MySQL Database insert validation, and displaying info

[mat3000000]

Hi,

 

I have a website where users can log on and edit their profile pic, name, biography etc.

I was wondering about the correct way to:-

• Add data to the database through forms (Register.php)
  
• Display the data on a page
  

Using mysql escape sting, however, the way I am currently using will display a '\' before any ' symbol. So it's >> it\'s ...

 

Here is a snippet of the code I am using...

 

//insert data
$about1 = mysql_real_escape_string($_POST['about']);

//get
$query = mysql_query("SELECT * FROM `staff` WHERE username='$username'");
$row = mysql_fetch_array($query);
$about = $row['about'];
echo $about;

[Pikachu2000]

If you're getting the escaping backslashes displayed, you probably have magic_quotes_gpc() = On in your php.ini file, causing the data to be double-escaped.

[mikesta707]

The easiest solution would be to simply remove the slashes using PHP's stripslashes() function. However, as Pikachu pointed out, the problem most likely stems from a setting in your php.ini. It would be best if you turned this setting off, to avoid this problem in the future. Unfortunately, the text in your database already will be unaffected by this change. Is your server in development or production?

[Psycho]

Unfortunately, the text in your database already will be unaffected by this change. Is your server in development or production?

 

I think mikesta707 misspoke. he meant to say that the content already stored in your database IS already affected.

[Pikachu2000]

I'm thinking what he was getting at was that turning off magic_quotes won't remove any backslashes in the existing data. You'd need to run an UPDATE query to take care of it.

[mikesta707]

I'm thinking what he was getting at was that turning off magic_quotes won't remove any backslashes in the existing data. You'd need to run an UPDATE query to take care of it.

 

yes this is what I meant. Thank you for clarifying.