
Mysql_Real_Escape_String Adding Slashes


Manixat


Hey,

 

I ran into this really annoying problem where mysql_real_escape_string adds those backslashes to quotes and displays them whenever I retrieve the data from the database, and sometimes it even causes the rest of the text to disappear when displaying, even though it exists in the database. How can I avoid this problem?

 

I tried stripslashes, but the text that is not shown after the quotes is still not shown, so this is not a solution, and htmlspecialchars won't work because I'm using the information in input boxes and it will show up as the code representing the symbol.

Edited by Manixat

A) There's a section in the php.net manual about magic quotes.

 

B) If you happen to be on a server where you don't have the ability to disable magic_quotes_gpc (you should be able to do this in a local php.ini when PHP is running as a CGI application, or in an .htaccess file when PHP is running as an Apache module), you would need to add logic to your script to test if magic_quotes_gpc is on and use stripslashes on the incoming data before you use mysql_real_escape_string on the data.

 

C) You didn't actually state if the \ characters are stored in your database table (they should not be.) If they are not stored in the table, but you get them when you retrieve the data, that means that magic_quotes_runtime is ON, which you can and should turn off in your script.

 

D) The problem of the content not displaying after the ' when you output it in a form field is most likely because you don't have any quotes in your HTML markup surrounding the value= '...' attribute.

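Points B and C written out as a script, as an added example that is not code from this thread. It targets PHP 5.3, where both magic-quote settings still exist; the `mysql_connect()` details and the `notes(id, body)` table are made up for the example.

```php
<?php
// Added example, not code from the original thread. Written for PHP 5.3,
// where magic_quotes_gpc and magic_quotes_runtime still exist; on 5.4+
// the get_magic_quotes_* functions simply return false and the checks
// below become no-ops.

// Point B: if magic_quotes_gpc is on, strip its slashes from the raw
// request data first, so that mysql_real_escape_string() below escapes
// the text exactly once. $_POST can contain nested arrays, so recurse.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// Point C: backslashes that are absent in the table but appear on
// retrieval come from magic_quotes_runtime. It is a PHP_INI_ALL setting,
// so the script can switch it off for itself regardless of server config.
if (function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime()) {
    ini_set('magic_quotes_runtime', '0');
}

// Escape once, against the live connection, then run the query.
// $link is a mysql_connect() resource; the notes(id, body) table is
// assumed for the example.
function insert_note($link, $body)
{
    $escaped = mysql_real_escape_string($body, $link);
    return mysql_query("INSERT INTO notes (body) VALUES ('$escaped')", $link);
}

function latest_note($link)
{
    $res = mysql_query('SELECT body FROM notes ORDER BY id DESC LIMIT 1', $link);
    $row = mysql_fetch_assoc($res);
    return $row ? $row['body'] : null;
}

// Hypothetical connection details; replace with your own.
$link = mysql_connect('localhost', 'app_user', 'app_password');
mysql_select_db('app', $link);
// Tell the client library the connection charset so escaping matches it.
mysql_set_charset('utf8', $link);

// Constructed input standing in for $_POST['body'].
$body = isset($_POST['body']) ? $_POST['body'] : 'Meet "Dave" at O\'Malley\'s';

insert_note($link, $body);
$stored = latest_note($link);

// With both magic-quote settings neutralised, the round trip is lossless
// and no backslashes are stored or returned.
if ($stored !== $body) {
    echo "Round trip mismatch: stored ", var_export($stored, true), "\n";
} else {
    echo "Round trip OK, no stray backslashes\n";
}
```

The `function_exists()` guards matter because `get_magic_quotes_gpc()` and `get_magic_quotes_runtime()` were removed in PHP 8.0, so the script keeps loading on any version. If `php_flag magic_quotes_gpc off` in .htaccess produces a 500 error, PHP is not running as an Apache module on that host and Apache rejects the directive; in that case the setting belongs in a local php.ini (`magic_quotes_gpc = Off`) for CGI/FastCGI, or you rely on the script-level check above, which works either way.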

Okay so I did the test. Before escaping, the input (raw $_POST) has slashes before quotes, which means that magic quotes is on, right? So from there my solution I guess would be to turn it off, but since I have no access to the server I googled about this .htaccess method and all I found was this

 

php_flag magic_quotes_gpc off

 

And of course decided to use it, but then it gave me a server internal error

 

Internal Server Error

 

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@sdelkata.net and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

 

So from here I guess I have to ask you how to disable it properly, or why not leave the input unescaped since it has magic quotes?

 

And about the "disappearing" content, I found out what the problem is, although I couldn't think of a solution. I have quotes at the value=" " attribute, but if the content contains quotes it closes, e.g. value="Meet "Dave"" - and 'Dave' is left out of the value. I thought I could add slashes to the quotes but they appear as well. Any ideas?

Edited by Manixat

why not leave the input unescaped since it has magic quotes?

 

Because magic quotes has been deprecated as of PHP 5.3 and removed as of PHP 5.4. The main security reason for magic quotes being removed from PHP is because it did not take into account the character set encoding your database connection is using, so it is possible to still inject SQL after data has been passed through the escaping done by magic quotes.

 

And about the "disappearing" content, I found out what the problem is, although I couldn't think of a solution

 

That's what htmlentities and htmlspecialchars are for. Use the ENT_QUOTES flag to ensure that both single and double quotes are converted to HTML entities so they won't break your HTML.

Edited by PFMaBiSmAd
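Both points in this answer as an added example (not the poster's code): the ENT_QUOTES fix for the `Meet "Dave"` value attribute, and a demonstration of why escaping that ignores the connection charset leaves a quote alive. The first two parts run stand-alone from the CLI; the `notes` table and `insert_with_mysqli()` at the end are hypothetical and need a database.

```php
<?php
// Added example, not from the original thread. Runs stand-alone on PHP 5.x+;
// only the last function needs a database.

// Part 1: the disappearing-text problem. Encode for the HTML attribute
// context, not for SQL. ENT_QUOTES converts both " and ' so neither byte
// can close the value="" attribute.
function input_field($name, $value)
{
    return '<input type="text" name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . '" value="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

echo input_field('title', 'Meet "Dave"'), "\n";
// The browser decodes the entities when it renders the field and sends plain
// quotes back on submit, so nothing entity-encoded or backslashed reaches
// the script or the database.

// Part 2: why charset-unaware escaping is still injectable.
// In GBK, a lead byte 0x81-0xFE followed by a trail byte 0x40-0xFE (0x7F
// excepted) forms one two-byte character, and 0x5C (backslash) is a valid
// trail byte. addslashes() and magic quotes know nothing about that.
function quote_survives_in_gbk($bytes)
{
    // Walk the bytes the way a GBK decoder does.
    $len = strlen($bytes);
    for ($i = 0; $i < $len; $i++) {
        $b = ord($bytes[$i]);
        if ($b >= 0x81 && $b <= 0xFE) {
            $i++;              // lead byte: swallow the trail byte, whatever it is
            continue;
        }
        if ($b === 0x27) {     // a single quote outside any multibyte character
            return true;
        }
    }
    return false;
}

$attack  = "\xbf'";                 // constructed input: GBK lead byte + quote
$escaped = addslashes($attack);     // inserts 0x5C in front of the 0x27
printf("addslashes output: %s\n", bin2hex($escaped));
printf("quote still terminates the string under GBK: %s\n",
       quote_survives_in_gbk($escaped) ? 'yes' : 'no');

// Part 3: let the client library escape for the charset the connection
// actually uses (mysql_set_charset() + mysql_real_escape_string(), or the
// mysqli equivalents), or better, keep data out of the SQL text altogether
// with a prepared statement. Hypothetical notes(body) table.
function insert_with_mysqli(mysqli $db, $body)
{
    $db->set_charset('utf8');       // escaping now matches the connection
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    return $stmt->execute();
}
```

The attribute comes out as `value="Meet &quot;Dave&quot;"`, which the browser shows as `Meet "Dave"`, so the entities never become visible in the input box. The GBK walk in part 2 is the reason `mysql_real_escape_string()` takes the connection link: it asks the client library which charset is in use and escapes accordingly, which `addslashes()` cannot do. Note that the whole `mysql_*` extension was removed in PHP 7.0, so new code should use mysqli or PDO as in part 3.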
