PHP automatically generate a slash when adding record to database

[Deepzone]

Can anyone tell me how to prevent a slash from auto-generated when inserting a string that has a apostophe.  Example can't become can\'t.  Thanks,

[PaulRyan]

That what escaping data does, you have to remove it via stripslashes when outputting to the end user.

Edited March 23, 2013 by PaulRyan

[Barand]

No, Paul, you shouldn't be writing it to the database in the first place.

 

If you have magic_quotes ON then a slash is added for you automatically, so it is received in the POST as can\'t. If you then escape it with real_escape_string it becomes can\\\'t, which then gets written to the database as can\'t.

 

To avoid it, use stripslashes if magic quotes is ON before escaping. This way the escaped value is can\'t which is written to the db as can't (correctly)

[Deepzone]

I debugged it and found the slash was generated by real_escape_string function.  I use this function to sanitize the capture to prevent sql injection.  So shall I use the stripslashes after this function?  But then if user does need to input a slash, what do I do?

[PaulRyan]

Barand, thanks for pointing that out. I just assumed that is what happened, I've had magic_quotes on all along it seems, must have forgotten to turn them off with my new install on my computer.

[Jessica]

Strip slashes only removes the escape slashes like \'

[Barand]

I debugged it and found the slash was generated by real_escape_string function.  I use this function to sanitize the capture to prevent sql injection.  So shall I use the stripslashes after this function?  But then if user does need to input a slash, what do I do?

 

use something like this

 

function sanitize($data)
{
    if (get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }
    return mysqli_real_escape_string($data);
}