Jump to content

Unwanted backslashes


Go to solution Solved by mac_gyver,

Recommended Posts

Hello.

 

I have a problem when I send an article to DB from the server (in localhost everything is working fine). So, the news_post (textarea) is sending backslashes before single and double quotes, broking embed elements (images, videos, etc.). The articles are sent to DB throught this coide:

 

 

 

[code
if (isset($_POST["publish-p"]))
{
    $link = mysqli_connect("CONNECTION DATA") or die("Error " . mysqli_error($link));
    $categoria= mysqli_real_escape_string($link, $_POST['categoria']);
    $categoria2= mysqli_real_escape_string($link, $_POST['categoria2']);
    $destaque= mysqli_real_escape_string($link, $_POST['destaque']);
    $publicado= mysqli_real_escape_string($link, $_POST['publicado']);
    $news_title= mysqli_real_escape_string($link, $_POST['news_title']);
    $news_slug= mysqli_real_escape_string($link, $_POST['news_slug']. '-' . date('d-m-Y'));
    $news_subtitle= mysqli_real_escape_string($link, $_POST['news_subtitle']);
    $news_desc= mysqli_real_escape_string($link, $_POST['news_desc']);
    $news_post= mysqli_real_escape_string($link, $_POST['news_post']);
    $news_date= mysqli_real_escape_string($link, $_POST['news_date']);
    $hour= mysqli_real_escape_string($link, date('H:i'));
    $news_image= mysqli_real_escape_string($link, $_POST['news_image']);
    $copyright= mysqli_real_escape_string($link, $_POST['copyright']);
 
 
    $publish="INSERT INTO news
                  (news_guid, categoria, categoria2, destaque, publicado, news_title, news_slug, news_subtitle,
                   news_desc, news_post, news_date, hour, news_image,  copyright)
               VALUES
                   (uuid(), '$categoria', '$categoria2', '$destaque', '$publicado', '$news_title', '$news_slug', '$news_subtitle',
                    '$news_desc', '$news_post', '$news_date', '$hour', '$news_image', '$copyright')";

[/code]

 

 

Link to comment
https://forums.phpfreaks.com/topic/294889-unwanted-backslashes/
Share on other sites

your server has magic_quotes_gpc on, see this link - http://php.net/manual/en/security.magicquotes.php

 

you either need to turn the setting off, upgrade your php version, or you need to detect if the setting is on in your code and use stripslashes() on the data before you apply your own escaping to the data.

  • Solution

use the get_magic_quotes_gpc() function in some conditional logic -

if (get_magic_quotes_gpc()) {
    $_POST['categoria'] = stripslashes($_POST['categoria']); // example for one value
}

if you have a bunch of data values to apply this to, you can use php's array_map() (single dimensional data only) or array_walk_recursive() (multi-dimensional data, requires a user written call-back function) to apply stripslashes() to every element of the $_POST array so that you don't need to write out code for each different post variable.

Thanks. I'm trying to apply get_magic_quotes with my code, but with no result.

 

 

 

 

if (isset($_POST["publish-p"]))
{
    $link = mysqli_connect("connection data") or die("Error " . mysqli_error($link));
    $categoria= mysqli_real_escape_string($link, $_POST['categoria']);
    $categoria2= mysqli_real_escape_string($link, $_POST['categoria2']);
    $destaque= mysqli_real_escape_string($link, $_POST['destaque']);
    $publicado= mysqli_real_escape_string($link, $_POST['publicado']);
    $news_title= mysqli_real_escape_string($link, $_POST['news_title']);
    $news_slug= mysqli_real_escape_string($link, $_POST['news_slug']. '-' . date('d-m-Y'));
    $news_subtitle= mysqli_real_escape_string($link, $_POST['news_subtitle']);
    $news_desc= mysqli_real_escape_string($link, $_POST['news_desc']);
    $news_post= mysqli_real_escape_string($link, $_POST['news_post']);
    $news_date= mysqli_real_escape_string($link, $_POST['news_date']);
    $hour= mysqli_real_escape_string($link, date('H:i'));
    $news_image= mysqli_real_escape_string($link, $_POST['news_image']);
    $copyright= mysqli_real_escape_string($link, $_POST['copyright']);
 
if (get_magic_quotes_gpc()) {
    $_POST['news_post'] = stripslashes($_POST['news_post']); // example for one value
}
 
 
    $publish="INSERT INTO news
                  (news_guid, categoria, categoria2, destaque, publicado, news_title, news_slug, news_subtitle,
                   news_desc, news_post, news_date, hour, news_image,  copyright)
               VALUES
                   (uuid(), '$categoria', '$categoria2', '$destaque', '$publicado', '$news_title', '$news_slug', '$news_subtitle',
                    '$news_desc', '$news_post', '$news_date', '$hour', '$news_image', '$copyright')";
    mysqli_query($link, $publish) OR DIE(mysql_error());
    //mensagem após submeter dados
    $message = "<script>alert('Notícia publicada!');</script>";
 

 

 

Edited by cdmafra
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.