PHP Adding Slashes Without Instruction

maxudaskin · February 3, 2011

I have this page that keeps adding slashes (exponentially) to the $sql var that gets passed on through the hidden text area. I cannot figure out why it does this.

Any ideas are appreciated. Thank you.

<?php
include_once $_SERVER['DOCUMENT_ROOT'] . '/include/login.php';
include_once $_SERVER['DOCUMENT_ROOT'] . '/include/mysql.php';

if(!Login::loggedIn()) {
include $_SERVER['DOCUMENT_ROOT'] . '/include/uploads/pages/login.php';
} else {
function displayForm()
{
	$sql     = 'SELECT * FROM `content` WHERE `contentCallid` = \'' . $_GET['page'] . '\'';
	$con     = $GLOBALS['mysql']->connect();
	$query   = mysql_query($sql, $con);
	$content = mysql_fetch_array($query);

	$content['breadcrumb']     = explode(',', $content['breadcrumb']);
	$content['breadcrumbLink'] = explode(',', $content['breadcrumbLink']);
	$breadcrumb = '';

	for($i = 0; $i < count($content['breadcrumb']); $i++) {
		if($i > 0)
			$breadcrumb .= ',';
		$breadcrumb .= $content['breadcrumbLink'][$i] . '::' . $content['breadcrumb'][$i];
	}

	if(empty($_POST['sql'])) {
		$sql = 'INSERT INTO `contentVersions`
					(`contentCallid` ,
					`contentTitle` ,
					`content` ,
					`views` ,
					`permissionNeeded` ,
					`status` ,
					`version` ,
					`created` ,
					`createdBy` ,
					`lastEdit` ,
					`lastEditBy` ,
					`breadcrumb` ,
					`breadcrumbLink` ,
					`noBreadcrumb` ) 
				VALUES (
					\'' . ($content['contentCallid'])    . '\',
					\'' . ($content['contentTitle'])     . '\',
					\'' . ($content['content'])          . '\',
					\'' . ($content['views'])            . '\',
					\'' . ($content['permissionNeeded']) . '\',
					\'' . ($content['status'])           . '\',
					\'' . ($content['version'])          . '\',
					\'' . ($content['created'])          . '\',
					\'' . ($content['createdBy'])        . '\',
					\'' . ($content['lastEdit'])         . '\',
					\'' . ($content['lastEditBy'])       . '\',
					\'' . ($content['breadcrumb'])       . '\',
					\'' . ($content['breadcrumbLink'])   . '\',
					\'' . ($content['noBreadcrumb'])     . '\');';
		$sql = stripslashes($sql);
	} else {
		$sql = $_POST['sql'];
	}
?>
<form id="loginForm" name="loginForm" method="post" action="index.php?p=editPage&page=<?= $_GET['page']; ?>&ref=editPage">
   <fieldset>
    <legend>Page Settings </legend>
<p>
      <label>Page Title: </label>
      <input name="title" style="width:450px;" id="title" value="<?= $content['contentTitle']; ?>" type="text" />
    </p>
<p>
      <label>Content ID: </label>
      <input name="callid" readonly="readonly" style="width:381px;" id="callid" value="<?= $content['contentCallid']; ?>" type="text" />
   
  <input name="suggestC" type="button" value="Suggest" onclick="suggestCallID('<?= $content['contentCallid']; ?>');" />
    </p>
<p>
      <label>Breadcrumb: </label>
      <input name="breadcrumb" style="width:381px;" id="breadcrumb" value="<?= $breadcrumb; ?>" type="text" />
   
  <input name="suggestBC" type="button" value="Suggest" onclick="suggestBreadcrumb();" /></p>
  </fieldset>
  <textarea name="editPageWYS" id="editPageWYS"><?= $content['content']; ?></textarea>
   <textarea style="visibility:hidden;" name="sql"><?= $sql; ?></textarea>
   <textarea style="visibility:hidden;" name="version"><?= $content['version']; ?></textarea>
   <textarea style="visibility:hidden;" name="contentid"><?= $content['contentid']; ?></textarea>
   <fieldset>
    <legend>Actions</legend>
<p>
  <input name="save" type="submit" value="Save" />
    </p>
  </fieldset>
</form>
<?php
}

if(!empty($_POST['save'])) {
	if(empty($_POST['title']) || empty($_POST['callid'])) {
		echo '<blockquote class="failure">Save not successful. You need to have both a title and content id. Please type in a title then click the "Suggest" button.</blockquote>';
		displayForm();
	} else {
		$time = time();
		$bc   = explode(',', $_POST['breadcrumb']);
		$bcText = array();
		$bcLink = array();

		for($i = 0; $i < count($bc); $i++) {
			$bc[$i]     = explode('::', $bc[$i]);
			$bcLink[$i] = $bc[$i][0];
			$bcText[$i] = $bc[$i][1];
		}

		$bcLink = implode(',', $bcLink);
		$bcText = implode(',', $bcText);

		$con   = $GLOBALS['mysql']->connect();
		$query = mysql_query($_POST['sql'], $con);

		echo $_POST['sql'];
		if(!$query) {
			echo '<blockquote class="failure">Warning: A MySQL error has occured while adding the backup to the database.<p>' . mysql_error() . '</p></blockquote>';
			displayForm();
		}

		$sql = 'UPDATE 	`content` SET
						`content` = \'' . $_POST['editPageWYS'] . '\',
						`breadcrumb` = \'' . $bcText . '\',
						`breadcrumbLink` = \'' . $bcLink . '\',
						`contentCallid` = \'' . $_POST['callid'] . '\',
						`contentTitle` = \'' . $_POST['title'] . '\',
						`version` = \'' . ($_POST['version'] + 1) . '\',
						`lastEdit` = \'' . $time . '\',
						`lastEditBy` = \'' . $_SESSION['username'] . '\'
				WHERE `contentid` = ' . $_POST['contentid'] . ' LIMIT 1 ;';

		$query = mysql_query($sql, $con);
		if(!$query) {
			echo '<blockquote class="failure">MySQL Error<p>' . mysql_error() . '</p></blockquote>';
			displayForm();
		} else {
			echo '<blockquote>Page Successfully Edited<br /><br /><a href="index.php?p=' . $_POST['callid'] . '&ref=newPage">Click Here to View It</a></blockquote>';
		}
	}
} else {
	displayForm();
}
}
?>

trq · February 3, 2011

Your server must have magic_quotes enabled. You should disable this if you have acess, otherwise, you'll need to use stripslashes.

Sign In

PHP Adding Slashes Without Instruction

Recommended Posts

maxudaskin

Link to comment

Share on other sites

trq

Link to comment

Share on other sites

Join the conversation

Browse

Activity

Important Information