Jump to content

Slashes Problem.


paulmo
 Share

Recommended Posts

All is good in MySQL production text field (5.1.37), but slashes remaining from hosted server (4.1.24). Notes/code below. Thanks in advance for help.

$message = $_POST['message'];$message = trim($message);// commenting this out removed slashes in production, but not on hosted server: $message = addslashes(strip_tags($message));$message = mysql_real_escape_string($message);

Edited by paulmo
Link to comment
Share on other sites

mysql_real_escape_string() is to only be used when adding strings onto a MySQL query.addslashes(strip_tags($message)) is to be used any time any data is to have HTML tags removed, and slashes added to it in front of quotes, backslash and null.I'm not sure I understand the problem... are you trying to migrate to a newer version of MySQL? If so, I'd suggest you use MySQLi instead, and use mysqli_real_escape_string() upon reinserting the old data into the new database.

Link to comment
Share on other sites

as robot said addslashes will add slashes to your ', ",NULL,\and mysql_real_escape also add slashes to escape special character. so it is doing some thing like same thing two times.for escaping data before mysql query mysql_real_escape_string is more apropiate and secure. and if your magic quotes is on in host it will also add slashes in every cookie,post,get data.may be your magic quote is on your host. thats why you are data are being slashed. i faced same problem some days ago.

Edited by birbal
Link to comment
Share on other sites

Just upgraded my db to MySQL 5.0.91 on the hosted server end and still get let\'s and that\'s on echoes.
On echoes? Really? On plain echo, with no processing after the extraction from the DB? This can only mean one thing - your data is damaged due to escaping previously escaped data. Usually happens when magic quotes are on.You might want to fix it by extracting the data (a plain select query), calling stripslashes() on it, then calling mysqli_real_escape_string(), and reinserting it into the DB. It may look as if you aren't doing anything, but if you do that, and only that (no additional processing), you'll reinstert the data appropriately.
Link to comment
Share on other sites

Actually it's being inserted in the db table with the slashes also. And by echo I mean after the mysql_query statement, a while loop, then the echo. So that doesn't seem to include processing. Again, this is not happening in testing environ. on my laptop with nearly identical MySQL versions, and I've got the tables set up identically.Boen: just tried $message = stripslashes($message); before insertion, and that did not fix problem going in to db, or coming out on query.

Edited by paulmo
Link to comment
Share on other sites

I'm not saying that you do stripslashes() on newly inserted data. Do it on the existing data, and then reinsert that data as if it's new data - with mysqli_real_escape_string() and everything.The problem is not the new MySQL version, but the different PHP versions on your testing and production server. Call phpinfo() on the production server, and you might find it's PHP4, and not PHP5. That, or simply that magic_quotes_gpc is set to true (1).Once you reinsert the old data properly, to make the new data work, assuming that magic_quotes_gpc is indeed the culprit, ask your host if they could set that setting to false. If they won't allow you for whatever reason, add this code into a separate PHP file, and require_once it from the top of every other PHP file you have:

<?phpif (get_magic_quotes_gpc()) {	foreach($_GET as $key => $value) {		$_GET[$key] = stripslashes($value);	}	foreach($_POST as $key => $value) {		$_POST[$key] = stripslashes($value);	}	foreach($_COOKIE as $key => $value) {		$_COOKIE[$key] = stripslashes($value);	}	foreach($_REQUEST as $key => $value) {		$_REQUEST[$key] = stripslashes($value);	}}?>

Link to comment
Share on other sites

Thanks for all that Boen. PHP v. 5.3 in testing and 5.x on production server. So if I ask host to set magic_quotes_gpc to false I'll be good? Are magic_quotes useful to have otherwise? Re-inserting data seems like a work-around, but thanks for your code. Also, I tried mysqli_real_escape string and for some reason anything with mysqli never works, but mysql does...

Link to comment
Share on other sites

Use stripslashes to remove the slashes escaping the quotes. PHP is automatically adding those because magic quotes is probably enabled.http://www.php.net/manual/en/function.stripslashes.phpIf you want, you can use this function, this will get a value from $_POST or $_GET ($_POST takes priority), and it will trim the data and strip slashes if magic quotes is enabled:
/*get a variable from post or get*/function form_var($str){  $retval = '';  if (isset($_POST[$str]))	$retval = $_POST[$str];  elseif (isset($_GET[$str]))	$retval = $_GET[$str];  if (is_array($retval))  {	foreach ($retval as $k => $v)	{	  $retval[$k] = trim($v);	  if (get_magic_quotes_gpc())		$retval[$k] = stripslashes($v);	}  }  else  {	$retval = trim($retval);	if (get_magic_quotes_gpc())	  $retval = stripslashes($retval);  }  return $retval;}

e.g.:$regerr = form_var('yourvar');

2) you can add additonal php.ini (if your host suports that) where you can set magic_quote off (i used that for my problem) :)3) or you can ask your host for thatmagic quote cant be off at runtime.magic quote is not nescary..it will be ommited from php 6 .may be it can help youhttp://w3schools.invisionzone.com/index.php?showtopic=34151 Edited by birbal
Link to comment
Share on other sites

Thanks Birbal! I went with your 2). If anyone has this problem just name this php5.ini and upload to server:

; Magic quotes;; Magic quotes for incoming GET/POST/Cookie data.magic_quotes_gpc = Off; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.magic_quotes_runtime = Off; Use Sybase-style magic quotes (escape ' with '' instead of \').magic_quotes_sybase = Off

Works like a charm.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...