music_lp90 Posted August 4, 2007

Hi, I think I may have seen topics on here about this before, but I can't seem to find them. I have a text box in a form that sends the text to mysql. My problem is when I submit the form to the mysql database, it puts a back-slash before any quotation marks that I typed in. How can I stop this?

For example, if I type we're, it would write it like this we\'re.

Here's the upload code.

    <?php
    // set time zone to eastern
    putenv("TZ=US/Eastern");
    // set date variable
    $date = date("m/d/y");
    $dbh = mysql_connect("localhost", "user", "password") or die('I cannot connect to the database because: ' . mysql_error());
    mysql_select_db("dbname");
    $news1 = $_POST['news1'];
    $news2 = $_POST['news2'];
    $news3 = $_POST['news3'];
    if ($news1 !== "") mysql_query("INSERT INTO news (statement, date) VALUES ('$news1', '$date')");
    if ($news2 !== "") mysql_query("INSERT INTO news (statement, date) VALUES ('$news2', '$date')");
    if ($news3 !== "") mysql_query("INSERT INTO news (statement, date) VALUES ('$news3', '$date')");
    if ($news1 == "" && $news2 == "" && $news3 == "") echo "No entries made";
    ?>

    <?php
    $query = mysql_query('SELECT * FROM `news`');
    while ($results = mysql_fetch_array($query)) {
        echo $results['id'] . " " . $results['date'] . " " . $results['statement'] . '<br />';
    }
    ?>

Thanks for your help!

justsomeguy Posted August 4, 2007

That's not MySQL, it's PHP. You can check if magic quotes are on and remove the slashes if so.

    $news1 = $_POST['news1'];
    $news2 = $_POST['news2'];
    $news3 = $_POST['news3'];
    if (get_magic_quotes_gpc()) {
        $news1 = stripslashes($news1);
        $news2 = stripslashes($news2);
        $news3 = stripslashes($news3);
    }

jhecht Posted August 4, 2007

Generally, you don't want to get rid of the slashes unless you're displaying the data. The slashes help against SQL injection (the most common form of hacking in database-using systems). Let's say on another page you're displaying the data, you just go

    $sql = "SELECT * FROM news";
    $ans = mysql_query($sql, $con) or die(mysql_error()); // sql and query
    while ($row = mysql_fetch_assoc($ans)) {
        $row['news'] = stripslashes($row['news']); // Voila, extra slashes are gone.
    }

music_lp90 Posted August 4, 2007 Author

Thanks for your help. However, I have no idea what happened. I went to try your suggestion and before I did, I tested it just the way it was and it is no longer adding slashes.

jhecht Posted August 4, 2007

If it's no longer adding them in the db, you should take an extra step in your insertion code.

    $news1 = (get_magic_quotes_gpc()) ? $_POST['news1'] : mysql_real_escape_string($_POST['news1']);

Repeat that for all the new variables. Basically this checks if magic quotes is on, if so, then the string is automatically escaped, if not, then it uses mysql_real_escape_string to escape things like quotation marks and so on (also, backslashes I believe if they were actually inputted). Do a test on this, to see if there are slashes in the database value that is displayed through another page. If there are, add the line of code given to you before, if not, then ignore it.
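
The insert flow discussed in this thread, as an added example that is not from any poster: it undoes magic quotes once at input and swaps the thread's mysql_* escaping for PDO bound parameters, so the stored text needs no stripslashes at display time. The function names, the sample strings and the in-memory SQLite DSN are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PDO with the SQLite driver
// (in-memory, so it runs offline); for MySQL only the DSN would change.
date_default_timezone_set('America/New_York');

// Undo magic quotes once, at input, so the application always holds the text
// exactly as typed. The setting only exists before PHP 5.4.
function magic_quotes_active()
{
    return PHP_VERSION_ID < 50400 && get_magic_quotes_gpc();
}

function as_typed($value, $magicQuotesOn)
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Bound parameters carry the value separately from the SQL text, so quotes in
// $statement need no escaping and nothing has to be stripped at display time.
function save_news(PDO $db, $statement, $date)
{
    if ($statement === '') {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO news (statement, date) VALUES (?, ?)');
    return $stmt->execute(array($statement, $date));
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, statement TEXT, date TEXT)');

// Constructed samples: the same submission as PHP would hand it over with
// magic quotes on (slash already added) and with magic quotes off.
// With a real form: as_typed($_POST['news1'], magic_quotes_active())
$samples = array(
    array("we\\'re open", true),
    array("we're open", false),
    array('', false), // empty field: skipped
);
foreach ($samples as $sample) {
    save_news($db, as_typed($sample[0], $sample[1]), date('m/d/y'));
}

foreach ($db->query('SELECT id, date, statement FROM news') as $row) {
    // Stored text carries no added slashes; HTML-escape only when printing.
    echo $row['id'], ' ', $row['date'], ' ',
        htmlspecialchars($row['statement'], ENT_QUOTES, 'UTF-8'), "<br />\n";
}
```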
This topic is now archived and is closed to further replies.