soycharliente Posted May 11, 2007 Share Posted May 11, 2007 I've noticed that when I use the mysql_real_escape_string() function, whenever a single quote (') is entered, it comes out as \' when being rendered. How can I escape the string so that it doesn't do this in the future? Link to comment https://forums.phpfreaks.com/topic/50927-solved-using-mysql_real_escape_string/ Share on other sites More sharing options...
mjlogan Posted May 11, 2007 Share Posted May 11, 2007 stripslashes is the function you are after. Link to comment https://forums.phpfreaks.com/topic/50927-solved-using-mysql_real_escape_string/#findComment-250494 Share on other sites More sharing options...
soycharliente Posted May 11, 2007 Author Share Posted May 11, 2007 And that will save slashes that are inputted as well? Link to comment https://forums.phpfreaks.com/topic/50927-solved-using-mysql_real_escape_string/#findComment-250497 Share on other sites More sharing options...
mjlogan Posted May 11, 2007 Share Posted May 11, 2007 $variable = "\\'s"; $variable = mysql_real_escape_string($variable); echo $variable."\n"; $variable = stripslashes($variable); echo $variable; Input => mysql_real_escape_string => stripslashes 's => \'s => 's \'s => \\\'s => \'s \\'s = > \\\'s => \'s Link to comment https://forums.phpfreaks.com/topic/50927-solved-using-mysql_real_escape_string/#findComment-250512 Share on other sites More sharing options...
soycharliente Posted May 11, 2007 Author Share Posted May 11, 2007 VERY NICE! GREAT SUCCESS! Gracias. Link to comment https://forums.phpfreaks.com/topic/50927-solved-using-mysql_real_escape_string/#findComment-250514 Share on other sites More sharing options...
per1os Posted May 11, 2007 Share Posted May 11, 2007 Wow you never want to stripslashes of data coming out of a database bud. There is this magical function called get_magic_quotes_gpc that tells you whether the data coming from a form has been sanitized or not. I would suggest using this function: <?php function myEscape($string) { $string = get_magic_quotes_gpc()?stripslashes($string):$string; // since there is a difference between addslashes and mysql_real_esacpe_string return mysql_real_escape_string($string); // escape data properly. } ?> This way the data only get's santizied if it has not been before. That way when you pull data out of the DB you do not have to stripslashes on it! A rule of thumb, you should never have to stripslashes of data coming out of a database. Link to comment https://forums.phpfreaks.com/topic/50927-solved-using-mysql_real_escape_string/#findComment-250546 Share on other sites More sharing options...
soycharliente Posted May 11, 2007 Author Share Posted May 11, 2007 <?php function myEscape($string) { return get_magic_quotes_gpc()?mysql_real_escape_string($string):$string; } ?> I don't understand what that does. Link to comment https://forums.phpfreaks.com/topic/50927-solved-using-mysql_real_escape_string/#findComment-250548 Share on other sites More sharing options...
per1os Posted May 11, 2007 Share Posted May 11, 2007 <?php function myEscape($string) { return get_magic_quotes_gpc()?mysql_real_escape_string($string):$string; } ?> I don't understand what that does. I updated it due to some new insight, anyhow here it is commented <?php function myEscape($string) { // if magic quotes are on strip the slashes so we can use the proper mysql escapage. $string = get_magic_quotes_gpc()?stripslashes($string):$string; // since there is a difference between addslashes and mysql_real_esacpe_string return mysql_real_escape_string($string); // escape data properly. } ?> Basically the ? and : is the ternary operator meaning if get_magic_quotes_gpc is on than stripslashes on $string else leave $string alone and assign what came from it to $string. Link to comment https://forums.phpfreaks.com/topic/50927-solved-using-mysql_real_escape_string/#findComment-250552 Share on other sites More sharing options...
Trium918 Posted May 16, 2007 Share Posted May 16, 2007 How would do you apply this to a script? Link to comment https://forums.phpfreaks.com/topic/50927-solved-using-mysql_real_escape_string/#findComment-254156 Share on other sites More sharing options...
per1os Posted May 17, 2007 Share Posted May 17, 2007 anytime post or get data is to be processed put this at the top <?php include('databaseconnectionhere.php'); function myEscape($string) { // if magic quotes are on strip the slashes so we can use the proper mysql escapage. $string = get_magic_quotes_gpc()?stripslashes($string):$string; // since there is a difference between addslashes and mysql_real_esacpe_string return mysql_real_escape_string($string); // escape data properly. } if (isset($_POST)) { foreach ($_POST as $key => $val) { $_POST[$key] = myEscape($val); } } if (isset($_GET)) { foreach ($_GET as $key => $val) { $_GET[$key] = myEscape($val); } } ?> Link to comment https://forums.phpfreaks.com/topic/50927-solved-using-mysql_real_escape_string/#findComment-255027 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.