cdmafra Posted February 25, 2015

Hello. I have a problem when I send an article to the DB from the server (on localhost everything is working fine). The news_post (textarea) is sending backslashes before single and double quotes, breaking embed elements (images, videos, etc.). The articles are sent to the DB through this code:

[code]
if (isset($_POST["publish-p"])) {
    $link = mysqli_connect("CONNECTION DATA") or die("Error " . mysqli_connect_error());

    // Escape each submitted field for use in the SQL string
    $categoria     = mysqli_real_escape_string($link, $_POST['categoria']);
    $categoria2    = mysqli_real_escape_string($link, $_POST['categoria2']);
    $destaque      = mysqli_real_escape_string($link, $_POST['destaque']);
    $publicado     = mysqli_real_escape_string($link, $_POST['publicado']);
    $news_title    = mysqli_real_escape_string($link, $_POST['news_title']);
    $news_slug     = mysqli_real_escape_string($link, $_POST['news_slug'] . '-' . date('d-m-Y'));
    $news_subtitle = mysqli_real_escape_string($link, $_POST['news_subtitle']);
    $news_desc     = mysqli_real_escape_string($link, $_POST['news_desc']);
    $news_post     = mysqli_real_escape_string($link, $_POST['news_post']);
    $news_date     = mysqli_real_escape_string($link, $_POST['news_date']);
    $hour          = mysqli_real_escape_string($link, date('H:i'));
    $news_image    = mysqli_real_escape_string($link, $_POST['news_image']);
    $copyright     = mysqli_real_escape_string($link, $_POST['copyright']);

    $publish = "INSERT INTO news (news_guid, categoria, categoria2, destaque, publicado,
            news_title, news_slug, news_subtitle, news_desc, news_post, news_date,
            hour, news_image, copyright)
        VALUES (uuid(), '$categoria', '$categoria2', '$destaque', '$publicado',
            '$news_title', '$news_slug', '$news_subtitle', '$news_desc', '$news_post',
            '$news_date', '$hour', '$news_image', '$copyright')";
}
[/code]

mac_gyver Posted February 25, 2015

your server has magic_quotes_gpc on, see this link - http://php.net/manual/en/security.magicquotes.php

you either need to turn the setting off, upgrade your php version, or you need to detect if the setting is on in your code and use stripslashes() on the data before you apply your own escaping to the data.

cdmafra (Author) Posted February 25, 2015

I believe I can't change anything in my server. How should I apply stripslashes() in this code?

mac_gyver Posted February 25, 2015 (Solution)

use the get_magic_quotes_gpc() function in some conditional logic -

[code]
if (get_magic_quotes_gpc()) {
    $_POST['categoria'] = stripslashes($_POST['categoria']); // example for one value
}
[/code]

if you have a bunch of data values to apply this to, you can use php's array_map() (single dimensional data only) or array_walk_recursive() (multi-dimensional data, requires a user written call-back function) to apply stripslashes() to every element of the $_POST array so that you don't need to write out code for each different post variable.

cdmafra (Author) Posted February 25, 2015 (edited February 25, 2015 by cdmafra)

Thanks. I'm trying to apply get_magic_quotes with my code, but with no result.

[code]
if (isset($_POST["publish-p"])) {
    $link = mysqli_connect("connection data") or die("Error " . mysqli_connect_error());

    // Escape each submitted field for use in the SQL string
    $categoria     = mysqli_real_escape_string($link, $_POST['categoria']);
    $categoria2    = mysqli_real_escape_string($link, $_POST['categoria2']);
    $destaque      = mysqli_real_escape_string($link, $_POST['destaque']);
    $publicado     = mysqli_real_escape_string($link, $_POST['publicado']);
    $news_title    = mysqli_real_escape_string($link, $_POST['news_title']);
    $news_slug     = mysqli_real_escape_string($link, $_POST['news_slug'] . '-' . date('d-m-Y'));
    $news_subtitle = mysqli_real_escape_string($link, $_POST['news_subtitle']);
    $news_desc     = mysqli_real_escape_string($link, $_POST['news_desc']);
    $news_post     = mysqli_real_escape_string($link, $_POST['news_post']);
    $news_date     = mysqli_real_escape_string($link, $_POST['news_date']);
    $hour          = mysqli_real_escape_string($link, date('H:i'));
    $news_image    = mysqli_real_escape_string($link, $_POST['news_image']);
    $copyright     = mysqli_real_escape_string($link, $_POST['copyright']);

    if (get_magic_quotes_gpc()) {
        $_POST['news_post'] = stripslashes($_POST['news_post']); // example for one value
    }

    $publish = "INSERT INTO news (news_guid, categoria, categoria2, destaque, publicado,
            news_title, news_slug, news_subtitle, news_desc, news_post, news_date,
            hour, news_image, copyright)
        VALUES (uuid(), '$categoria', '$categoria2', '$destaque', '$publicado',
            '$news_title', '$news_slug', '$news_subtitle', '$news_desc', '$news_post',
            '$news_date', '$hour', '$news_image', '$copyright')";

    mysqli_query($link, $publish) or die(mysqli_error($link));

    // message after submitting the data
    $message = "<script>alert('Notícia publicada!');</script>";
}
[/code]

mac_gyver Posted February 25, 2015

[quote]... you need to detect if the setting is on in your code and use stripslashes() on the data before you apply your own escaping to the data.[/quote]

the stripslashes() code goes before any code you have to escape the data.

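Added example, not part of the original posts: the array_walk_recursive() approach from the solution, applied to the whole input array before any escaping, as the reply above says. The helper name undo_magic_quotes() and the sample array are constructed for illustration, and the code sticks to PHP 5.3 syntax because magic_quotes_gpc only exists on servers that old.

```php
<?php
// Added example (not from the thread). Written to run on PHP 5.3+,
// since servers that still have magic_quotes_gpc are that old.

// Hypothetical helper: strip the slashes magic_quotes_gpc added from
// every string in a (possibly nested) input array. $enabled is a
// parameter so the function can be exercised with the setting off.
function undo_magic_quotes(array $input, $enabled)
{
    if (!$enabled) {
        return $input; // nothing was added, so nothing to strip
    }
    array_walk_recursive($input, function (&$value) {
        if (is_string($value)) {
            $value = stripslashes($value);
        }
    });
    return $input;
}

// get_magic_quotes_gpc() was removed in PHP 8, so guard the call.
$magicQuotesOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();

// Run once per request, before any mysqli_real_escape_string() call.
$_POST = undo_magic_quotes($_POST, $magicQuotesOn);

// Constructed sample of what a magic-quoted $_POST looks like.
$sample = array(
    'news_title' => 'It\\\'s live',
    'news_post'  => '<img src=\\"/img/a.jpg\\" alt=\\"photo\\">',
    'gallery'    => array('caption' => 'the \\"old\\" bridge'),
);
$clean = undo_magic_quotes($sample, true);

echo $clean['news_title'], "\n";
echo $clean['news_post'], "\n";
echo $clean['gallery']['caption'], "\n";

// With the setting off the same input must come back unchanged.
var_dump(undo_magic_quotes($sample, false) === $sample);
```

Once the slashes are removed first, each field is escaped exactly once by the existing mysqli_real_escape_string() calls, so the stored HTML keeps its original quotes.
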
cdmafra (Author) Posted February 25, 2015

Done, thanks!