
A question about forums.


killboy


Hi there. I am making forums like these with PHP. I know that before you store the text in the DB you need to escape it with a function like mysql_real_escape_string(); that way, special characters would appear escaped. My question is: how can I make them appear unescaped when the other users are going to read the text? I dunno if it's easy, but I can't really figure it out.

P.S.: Thanks for any help.


You don't need to do anything. You're not saving the escaped characters in the database, you're saving the original characters. Escaping them just tells MySQL that you want to save the character instead of doing something else, like using a quote to end a string. You don't want to end the string with the quote, you want to store it in the database. Escaping it tells SQL that you want to store the character and not end the string, for example. But it doesn't store the escape sequence in the database, just the character.


Really?? That's not happening to me. It is actually saving the escape sequence. Am I doing a bad storage? If I want to store a value caught through POST on the DB, here's what I do:

$value = $_POST['value'];
$value = mysql_real_escape_string($value);
$query = "insert into [table] values ('" . $value . "')";
mysql_query($query);

Is that wrong?


Check to see if you have magic quotes enabled: get_magic_quotes_gpc(); returns 0 if off, 1 if on.

From PHP.net:

Note: If the directive magic_quotes_sybase is ON it will completely override magic_quotes_gpc. So even when get_magic_quotes_gpc() returns TRUE neither double quotes, backslashes or NUL's will be escaped. Only single quotes will be escaped. In this case they'll look like: ''


You can call stripslashes() on the queried string.


You can call stripslashes() on the queried string.
How about that? It worked! Thanks for the suggestion, Synook; and thanks to everyone who replied. Problem solved.

It's good to use your own escaping function where you can check for magic quotes. Magic quotes is gone as of PHP6, but until then we still have to deal with it. So instead of just using mysql_real_escape_string, use a function that will strip the slashes if necessary.

function esc_str($str)
{
  // Undo the slashes magic quotes added, so the value is escaped only once
  if (get_magic_quotes_gpc())
    $str = stripslashes($str);
  return mysql_real_escape_string($str);
}

Personally, I use this function to get a value from either $_POST or $_GET. It will trim and strip slashes if necessary, it searches post first then get, and it will handle arrays correctly.

function form_var($var)
{
  $retval = '';
  // $_POST takes precedence over $_GET
  if (isset($_POST[$var]))
    $retval = $_POST[$var];
  elseif (isset($_GET[$var]))
    $retval = $_GET[$var];

  if (is_array($retval))
  {
    foreach ($retval as $k => $v)
    {
      $retval[$k] = trim($v);
      // Strip the already trimmed value, so the trim is not thrown away
      if (get_magic_quotes_gpc())
        $retval[$k] = stripslashes($retval[$k]);
    }
  }
  else
  {
    $retval = trim($retval);
    if (get_magic_quotes_gpc())
      $retval = stripslashes($retval);
  }
  return $retval;
}

e.g. $value = form_var('username');

I use that to get the values first and trim and strip slashes, and another function to escape it before I put it in the database. That way no matter what the settings on the server are, the code will work consistently.


As much as I read, I don't get the magic quotes thing. Could anyone explain it to me?

Edit: I made a better reading, and finally understood it. I applied justsomeguy's function and it works well now. Looks like that was it, the magic quotes. Thanks for the help, people.


Magic quotes is one of those things that they put into PHP to try to make it easier to use, but instead it ended up causing problems. Register_globals is another one that is also gone as of PHP6 (so is safe mode, for that matter). If magic quotes is enabled then PHP will automatically escape data from $_GET, $_POST, or $_COOKIE (the GPC in get_magic_quotes_gpc). Settings like magic quotes and register globals just end up making people learning PHP probably more lazy than they should be; if you rely on those things to be enabled then your scripts are going to have problems on other servers. It might just be a good practice to disable those options, or at least be aware of what they do and make sure you're not counting on them being enabled.

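The double escaping discussed in this thread, traced from the form to the table, as an added example that is not part of any post above. Neither magic_quotes_gpc nor mysql_real_escape_string() exists in current PHP, so both are imitated here with plain string functions; the `sim_*` helpers, `stored_value()` and the sample input are hypothetical names and values made up for this illustration.

```php
<?php
// Added example, not code from the thread. Assumption: magic quotes behaves
// like addslashes(), and the escape table below matches the characters
// mysql_real_escape_string() escapes.
const MYSQL_ESCAPES = [
    "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
    "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
];

// Hypothetical stand-in for mysql_real_escape_string().
function sim_mysql_escape(string $s): string {
    return strtr($s, MYSQL_ESCAPES);
}

// What the server keeps after parsing the literal: one escaping level removed.
function sim_mysql_store(string $literal): string {
    return strtr($literal, array_flip(MYSQL_ESCAPES));
}

// Follow one form value from the request to the table.
// $magicQuotes: PHP already ran addslashes() on the request data.
// $stripFirst:  the esc_str() approach, stripslashes() before escaping.
function stored_value(string $typed, bool $magicQuotes, bool $stripFirst): string {
    $received = $magicQuotes ? addslashes($typed) : $typed;
    if ($magicQuotes && $stripFirst) {
        $received = stripslashes($received);
    }
    return sim_mysql_store(sim_mysql_escape($received));
}

$typed = 'O\'Brien saved it in C:\temp';   // constructed sample input

$rows = [
    'magic quotes off, escape once'          => stored_value($typed, false, false),
    'magic quotes on, escape again'          => stored_value($typed, true, false),
    'magic quotes on, strip first (esc_str)' => stored_value($typed, true, true),
];
foreach ($rows as $label => $stored) {
    printf("%-40s %s\n", $label, $stored);
}

// stripslashes() on output repairs the double-escaped row, but damages a row
// that was stored correctly and really contains a backslash.
printf("%-40s %s\n", 'stripslashes() on the bad row',
    stripslashes($rows['magic quotes on, escape again']));
printf("%-40s %s\n", 'stripslashes() on a good row',
    stripslashes($rows['magic quotes off, escape once']));
```

Only the second row keeps stray backslashes, which is why normalising the input once, before escaping, gives the same stored value on every server setting.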
