
stripslashes() not working :( help plz :)


colleyboy


 

OK, I am confused a little.

 

I have a script which processes the form data and then uploads it to the mysql database.  Simple.

 

Only problem I have is when the textbox is filled with anything with a " it adds a \ before it.

 

example:  Have a "great" day  is now  Have a \"Great\" day

 

So I thought maybe it could be the stripslashes.

 

My code isn't working though.  Any ideas people?

 

CODE:

 

<?php

mysql_connect("localhost", "xxxxxxxx", "xxxxxxxxxxxx") or die(mysql_error());
mysql_select_db("xxxxxxxxxxxxx") or die(mysql_error());

$title = stripslashes(trim($_POST['title']));
$content = stripslashes(trim($_POST['content']));
$title = mysql_real_escape_string(trim($_POST['title']));
$content = mysql_real_escape_string(trim($_POST['content']));

$what_id=$_POST['what_id'];

mysql_query("UPDATE homepage SET title='$title', content='$content' WHERE id = '1'") or die(mysql_error()); 
  
include 'updatedhyperlink1.php';

?>


Take a close look at your code! You are first defining $title and $content using stripslashes() and trim() on the POST values. Then you are redefining those variables using mysql_real_escape_string() again on the POST values. So you just lost anything you had with trim() and stripslashes().

 

I see do I need to do this then?

 

<?php

mysql_connect("localhost", "xxxxxxxx", "xxxxxxxxxxxx") or die(mysql_error());
mysql_select_db("xxxxxxxxxxxxx") or die(mysql_error());

$title = mysql_real_escape_string(stripslashes(trim($_POST['title'])));
$content = mysql_real_escape_string(stripslashes(trim($_POST['content'])));

$what_id = $_POST['what_id'];

mysql_query("UPDATE homepage SET title='$title', content='$content' WHERE id = '1'") or die(mysql_error());

include 'updatedhyperlink1.php';

?>

The manual offers some sample code you can add which will use stripslashes() on all your user submitted data ONLY if the server has magic quotes turned on. In the interest of portability you should use that instead. Otherwise, if you move your code to another server or the settings are changed on your current server, stripslashes() will remove content that it shouldn't.

 

Here is the page with the code to programmatically remove magic quotes if used: http://www.php.net/manual/en/security.magicquotes.disabling.php

 

Implement that in any page that takes user submitted data. If you have a page that is included in all pages (which I always do) include the code in there.

 

Then your code just needs to look like this:

mysql_connect("localhost", "xxxxxxxx", "xxxxxxxxxxxx") or die(mysql_error());
mysql_select_db("xxxxxxxxxxxxx") or die(mysql_error());
$title   = mysql_real_escape_string(trim($_POST['title']));
$content = mysql_real_escape_string(trim($_POST['content']));
$what_id = (int) $_POST['what_id'];
mysql_query("UPDATE homepage SET title='$title', content='$content' WHERE id = '1'") or die(mysql_error()); 
  
include 'updatedhyperlink1.php';

 

Also, be sure to validate/cleanse ALL user input. I assumed that "what_id" would be an integer, so I used (int) to force it to be an int even if the user somehow submitted anything else.
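Putting the reply's two points together, here is an added example (my own code, not from this thread or the PHP manual) that strips the magic-quotes slashes only when the server added them, trims and casts each field once, and then writes the row with a PDO prepared statement instead of mysql_real_escape_string(), since the mysql_* extension no longer exists in PHP 7 and later. The function names and the $db connection are assumptions; the two sample submissions are constructed to show the same form post as it arrives with magic quotes on and off.

```php
<?php
// Added example, not code from the thread. Undo magic_quotes_gpc only when
// it is actually on, normalise each field exactly once, then update via a
// prepared statement so no manual SQL escaping is needed.

// Recursively undo magic_quotes_gpc escaping on a scalar or nested array.
function strip_magic_quotes($value) {
    return is_array($value)
        ? array_map('strip_magic_quotes', $value)
        : stripslashes($value);
}

// Normalise the homepage form. $magic_quotes_on is passed in so the same
// function can be exercised offline under both server settings; in a real
// request it would come from get_magic_quotes_gpc() (see below).
function normalise_homepage_post(array $post, $magic_quotes_on) {
    if ($magic_quotes_on) {
        $post = strip_magic_quotes($post); // only when PHP added the slashes
    }
    return array(
        'title'   => trim(isset($post['title'])   ? $post['title']   : ''),
        'content' => trim(isset($post['content']) ? $post['content'] : ''),
        'what_id' => (int) (isset($post['what_id']) ? $post['what_id'] : 0),
    );
}

// Write the row. PDO sends the values separately from the SQL text, so the
// quotes in the title cannot alter the statement. $db is an assumed open
// PDO connection to the thread's database.
function update_homepage(PDO $db, array $row) {
    $stmt = $db->prepare('UPDATE homepage SET title = :title, content = :content WHERE id = 1');
    return $stmt->execute(array(':title' => $row['title'], ':content' => $row['content']));
}

// Constructed inputs: the same user text as PHP hands it over with magic
// quotes on (slashes added) and with magic quotes off (raw). The content
// field contains a backslash the user really typed, which an unconditional
// stripslashes() would destroy when magic quotes are off.
$with_magic    = array('title' => 'Have a \\"great\\" day', 'content' => 'C:\\\\temp', 'what_id' => '7abc');
$without_magic = array('title' => 'Have a "great" day',     'content' => 'C:\\temp',   'what_id' => '7abc');

// In production, detect the setting once; the function_exists() guard keeps
// this running on PHP versions where get_magic_quotes_gpc() was removed.
$magic_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();

$a = normalise_homepage_post($with_magic, true);
$b = normalise_homepage_post($without_magic, false);
var_dump($a === $b); // the two server settings must produce identical rows
```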

Many Thanks,

 

Well, I have different pages with different submission forms with different rules. But that did work fine adding the stripslashes in with the trim and escape string. Knew it was something easy and obvious.

 

Thanks,

Ian
