
Stripslashes


Manny


I have a search form on my website but having a big problem with it. The form works fine if the data submitted to it doesn't have ' or " in it. But if it does, even with the use of stripslashes, it is still bringing back a result with a trailing \. The data passed from the variable then makes use of the mysql_real_escape_string function to search the database, which is doubling the trailing \'s. Here is the stripslashes code I am using:

```php
$searchRequest = stripslashes($_GET['s']);
```

Using the search term "Joey O'Brien", the result of that would be Joey O\'Brien. Then, using the mysql_real_escape_string function, it displays "Joey O\\'Brien". I tried it without stripslashes and my results were "Joey O\\'Brien" and "Joey O\\\\'Brien". I've used stripslashes plenty of times in the past, but I don't understand why the number of preceding \'s isn't what I expect and don't know how to get rid of them.


Had already tried using stripslashes twice; it works, but then when it is needed for the mysql_real_escape_string function, where a single slash needs to be, it doesn't work. It's baffled me a little bit.


Your server might have Magic Quotes activated. This feature automatically escapes quotes in user input, so you have to use stripslashes() on the string right when you receive it from POST or GET.


I'll post some code so maybe someone can see where I'm going wrong. Here is the Magic Quotes section of the php.ini file:

```ini
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
```

magic_quotes_gpc had been "On", but after turning it "Off" it still gives the same problem. Like I said, the example I used was the term "Joey O'Brien". After using stripslashes, it still returns "Joey O\'Brien". I can use stripslashes twice, but then when it comes to mysql_real_escape_string, the slash doesn't go back in, meaning the query doesn't execute. Here is the PHP file that gathers the information from the "s" variable at the end of the URL. It stores it in the $searchRequest variable and loads data from the "searchresults.php" file.

```php
<?php
// Expects $siteURL to be set by the site's configuration (not shown in the thread).

// If no search term is present, load the index page
if (!isset($_GET['s'])) {
    header("Location: " . $siteURL);
    exit;   // stop here so nothing below runs after the redirect
} else {
    // Create variable for the search term (read only after the isset() check)
    $searchRequest = stripslashes($_GET['s']);
    $pageName = "Search Results: " . $searchRequest;
    require("searchresults.php");   // the filename must be a quoted string
}
?>
```

searchresults.php. I believe the problems to be in sections 2 and 8 (i.e. the queries).

```php
<?php
// searchresults.php. Expects $searchRequest (the search term), $connection
// (an open mysql_* link) and $siteURL to be set by the including script.
// The mysql_* extension is PHP 5 era and was removed in PHP 7.

// Pagination

// 1. Get current page number. Set to 1 if value is not present
if (isset($_GET['page'])) { $page = $_GET['page']; } else { $page = 1; }

// 2. Identify how many rows are selected
$query = "SELECT COUNT(*) FROM `news_archive`"
       . " WHERE `Keywords` LIKE CONVERT( _utf8 '%" . mysql_real_escape_string($searchRequest) . "%' USING latin1 ) COLLATE latin1_swedish_ci";
$result = mysql_query($query, $connection) or trigger_error("SQL", E_USER_ERROR);
$query_data = mysql_fetch_row($result);
$numrows = $query_data[0];

// 3. Calculate the number of $lastpage
// This code uses the values in $rows_per_page and $numrows in order to identify the number of the last page.
$rows_per_page = 11;
$lastpage = ceil($numrows / $rows_per_page);

// 4. Ensure that $page is within range
// This code checks that the value of $page is an integer between 1 and $lastpage
$page = (int)$page;
if ($page > $lastpage) { $page = $lastpage; }
if ($page < 1) { $page = 1; }

// 5. Construct LIMIT clause (both operands are integers by now, so inlining them is safe)
$limit = 'LIMIT ' . (($page - 1) * $rows_per_page) . ',' . $rows_per_page;

// The term and PHP_SELF are user-controlled, so escape them for the
// HTML and URL contexts they are echoed into.
$self      = htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, 'UTF-8');
$termHtml  = htmlspecialchars($searchRequest, ENT_QUOTES, 'UTF-8');
$termQuery = urlencode($searchRequest);

// Pagination links, used at 6 and 10 (the two blocks were identical)
function paging_links($self, $termQuery, $page, $lastpage, $numrows, $rows_per_page)
{
    echo '<div class="titlestrip_sub_paging">';
    if (($page != 1) && ($numrows > $rows_per_page)) {
        $prevpage = $page - 1;
        echo '<a href="' . $self . '?s=' . $termQuery . '&amp;page=1">FIRST</a>';
        echo '<a href="' . $self . '?s=' . $termQuery . '&amp;page=' . $prevpage . '">PREV</a>';
    }
    // Next we inform the user of his current position in the sequence of available pages.
    if ($numrows > $rows_per_page) {
        echo '( Page ', $page, ' of ', $lastpage, ' )';
    }
    // This code will provide the links for any following pages.
    if (($page != $lastpage) && ($numrows > $rows_per_page)) {
        $nextpage = $page + 1;
        echo '<a href="' . $self . '?s=' . $termQuery . '&amp;page=' . $nextpage . '">NEXT</a>';
        echo '<a href="' . $self . '?s=' . $termQuery . '&amp;page=' . $lastpage . '">LAST</a>';
    }
    echo '</div>';
}

// 6. Pagination
if (($numrows > $rows_per_page) && $searchRequest != '') {
    paging_links($self, $termQuery, $page, $lastpage, $numrows, $rows_per_page);
}

// 7. If there are no returns from the search, display a message to notify the user
if (($numrows == '0') || ($searchRequest == '')) {
    echo '<p id="newsbody">Your search - <b>', $termHtml, '</b> - did not return any results.<br />',
         '<br />Suggestions:<br />',
         '• Make sure all words are spelled correctly.<br />',
         '• Try different keywords.</p>';
}

if ($searchRequest != '') {
    // 8. Issue the database query
    $sqlstatement = "SELECT `ID`, `Title`, `Story` FROM `news_archive`"
                  . " WHERE `Keywords` LIKE CONVERT( _utf8 '%" . mysql_real_escape_string($searchRequest) . "%' USING latin1 ) COLLATE latin1_swedish_ci"
                  . " ORDER BY `ID` DESC $limit";
    $sql_result = mysql_query($sqlstatement, $connection) or die("<p>Content could not be displayed.</p>");
    // Debug output: this is how the doubled backslashes were observed. It shows
    // the full query to every visitor, so remove it once the problem is solved.
    echo $sqlstatement;

    // Open loop and define variables
    while ($row = mysql_fetch_array($sql_result)) {
        $fulldescription = explode("<br />", $row["Story"]);
        $length = strlen($fulldescription[0]);
        $lengthlimit = 150;
        $description = substr($fulldescription[0], 0, $lengthlimit);
        $link = $siteURL . '/news/?id=' . (int)$row["ID"];

        // 9. Display the news archive
        echo '<div class="archiveitem">';
        echo '<a href="', $link, '">', htmlspecialchars($row["Title"], ENT_QUOTES, 'UTF-8'), '</a>';
        echo '<p>', $description;
        if ($length > $lengthlimit) {
            echo '... <a href="', $link, '">More >></a>';
        }
        echo '</p></div>';
    }
}

// 10. Pagination
if (($numrows > $rows_per_page) && $searchRequest != '') {
    paging_links($self, $termQuery, $page, $lastpage, $numrows, $rows_per_page);
}
?>
```


I've found the problem, but still not managed to solve it yet. At the start of my scripts I include an SMF.ssi file for integration with my SMF forum. I took this out and the form works as it should have done at the beginning. Problem is, I need the SMF file in my script. I've searched the web and not found an answer, so I guess the best bet would be to pay SMF a visit.


SMF is just escaping everything itself. So, if you use that file, then you'll need to strip it yourself also. Using mysql_real_escape_string should never be a problem; it should always add slashes before any necessary characters, regardless of whether or not they've been escaped or stripped or whatever.

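The layering the thread is circling, shown in working code as an added example, not code from the posts above or from SMF. It models magic_quotes_gpc and the escaping SSI.php applies to request data with addslashes() (that SSI.php escapes $_GET the way addslashes() does is an assumption), takes the reply's advice to "strip it yourself" one step further by snapshotting $_GET before any include can alter it, and swaps mysql_real_escape_string for a PDO bound parameter so the database quotes the term exactly once (a swap on the editor's part; mysql_* was removed in PHP 7). PDO with the sqlite driver and a table using the thread's column names are assumed, and the rows are constructed:

```php
<?php
// Added example for this thread, not code from the original posts or from SMF.
// Reproduces the "extra backslash" symptom with addslashes() standing in for
// magic_quotes_gpc and for the escaping SSI.php is assumed to apply to request
// data, then shows two measures that stay correct however many layers an
// include adds: keep a pristine copy of $_GET before any include runs, and let
// the database driver quote the value once through a bound parameter.
// Assumes PDO with the sqlite driver; the table mirrors the thread's news_archive.

// Snapshot the request first. In the thread this line would sit above
// require("/Path/To/File/SSI.php") so that SMF's changes to $_GET do not matter.
$pristineGet = $_GET;

// Walk the term through the layers the poster describes and return each stage.
function escaping_chain($term) {
    $oneLayer  = addslashes($term);          // magic quotes:        Joey O\'Brien
    $twoLayers = addslashes($oneLayer);      // SSI.php on top:      Joey O\\\'Brien
    $stripped  = stripslashes($twoLayers);   // one stripslashes():  Joey O\'Brien (still escaped)
    // Hand-quoting this into SQL escapes the leftover backslash as well, so the
    // LIKE pattern would look for a literal backslash and match nothing.
    // addslashes() produces the same result as mysql_real_escape_string for
    // these two characters.
    $quoted = addslashes($stripped);         // Joey O\\\'Brien
    return array(
        'raw'                => $term,
        'one_layer'          => $oneLayer,
        'two_layers'         => $twoLayers,
        'after_stripslashes' => $stripped,
        'hand_quoted'        => $quoted,
    );
}

// Query with a bound parameter: the raw term travels as data, never spliced into
// the SQL text, so no stripslashes/escape dance is needed. LIKE's own wildcards
// are escaped with '!' so a user typing "%" or "_" gets a literal match.
function search_news(PDO $db, $term, $rowsPerPage, $page) {
    $pattern = '%' . strtr($term, array('!' => '!!', '%' => '!%', '_' => '!_')) . '%';
    $page    = max(1, (int) $page);
    $offset  = ($page - 1) * (int) $rowsPerPage;

    $stmt = $db->prepare(
        "SELECT ID, Title FROM news_archive
          WHERE Keywords LIKE :pattern ESCAPE '!'
          ORDER BY ID DESC
          LIMIT :limit OFFSET :offset"
    );
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':limit', (int) $rowsPerPage, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed data standing in for the thread's news_archive table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE news_archive (ID INTEGER PRIMARY KEY, Title TEXT, Story TEXT, Keywords TEXT)");
$ins = $db->prepare("INSERT INTO news_archive (Title, Story, Keywords) VALUES (?, ?, ?)");
$ins->execute(array("Joey O'Brien signs", "Story text", "joey o'brien, transfer"));
$ins->execute(array("Heatwave",           "Story text", "weather, 100% humidity"));
$ins->execute(array("Injury list",        "Story text", "o_brien, injuries"));

// Use the pristine request value when one exists, otherwise the constructed term.
$term = isset($pristineGet['s']) ? $pristineGet['s'] : "Joey O'Brien";

foreach (escaping_chain($term) as $stage => $value) {
    printf("%-20s %s\n", $stage, $value);
}
print_r(search_news($db, $term, 11, 1));     // one row: "Joey O'Brien signs"
print_r(search_news($db, '100%', 11, 1));    // "%" is literal: one row, "Heatwave"
print_r(search_news($db, 'o_brien', 11, 1)); // "_" is literal: one row, "Injury list"

// When the term reaches HTML (result heading, paging links), escape for that
// context separately; the SQL escaping above has nothing to do with it.
echo 'Your search - <b>' . htmlspecialchars($term, ENT_QUOTES, 'UTF-8') . "</b>\n";
echo '<a href="?s=' . urlencode($term) . '&amp;page=1">FIRST</a>' . "\n";
```

Run it with the command-line php binary: the first block of output walks the term through the stages and shows where the backslash the poster cannot get rid of comes from, and each search_news() call returns exactly one row because the LIKE wildcards are escaped. The two echo lines at the end are the other half of the fix that the thread's scripts skip: stripslashes and mysql_real_escape_string only concern SQL, and the same term still needs htmlspecialchars() before it is echoed into the page and urlencode() before it goes into the paging links.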

How do you mean? I've not edited the smf.ssi file in any way; I call it like this:

```php
require("/Path/To/File/SSI.php");
```

Then, as shown in my first post:

```php
$searchRequest = stripslashes($_GET['s']);
```

So we're guessing SMF is causing the \' to still be there even after the stripslashes line. What should I be changing? If possible I want to try and avoid editing the SMF file.


Archived

This topic is now archived and is closed to further replies.
