addslashes

[Destramic]

im having problems with my forms. every time i enter the input eg. "o'really" it will return as "o\'really" i have setup my so that it shouldnt happen..here is my file...can anyone help?

.htaccess
[code]
php_value magic_quotes_sybase off
php_value magic_quotes_gpc off
php_value magic_quotes_runtime off
[/code]

[craygo]

it will always return it with the slashes. This makes things much simpler to insert into tables and to display. Just strip the slashes before you display it

[code]<?php
$string = 'O\'rielly';
echo stripslashes($string); //outputs O'rielly
?>[/code]

Ray

[Destramic]

well then there is no point in addslashes when im entering the data into the database? as it will already have slashes?

thanks ricky

[Orio]

I recommend to use this function before entering data into the database. It's because [url=http://www.php.net/manual/en/function.mysql-real-escape-string.php]mysql_real_escape_string()[/url] does a better job compared to magic_quotes.

[code]<?php

function sql_quote($value)
{
if(get_magic_quotes_gpc())
$value = stripslashes($value);
return  mysql_real_escape_string($value);
}

?>[/code]

Orio.

[craygo]

that is correct. magic_quotes_gpc is on by default so no need to do anything. It will be inserted into the database properly. But when you want to display something from the database you will need to stripslashes because php will put the slashes in when displaying fields from the database.

Ray

[Destramic]

thank you...in affect wouldnt using this script be goin back on your self?
striping slashes.
adding slashes (back to square one)?

thanks

[code]
<?php

function sql_quote($value)
{
if(get_magic_quotes_gpc())
$value = stripslashes($value);
return  mysql_real_escape_string($value);
}

?>
[/code]

[Orio]

But mysql_real_escape_string() escapes more things (\x00, \n, \r, \, ', " and \x1a) than addslashes() (', ", \x00). And magic_quotes has the same affect as addslashes().
See [url=http://shiflett.org/archive/184]here[/url] for more info...

Orio.

[alpine]

Nor addslashes or mysql_real_escape_string inserts the slash to the table, it's only added to let the escaped value into the db. So stripslashes is not nessesary to output when fetching value from the db, the slash isn't there anyhow.

Manual: http://no.php.net/manual/en/function.addslashes.php
[quote]
to insert the name O'reilly into a database, you will need to escape it. Most databases do this with a \ which would mean O\'reilly. This would only be to get the data into the database, the extra \ will not be inserted.
[/quote]

[craygo]

Well my version of php and mysql returns the values from the database with the slashes. Even though it is not in the database with slashes, when I echo out the value in php it has the slash. Maybe different for different versions.

Ray

[kenrbnsn]

If [b]magic_quotes_runtime[/b] is enabled, then the quotes in strings returned from the database are escaped.

Ken

[alpine]

....and as default this is set to 0 (Off) in php.ini

[Destramic]

thanks all for your replies...ive found something strange...ive used this function to add slashes before data is added to the database..it does the $_POST array and returns it with slashes as required..but when i call $_POST['name'] it will display with no slash...very wierd? it should have a slash infront of the single quote..

can anyone explain? thanks

[code]

function add_slashes($value)
{
// Check if string exists
if (is_string($value))
{
return addslashes($value);
}
elseif (is_array($value))
{
return array_map('add_slashes', $value);
}
}

//Add slashes
add_slashes($_POST);

print_r(add_slashes($_POST));
echo $_POST['name'];

Array
(
    [name] => o\'really
    [email] => destramic@hotmail.com
    [error_type] => Broken Link
    [reason_occurred] => test
)
o'really
[/code]

[Destramic]

ive gotten it to work now using:
[code]
$_POST = add_slashes($_POST);
[/code]

but when data is in the database..it doesnt have any slashes now..

[Destramic]

anyone know why the function works but when i call $_POST['name'] it doesnt have a slash added