
"What's new to the site?" shows up as "What\'s new to the site?".


Why is this? How can I prevent this?


How it is run through the site:

```php
$pagetitle = mysqli_real_escape_string($mysqli, $pagetitle);
$pagetitle = cleansafelynow($pagetitle);
```


I did google this problem and nothing seemed to help me. It shows up fine when not going through mysqli_real_escape_string.


The function used:

```php
function cleansafelynow($var) {
    if (@get_magic_quotes_gpc()) {stripslashes($var);}
    strip_tags($var);
    htmlspecialchars($var, ENT_QUOTES);

    return $var;
}
```


I also tried stripslashes() alone and not going through the if statement and it remains the same. Is there something I can do to remove all backslashes possibly? Or maybe a different way to accomplish this?


magic_quotes_gpc, magic_quotes_runtime, and magic_quotes_sybase are all off.


strip_tags() is only used once and that's when the data is coming directly from the user. And only if you actually do want to strip out anything that resembles HTML tags.


The only thing you truly need* is mysqli_real_escape_string() on the input just before you put it into a query, and htmlspecialchars() or htmlentities() on anything just before you put it into your HTML page. So

1. strip_tags()

2. mres when it goes into the query

3. Retrieve from database

4. htmlspecialchars() when it goes into the HTML


* If you haven't otherwise verified that the input is safe. Like numbers are inherently safe.

Edited by requinix
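The four-step order above, shown end to end as an added example (not code from the thread). It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the bind-then-store part is the same with mysqli prepared statements, and addslashes() stands in for mysqli_real_escape_string() only to reproduce the stray backslash the question is about.

```php
<?php
// Added example: why a SQL-escaped string must never be echoed, and the
// correct order: quote/bind for the query, htmlspecialchars() for the page.
declare(strict_types=1);

$input = "What's new to the site?";   // constructed sample, as in the question

// WRONG: SQL escaping applied to a value that is then displayed.
// addslashes() is an assumption here, standing in for
// mysqli_real_escape_string(); both add a backslash before the quote.
$escapedForSql = addslashes($input);
$wrongHtml     = htmlspecialchars($escapedForSql, ENT_QUOTES, 'UTF-8');
// $wrongHtml === "What\'s new to the site?" -> page shows the backslash

// RIGHT: bind the raw value (the driver quotes it for the query only),
// store it unchanged, and escape only at the moment it goes into HTML.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO pages (title) VALUES (:title)');
$insert->execute([':title' => $input]);          // step 2: no manual escaping

$stored = $pdo->query('SELECT title FROM pages')->fetchColumn(); // step 3
// $stored === "What's new to the site?"  (no backslash was ever stored)

$rightHtml = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');    // step 4
// $rightHtml === "What&#039;s new to the site?" -> browser shows the apostrophe

printf("wrong: %s\nright: %s\n", $wrongHtml, $rightHtml);
```

Run with `php example.php` (PHP with the pdo_sqlite extension); the first line reproduces the symptom, the second is what the page should receive.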

Your cleansafelynow function doesn't actually do anything the way you have it written.  You never save the results of those function calls back to $var so all you're doing is returning the same exact data you passed into the function.


```php
function cleansafelynow($var) {
   if (get_magic_quotes_gpc()) {
      $var = stripslashes($var);
   }
   $var = strip_tags($var);
   $var = htmlspecialchars($var, ENT_QUOTES);
   return $var;
}
```
