paulmo, posted October 24, 2010

All is good in MySQL production text field (5.1.37), but slashes remaining from hosted server (4.1.24). Notes/code below. Thanks in advance for help.

```php
$message = $_POST['message'];
$message = trim($message);
// commenting this out removed slashes in production, but not on hosted server:
// $message = addslashes(strip_tags($message));
$message = mysql_real_escape_string($message);
```

wirehopper, posted October 24, 2010

I'd address the issue at the database level, not within the code.

If you're comfortable with commandline mysql (mysql -uuser database -p), or phpMyAdmin, use them to update the data in the database.

boen_robot, posted October 24, 2010

mysql_real_escape_string() is to only be used when adding strings onto a MySQL query.

addslashes(strip_tags($message)) is to be used any time any data is to have HTML tags removed, and slashes added to it in front of quotes, backslash and null.

I'm not sure I understand the problem... are you trying to migrate to a newer version of MySQL? If so, I'd suggest you use MySQLi instead, and use mysqli_real_escape_string() upon reinserting the old data into the new database.

paulmo (author), posted October 24, 2010

Just upgraded my db to MySQL 5.0.91 on the hosted server end and still get let\'s and that\'s on echoes. I use phpmyadmin.

I do not have this problem in my testing environment, on my laptop, using the code provided. Help? Thanks.

birbal, posted October 24, 2010

As robot said, addslashes will add slashes to your ', ", NULL, \ and mysql_real_escape also adds slashes to escape special characters. So it is doing something like the same thing two times.

For escaping data before a MySQL query, mysql_real_escape_string is more appropriate and secure. And if magic quotes is on at your host, it will also add slashes in every cookie, post, get data.

Maybe magic quotes is on at your host; that's why your data are being slashed. I faced the same problem some days ago.

paulmo (author), posted October 24, 2010

I have addslashes commented OUT. Guess that's unclear in my first post. And I'm already using mysql_real_escape_string. That's in first post too. Any other suggestions?

boen_robot, posted October 24, 2010

> Just upgraded my db to MySQL 5.0.91 on the hosted server end and still get let\'s and that\'s on echoes.

On echoes? Really? On plain echo, with no processing after the extraction from the DB? This can only mean one thing - your data is damaged due to escaping previously escaped data. Usually happens when magic quotes are on.

You might want to fix it by extracting the data (a plain select query), calling stripslashes() on it, then calling mysqli_real_escape_string(), and reinserting it into the DB. It may look as if you aren't doing anything, but if you do that, and only that (no additional processing), you'll reinsert the data appropriately.

paulmo (author), posted October 24, 2010

Actually it's being inserted in the db table with the slashes also. And by echo I mean after the mysql_query statement, a while loop, then the echo. So that doesn't seem to include processing. Again, this is not happening in testing environ. on my laptop with nearly identical MySQL versions, and I've got the tables set up identically.

Boen: just tried $message = stripslashes($message); before insertion, and that did not fix problem going in to db, or coming out on query.

boen_robot, posted October 25, 2010

I'm not saying that you do stripslashes() on newly inserted data. Do it on the existing data, and then reinsert that data as if it's new data - with mysqli_real_escape_string() and everything.

The problem is not the new MySQL version, but the different PHP versions on your testing and production server. Call phpinfo() on the production server, and you might find it's PHP4, and not PHP5. That, or simply that magic_quotes_gpc is set to true (1).

Once you reinsert the old data properly, to make the new data work, assuming that magic_quotes_gpc is indeed the culprit, ask your host if they could set that setting to false. If they won't allow you for whatever reason, add this code into a separate PHP file, and require_once it from the top of every other PHP file you have:

```php
<?php
// Strip one layer of slashes; request values can be nested arrays
// (e.g. name="field[]"), which stripslashes() alone cannot handle.
function strip_slashes_deep($value) {
    return is_array($value)
        ? array_map('strip_slashes_deep', $value)
        : stripslashes($value);
}

// Only undo the escaping when magic quotes actually added it.
if (get_magic_quotes_gpc()) {
    foreach ($_GET as $key => $value) {
        $_GET[$key] = strip_slashes_deep($value);
    }
    foreach ($_POST as $key => $value) {
        $_POST[$key] = strip_slashes_deep($value);
    }
    foreach ($_COOKIE as $key => $value) {
        $_COOKIE[$key] = strip_slashes_deep($value);
    }
    foreach ($_REQUEST as $key => $value) {
        $_REQUEST[$key] = strip_slashes_deep($value);
    }
}
?>
```

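The repair boen_robot describes above (select the stored rows, call stripslashes() once, write them back), as an added example that is not part of the original thread. It assumes a hypothetical `messages` table, uses an in-memory SQLite database through PDO so it runs offline, and uses bound parameters in place of the mysqli_real_escape_string() step; the `repaired` column is an added safeguard against stripping the same row twice.

```php
<?php
// Added example, not code from the thread. The `messages` table and its
// columns are hypothetical; in-memory SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (
    id INTEGER PRIMARY KEY, message TEXT, repaired INTEGER DEFAULT 0)');

// Constructed sample rows. The first two were stored with one extra layer of
// backslashes, as happens when magic quotes and the escape function both ran.
$insert = $db->prepare('INSERT INTO messages (message) VALUES (?)');
foreach (array("let\\'s go", "that\\'s \\\"fine\\\"", 'no quotes here') as $text) {
    $insert->execute(array($text));
}

// Strip exactly one layer of slashes from every row not yet repaired.
// Returns the number of rows whose text actually changed.
function repair_double_escaped(PDO $db)
{
    $rows = $db->query('SELECT id, message FROM messages WHERE repaired = 0')
               ->fetchAll(PDO::FETCH_ASSOC);
    // Bound parameters: the value never becomes part of the SQL text,
    // so no escaping function is needed when writing it back.
    $update = $db->prepare(
        'UPDATE messages SET message = ?, repaired = 1 WHERE id = ?');
    $changed = 0;
    $db->beginTransaction();
    try {
        foreach ($rows as $row) {
            $clean = stripslashes($row['message']);
            $update->execute(array($clean, $row['id']));
            if ($clean !== $row['message']) {
                $changed++;
            }
        }
        $db->commit();
    } catch (Exception $e) {
        $db->rollBack();   // leave the table untouched if any row fails
        throw $e;
    }
    return $changed;
}

echo repair_double_escaped($db), " row(s) changed on first run\n";
// The repaired flag makes a second run a no-op, so backslashes that
// belong in the text are never stripped twice.
echo repair_double_escaped($db), " row(s) changed on second run\n";
foreach ($db->query('SELECT message FROM messages') as $row) {
    echo $row['message'], "\n";
}
```

On a real table, rows written after magic quotes was disabled should be excluded from the repair (for example by insert date), since any backslashes in them are genuine.
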
paulmo (author), posted October 25, 2010

Thanks for all that Boen. PHP v. 5.3 in testing and 5.x on production server. So if I ask host to set magic_quotes_gpc to false I'll be good? Are magic_quotes useful to have otherwise? Re-inserting data seems like a work-around, but thanks for your code. Also, I tried mysqli_real_escape_string and for some reason anything with mysqli never works, but mysql does...

birbal, posted October 25, 2010

Use stripslashes to remove the slashes escaping the quotes. PHP is automatically adding those because magic quotes is probably enabled.

http://www.php.net/manual/en/function.stripslashes.php

If you want, you can use this function, this will get a value from $_POST or $_GET ($_POST takes priority), and it will trim the data and strip slashes if magic quotes is enabled:

```php
/* get a variable from post or get */
function form_var($str)
{
    $retval = '';
    if (isset($_POST[$str]))
        $retval = $_POST[$str];
    elseif (isset($_GET[$str]))
        $retval = $_GET[$str];

    if (is_array($retval)) {
        foreach ($retval as $k => $v) {
            $retval[$k] = trim($v);
            // strip slashes from the trimmed value so the trim is kept
            if (get_magic_quotes_gpc())
                $retval[$k] = stripslashes($retval[$k]);
        }
    } else {
        $retval = trim($retval);
        if (get_magic_quotes_gpc())
            $retval = stripslashes($retval);
    }
    return $retval;
}
```

e.g.:

```php
$regerr = form_var('yourvar');
```

2) You can add an additional php.ini (if your host supports that) where you can set magic_quote off (I used that for my problem) :)

3) Or you can ask your host for that.

Magic quote can't be off at runtime. Magic quote is not necessary.. it will be omitted from PHP 6. Maybe it can help you:

http://w3schools.invisionzone.com/index.php?showtopic=34151

paulmo (author), posted October 25, 2010

Thanks Birbal! I went with your 2). If anyone has this problem just name this php5.ini and upload to server:

```ini
; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
```

Works like a charm.