real_escape_string($dbc, $_POST['quote']));

Should I be?
BlueSkyIS Posted January 4, 2011

I wouldn't use htmlspecialchars on a string before storing it.
Xtremer360 Posted January 4, 2011

Okay, thank you. However, when I'm pulling it out to display it I have stripslashes($row['quote']); and it's not stripping out those backslashes.
BlueSkyIS Posted January 4, 2011

If you have magic quotes enabled, you'll want to stripslashes() before using mysql_real_escape_string(), otherwise you'll get two sets of slashes instead of one.

    $quote = $_POST['quote'];
    if (get_magic_quotes_gpc()) {
        // undo the slashes PHP added on the way in
        $quote = stripslashes($quote);
    }
    // escape exactly once, for the SQL literal
    $quote = mysql_real_escape_string($quote);
Xtremer360 Posted January 4, 2011

Okay, so I have:

    <?php
    $query = "SELECT DATE_FORMAT(quotes.datecreated, '%M %d, %Y') AS datecreated, id, quote FROM quotes";
    $result = mysqli_query($dbc, $query); // Run the query
    $rows = mysqli_num_rows($result);
    stripslashes($row['quote']); // note: $row has not been assigned yet here, and the return value is discarded
    // MYSQLI_ASSOC is the mysqli constant; MYSQL_ASSOC belongs to the old mysql extension
    while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC)) {
        // the quote is echoed into the HTML as stored, without any output escaping
        echo '<tr>
            <td><input type=checkbox class=checkbox value="' . $row['id'] . '" /></td>
            <td>' . $row['quote'] . '</td>
            <td class=last>' . $row['datecreated'] . '</td>
        </tr>';
    }
    ?>

And it's still showing the backslashes.
BlueSkyIS Posted January 4, 2011

You should not have to use stripslashes() on stored data. There shouldn't be any extra slashes in your data. If there are extra slashes in your data, they were put there because of improper filtering of input. You should remove the slashes in the database and filter the input SQL properly so you don't have to stripslashes() on the data when you retrieve it.
Xtremer360 Posted January 4, 2011

I guess I'm still confused, because this is what I have for the form submission:

    $quote = mysqli_real_escape_string($dbc, $_POST['quote']);

So if on my form the user puts "This is just a test quote", that's how I want it to appear in the database.
BlueSkyIS Posted January 4, 2011

Because magic quotes is probably on, so you ended up inserting with double slashes. See code above, here modified for mysqli:

    $quote = $_POST['quote'];
    if (get_magic_quotes_gpc()) {
        $quote = stripslashes($quote);
    }
    $quote = mysqli_real_escape_string($dbc, $_POST['quote']);
Xtremer360 Posted January 4, 2011

It still did it.

    <?php
    // Include the database page
    require ('../inc/dbconfig.php');

    if (isset($_POST['submitquote'])) {
        $quote = $_POST['quote'];
        if (get_magic_quotes_gpc()) {
            $quote = stripslashes($quote);
        }
        $quote = mysqli_real_escape_string($dbc, $_POST['quote']);
        $query = "INSERT INTO `quotes` (quote, character_id, datecreated) VALUES ('$quote', 1, NOW())";
        mysqli_query($dbc, $query);
    }
    ?>
BlueSkyIS Posted January 4, 2011

What still did what? Can you post your latest code?
Xtremer360 Posted January 4, 2011

I just did above. That's for the form processing page, and here's the actual form:

    <?php
    // Include the database page
    require ('../inc/dbconfig.php');
    ?>
    <script type="text/javascript">
    $(document).ready(function() {
        $('div.message-error').hide();
        $('div.message-success').hide();

        $("input.submit").click(function() {
            $('div.message-error').hide();
            var quote = $("input#quote").val();
            if (quote == "") {
                $("div.message-error").show();
                $("input#quote").focus();
                return false;
            }
            // encodeURIComponent so that &, + and = inside the quote survive the POST body
            var dataString = 'quote=' + encodeURIComponent(quote) + '&submitquote=True';
            $.ajax({
                type: "POST",
                url: "processes/quote.php",
                data: dataString,
                success: function() {
                    $('div.message-error').hide();
                    $("div.message-success").html("<h6>Operation successful</h6><p>" + quote + " saved successfully.</p>");
                    $("div.message-success").show().delay(10000).hide("slow");
                    $(':input', '#quotesform').not(':submit').val('');
                    return true;
                }
            });
            return false;
        });
    });
    </script>

    <!-- Form -->
    <form action="#" id="quotesform">
        <fieldset>
            <legend>Add New Quote</legend>
            <div class="field required">
                <label for="quote">Quote</label>
                <input type="text" class="text" name="quote" id="quote" title="Quote"/>
                <span class="required-icon tooltip" title="Required field - This field is required, it cannot be blank, and must contain something that is different from emptiness in order to be filled in.">Required</span>
            </div>
            <input type="submit" class="submit" name="submitquote" id="submitquote" title="Submit Quote" value="Submit Quote"/>
        </fieldset>
    </form>
    <!-- /Form -->

    <!-- Messages -->
    <div class="message message-error">
        <h6>Required field missing</h6>
        <p>Please fill in all required fields.</p>
    </div>
    <div class="message message-success">
        <h6>Operation successful</h6>
        <p>Content Page was added to the database.</p>
    </div>
    <!-- /Messages -->
BlueSkyIS Posted January 4, 2011

It still inserts double slashes into the database?
Xtremer360 Posted January 4, 2011

Yep.
BlueSkyIS Posted January 4, 2011

It shouldn't, but as an experiment try removing the if:

    $quote = $_POST['quote'];
    $quote = stripslashes($quote);
    $quote = mysqli_real_escape_string($dbc, $_POST['quote']);

And how are you looking at the stored data? Using phpMyAdmin or something?
BlueSkyIS Posted January 4, 2011

Sorry, I am a part-time idiot. Try this:

    $quote = $_POST['quote'];
    if (get_magic_quotes_gpc()) {
        $quote = stripslashes($quote);
    }
    $quote = mysqli_real_escape_string($dbc, $quote);

In the previous posts, I modified $quote, but then used mysqli_real_escape_string on $_POST['quote']. Bad.
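The following is an added example, not code from the thread or either poster. It puts the fix from the last post into context: why the first version left a stray backslash in the table, an insert that binds the value instead of escaping it (so the escape-once ordering problem cannot come back), HTML escaping at output rather than at input, and a one-off repair query for rows that were already stored double-escaped. It assumes a mysqli connection in $dbc and the `quotes` table from the posts above; the function_exists() guard and the repair query are assumptions for servers newer than the 2011 one in the thread (get_magic_quotes_gpc() was removed in PHP 8, and the repair query assumes MySQL's default sql_mode, where backslash is the string escape character).

```php
<?php
// Added example (not from the original thread). Assumes $dbc is a mysqli
// connection (as created by the poster's ../inc/dbconfig.php) and that the
// `quotes` table has columns id, quote, character_id, datecreated.
declare(strict_types=1);

// Why the thread's first attempt stored a backslash: with magic_quotes_gpc=On,
// typing   It's   arrives in $_POST as   It\'s . Escaping that a second time
// with mysqli_real_escape_string() gives   It\\\'s , and MySQL decodes the
// literal '\\' -> \ and '\'' -> ' , so the row holds   It\'s   with a real
// backslash in it. Strip the magic-quotes slashes first, then escape once,
// or (better) bind the value and never escape by hand at all.

/**
 * Return the submitted field exactly as the user typed it. On PHP < 7.4 this
 * undoes magic quotes when they are on; on PHP 8 the function no longer exists.
 */
function rawPostValue(string $name): string
{
    $value = $_POST[$name] ?? '';
    if (!is_string($value)) {
        return '';
    }
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

/**
 * Insert with a prepared statement. The value travels as a bound parameter,
 * so it is stored as typed and cannot change the meaning of the SQL.
 */
function insertQuote(mysqli $dbc, string $quote, int $characterId): int
{
    $stmt = $dbc->prepare(
        'INSERT INTO `quotes` (quote, character_id, datecreated) VALUES (?, ?, NOW())'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $dbc->error);
    }
    $stmt->bind_param('si', $quote, $characterId);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    return (int) $stmt->insert_id;
}

/**
 * Render one row. The stored text is plain, so HTML escaping happens here,
 * on output, not before the INSERT (htmlspecialchars on input is what the
 * first post in the thread was doing).
 */
function quoteRowHtml(array $row): string
{
    $id   = (int) $row['id'];
    $text = htmlspecialchars((string) $row['quote'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $date = htmlspecialchars((string) $row['datecreated'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td><input type="checkbox" class="checkbox" value="' . $id . '" /></td>'
         . '<td>' . $text . '</td><td class="last">' . $date . '</td></tr>' . "\n";
}

/**
 * One-off repair for rows that were already stored double-escaped: drops the
 * backslash that sits before ' and ". Assumes default sql_mode (backslash
 * escapes inside MySQL string literals) and that nobody typed a backslash
 * before a quote on purpose; back the table up before running it.
 */
function repairDoubleEscapedQuotes(mysqli $dbc): int
{
    $sql = <<<'SQL'
UPDATE `quotes`
   SET quote = REPLACE(REPLACE(quote, '\\\'', '\''), '\\"', '"')
 WHERE INSTR(quote, '\\') > 0
SQL;
    if (!$dbc->query($sql)) {
        throw new RuntimeException('repair failed: ' . $dbc->error);
    }
    return (int) $dbc->affected_rows;
}

// Usage, mirroring the poster's processes/quote.php:
if (isset($_POST['submitquote'])) {
    $dbc->set_charset('utf8mb4'); // escaping and binding must agree with the connection charset
    insertQuote($dbc, rawPostValue('quote'), 1);
}
```

With bound parameters the "escape once, in the right order" rule from the thread stops mattering for the INSERT, and the only transformation left is the one that belongs to the output channel, htmlspecialchars() when the quote is echoed into the table. Run repairDoubleEscapedQuotes() once, after the insert path is fixed, so the backslashes do not come back.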
Xtremer360 Posted January 4, 2011

That worked. Thank you.