I am submitting a form to my MySQL database using PHP.
I am sending the form data through the mysql_real_escape_string($content) function.
When the entry shows up in my database (checking in phpMyAdmin) all of my double quotes and single quotes are escaped.
I'm fairly certain this is a PHP configuration issue?
so:

    $content = 'Hi, my name is Jascha and my "favorite" thing to do is sleep';
    $content = mysql_real_escape_string($content);
    $query = 'INSERT INTO DB...'

comes up in my database as:

    Hi, my name is Jascha and my \"favorite" thing to do is sleep
Who do I tell what to do? (I cannot access the php.ini).
mysql_real_escape_string() is used to escape special characters like '\', '\n', etc. in a query string before sending the query to the MySQL server. The given unescaped_string is encoded and an escaped SQL string is returned as output. The mysql_real_escape_string() function returns the length of the encoded or escaped SQL string.
The real_escape_string() / mysqli_real_escape_string() function escapes special characters in a string for use in an SQL query, taking into account the current character set of the connection.
In PHP, an escape sequence starts with a backslash (\). Escape sequences apply to double-quoted strings. A single-quoted string only uses the escape sequences for a single quote or a backslash.
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00 , \n , \r , \ , ' , " and \x1a . This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
If you are getting your $content data from a form (and not "as-is" in the PHP code), maybe you're having a problem because of Magic quotes (see magic_quotes_gpc).
Basically:

When magic_quotes are on, all ' (single quote), " (double quote), \ (backslash) and NULs are escaped with a backslash automatically.

If magic quotes are enabled (you can check this in the output of phpinfo(), for instance), you'll be getting that kind of "double escaping" with mysql_real_escape_string.
The good solution, in this case, is not to stop using mysql_real_escape_string, but to disable magic_quotes_gpc in your configuration...

... But, as you don't have access to it, you'll actually have to "revert" the effect of magic quotes, calling stripslashes on the input you're getting as $_GET and $_POST, before beginning to use it.
Note: it's advice that's given on the manual page of mysql_real_escape_string (quoting):

    Note: If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.
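As an added example (not part of the answer above), here is the double-escaping pipeline reproduced offline. magic_quotes_gpc applied the equivalent of addslashes() to every request value before the script ran, so the demo models it that way. mysqli_real_escape_string() needs a live connection, so the escaping step is passed in as a callable: the demo passes addslashes, which treats ', ", \ and NUL the same way, and a real deployment would pass the mysqli escaper shown in the comment. The function names (simulate_magic_quotes, raw_request_value, prepare_for_query) are hypothetical.

```php
<?php
// Added example (not from the original answer). Models the double escaping
// that magic_quotes_gpc + mysql_real_escape_string() produced, and the fix.

// What magic_quotes_gpc did to every request value before the script ran:
// equivalent to addslashes(), so the demo models it that way (assumption
// only in the sense that no real magic-quotes PHP is needed to run this).
function simulate_magic_quotes(string $raw): string
{
    return addslashes($raw);
}

// Normalise a request value: undo magic quotes only when they are on.
// Calling stripslashes() unconditionally would corrupt legitimate backslashes.
function raw_request_value(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Escape exactly once, with whatever escaper the caller supplies.
// In production: $escape = fn(string $s) => $mysqli->real_escape_string($s);
function prepare_for_query(string $value, bool $magicQuotesOn, callable $escape): string
{
    return $escape(raw_request_value($value, $magicQuotesOn));
}

// Constructed sample input: the original poster's string.
$submitted = 'Hi, my name is Jascha and my "favorite" thing to do is sleep';

// With magic quotes on, PHP hands the script an already-escaped value.
$fromPost = simulate_magic_quotes($submitted);
echo "as received from \$_POST: $fromPost\n";

// Stand-in for mysqli_real_escape_string(); needs no database connection.
$escape = 'addslashes';

// Wrong: escaping again without reverting magic quotes doubles every backslash.
$doubleEscaped = $escape($fromPost);
echo "escaped twice (what the poster saw): $doubleEscaped\n";

// Right: strip the magic-quote layer, then escape once.
$once = prepare_for_query($fromPost, true, $escape);
echo "escaped once: $once\n";

// Sanity check: what reaches the SQL layer must equal the original escaped once.
var_dump($once === $escape($submitted));
var_dump($doubleEscaped === $escape($submitted));
```

The same function works unchanged on a server where magic quotes are off: pass false as the second argument and stripslashes() is never applied, so the value is escaped exactly once either way.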
You need to take magic quotes into account when retrieving request data. If get_magic_quotes_gpc() is true, then you need to run stripslashes() on the input. The best way would be to write a function for that. Something like:
    // Read one string from a request array ($_GET/$_POST), trimmed, reverting
    // magic quotes only when they are actually on; otherwise return $default.
    function get_string($array, $index, $default = null) {
        if (isset($array[$index]) && strlen($value = trim($array[$index])) > 0) {
            return get_magic_quotes_gpc() ? stripslashes($value) : $value;
        } else {
            return $default;
        }
    }
..which you can use as

    $input = get_string($_POST, 'input');

..instead of

    $input = $_POST['input'];

Do the same for trivial stuff like get_number(), get_boolean(), get_array() and so on.
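As an added example (not the answer's own code), the same helper written so it still runs on current PHP, where get_magic_quotes_gpc() no longer exists (magic_quotes_gpc was removed in PHP 5.4 and the function itself in PHP 8.0), together with an insert that uses a mysqli prepared statement so no manual escaping is needed at all. The function names (magic_quotes_active, get_string, insert_content), the table and column names, and the sample request array are assumptions.

```php
<?php
// Added example (not from the answer above). A request-reading helper that
// works on PHP 8, where get_magic_quotes_gpc() no longer exists, plus an
// insert via a prepared statement so no manual escaping is required.

// magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in 8.0;
// on modern PHP this always reports false, which is the desired behaviour.
function magic_quotes_active(): bool
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Fetch one string from a request array, reverting magic quotes only when
// they are actually on, so the value is never stripped when it was not escaped.
function get_string(array $array, string $index, ?string $default = null): ?string
{
    if (!isset($array[$index]) || !is_string($array[$index])) {
        return $default;
    }
    $value = trim($array[$index]);
    if ($value === '') {
        return $default;
    }
    return magic_quotes_active() ? stripslashes($value) : $value;
}

// Store the value with a prepared statement: the driver sends data separately
// from the SQL text, so quotes and backslashes are stored exactly as typed and
// cannot alter the query. Table `entries` and column `content` are assumptions.
function insert_content(mysqli $db, string $content): int
{
    $stmt = $db->prepare('INSERT INTO entries (content) VALUES (?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $content);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    return $stmt->affected_rows;
}

// Constructed request data standing in for $_POST. The backslashes are what a
// legacy server with magic quotes on would hand the script for the poster's input.
$post = [
    'content' => '  Hi, my name is Jascha and my \"favorite\" thing to do is sleep  ',
    'empty'   => '   ',
];

$content = get_string($post, 'content');
var_dump($content);                       // trimmed; slashes removed only if magic quotes are on
var_dump(get_string($post, 'empty', 'n/a'));   // blank value falls back to the default
var_dump(get_string($post, 'missing'));        // absent key falls back to null

// With a live connection the insert needs no escaping step at all:
// $db = new mysqli('localhost', 'user', 'pass', 'dbname');
// insert_content($db, $content);
```

Because the prepared statement never interpolates the value into the SQL string, the double-escaping problem disappears along with the need for mysql_real_escape_string(); the only normalisation left is undoing magic quotes on servers old enough to still have them.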