RON_ron Posted September 4, 2012 Share Posted September 4, 2012 if( get_magic_quotes_gpc() ) { $subjects = mysql_real_escape_string(stripslashes($_POST['subjects'])); $codeA = mysql_real_escape_string(stripslashes($_POST['codeA'])); } else { $subjects = mysql_real_escape_string($_POST['subjects']); $codeA = mysql_real_escape_string($_POST['codeA']); } I'm using the above to maintain the new paragraphs (when the user hits the Enter key). But unfortunately the back slashes are still appearing... Could someone help me here? Quote Link to comment Share on other sites More sharing options...
ignace Posted September 4, 2012 Share Posted September 4, 2012 mysql_real_escape_string will add slashes for any character's (' and ") which could break your SQL. That said relying on mysql_* functions should be avoided and you should use the mysqli_* functions instead or PDO. http://php.net/mysqli-real-escape-string Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted September 4, 2012 Share Posted September 4, 2012 the back slashes are still appearing... Exactly where are they still appearing at? Quote Link to comment Share on other sites More sharing options...
RON_ron Posted September 4, 2012 Author Share Posted September 4, 2012 I'm using this to store text in to the mysql db. the backslashes shows there. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted September 4, 2012 Share Posted September 4, 2012 For us to be able to help you with any programming problem you are having, you must supply the all the relevant code and sample data needed to reproduce the problem. There's at least 6 different things I can think of that could cause the symptom. Quote Link to comment Share on other sites More sharing options...
Adam Posted September 4, 2012 Share Posted September 4, 2012 Why not just disable magic quotes altogether? Quote Link to comment Share on other sites More sharing options...
RON_ron Posted September 4, 2012 Author Share Posted September 4, 2012 Thanks. This is the full code. if( get_magic_quotes_gpc() ) { $subjects = mysql_real_escape_string(stripslashes($_POST['subjects'])); $codeA = mysql_real_escape_string(stripslashes($_POST['codeA'])); } else { $subjects = mysql_real_escape_string($_POST['subjects']); $codeA = mysql_real_escape_string($_POST['codeA']); } $update = sprintf("INSERT INTO newdb (subject, code) VALUES ('%s', '%s')", mysql_real_escape_string($subjects), mysql_real_escape_string($codeA)); $result = mysql_query($update); Quote Link to comment Share on other sites More sharing options...
Adam Posted September 4, 2012 Share Posted September 4, 2012 You're escaping the variables again: $update = sprintf("...", mysql_real_escape_string($subjects), mysql_real_escape_string($codeA)); Quote Link to comment Share on other sites More sharing options...
ignace Posted September 4, 2012 Share Posted September 4, 2012 That's how it should be done: if (get_magic_quotes_gpc()) { $_POST['subjects'] = stripslashes($_POST['subjects']); $_POST['codeA'] = stripslashes($_POST['codeA']); } $update = sprintf("INSERT INTO newdb (subject, code) VALUES ('%s', '%s')", mysql_real_escape_string($_POST['subjects']), mysql_real_escape_string($_POST['codeA'])); $result = mysql_query($update); Quote Link to comment Share on other sites More sharing options...
RON_ron Posted September 4, 2012 Author Share Posted September 4, 2012 Cheers All!! mysql_real_escape_string ...relying on mysql_* functions should be avoided ... http://php.net/mysqli-real-escape-string I'm not really a php star - may I know briefly why? isn't this secure using mysql_real_escape_string? Quote Link to comment Share on other sites More sharing options...
ignace Posted September 5, 2012 Share Posted September 5, 2012 http://php.net/mysql-real-escape-string Look at the big red box Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.