Jump to content

Recommended Posts

Hey,

 

I ran into this really annoying problem where mysql_real_escape_string adds those backslashes to quotes and displays them whenever I retrieve the data from the database, even sometimes causes the rest of the text to disappear when displaying even though it exists in the database. How can I avoid this problem?

 

I tried stripslashes but the text that is not shown after the quotes is still not shown so this is not a solution and htmlspecialchars wont work because I'm using the information in input boxes and it will show up as the code representing the symbol

Edited by Manixat
Link to comment
https://forums.phpfreaks.com/topic/270900-mysql_real_escape_string-adding-slashes/
Share on other sites

A) There's a section in the php.net manual about magic quotes.

 

B) If you happen to be on a server where you don't have the ability to disable magic_quotes_gpc (you should be able to do this in a local php.ini when php is running as a cgi application or a htaccess file when php is running as an apache module), you would need to add logic to your script to test if magic_quotes_gpc is on and use stripslashes on the incoming data before you use mysql_real_escape_string on the data.

 

C) You didn't actually state if the \ characters are stored in your database table (they should not be.) If they are not stored in the table, but you get them when you retrieve the data, that means that magic_quotes_runtime is ON, which you can and should turn off in your script.

 

D) The problem of the content not displaying after the ' when you output it in a form field is most likely because you don't have any quotes in your HTML markup surrounding the value= '...' attribute.

Okay so I did the test, before escaping the input (raw $_post) has slashes before quotes which means that magic quotes is on, right? So from there my solution I guess would be to turn it off, but since I have no access to the server I googled about this htaccess method and all I found was this

 

php_flag magic_quotes_gpc off

 

And of course decided to use it, but then it gave me a server internal error

 

Internal Server Error

 

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@sdelkata.net and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

 

So from here I guess I have to ask you how to disable it properly, or why not leave the input unescaped since it has magic quotes ?

 

And about the "disappearing" content, I found out what the problem is, although I couldn't think of a solution, I have quotes at the value=" " attribute, but if the content contains quotes it closes, eg. value="Meet "Dave"" - and 'Dave' is left out of the value. I thought I could add slashes to the quotes but they appear aswell. Any Ideas?

Edited by Manixat
why not leave the input unescaped since it has magic quotes ?

 

Because, magic quotes has been depreciated as of php5.3 and removed as of php5.4. The main security reason for magic quotes being removed from php is because it did not take into account the character set encoding your database connection is using, so it is possible to still inject sql after data has been passed through the escaping done by magic quotes.

 

And about the "disappearing" content, I found out what the problem is, although I couldn't think of a solution

 

That's what htmlentities and htmlspecialchars are for. Use the ENT_QUOTES flag to insure that both single and double quotes are converted to html entities so they won't break your html.

Edited by PFMaBiSmAd
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.