issue with " and ' in database fields


Notretsam


Anytime someone uses ' in a text field, it always adds don't to the database.

I looked in the MySQL database and it is showing as don't in there.

http://www.w3schools.com/php/func_mysqli_real_escape_string.asp

I tried adding to the database in the way the above page states, but it outputted as don't.

I'm having a similar issue with wrestler names like "The Superstar" Daniel Starr: whenever I pass the name across a page, it shows as "The Superstar" Daniel Starr.

This time it shows in the database as "The Superstar" Daniel Starr, which is because I manually adjusted it in the past.

I also thought using bind parameters when inserting into the database would put a stop to this, but I guess it doesn't.

I looked online for a solution but am having no luck. Any advice?


Your server probably has the magic_quotes PHP option enabled, which is relatively ancient. You can use a function like this to return a value from $_GET or $_POST that will be normalized regardless of whether or not magic_quotes is enabled. Values in $_POST will take priority over values in $_GET, and you can pass a default value in case it's not in either. I also have it always trim everything because I haven't found a case where I wouldn't want to do that. This version handles arrays, but only arrays with 1 dimension.

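```php
// Return a request value by name, normalized whether or not magic_quotes is on.
// $_POST takes priority over $_GET; $default is returned if the name is in neither.
function form_var($var, $default = '')
{
    $retval = $default;
    if (isset($_POST[$var]))
        $retval = $_POST[$var];
    elseif (isset($_GET[$var]))
        $retval = $_GET[$var];

    // get_magic_quotes_gpc() no longer exists in PHP 8, so check for it first.
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();

    if (is_array($retval))
    {
        // Only one-dimensional arrays are handled.
        foreach ($retval as $k => $v)
        {
            $retval[$k] = trim($v);
            if ($magic)
                $retval[$k] = stripslashes($retval[$k]); // keep the trimmed value
        }
    }
    else
    {
        $retval = trim($retval);
        if ($magic)
            $retval = stripslashes($retval);
    }
    return $retval;
}
```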

Tried using the form_val function.

Tried $libioBio = formval($_POST['newBio']);

which didn't add anything to the database column.

First I tried $lilbioBio = formval($lilbioBio); which still added don't to the database column.

Tried it with $lilbioBio within formval wrapped in '' and ", all the same.

Think I am going to have to contact the hosting company on it.

Thanks for the help again, JAG.


Well, using $bioFinal = stripslashes("$bioFinal");

this sorts the issue when getting info from the database.

I still can't get the http://wrestlestarz.com/profile.php?pid=%22The%20Superstar%22%20Daniel%20Starr URL to work; the pid is just not picking up with names with "" in them.

Okies, fixed it all now, am good.

It really seems to be awkward and ###### trying to sort it when adding to the database, which is what I have been trying to do for ages.

Today I looked at a fix for when pulling info from the database, and stripslashes("$bioFinal") works for me.


Use form_var('newBio'), or whatever the name is in $_GET or $_POST. Don't pass $_GET or $_POST to the function, pass the name of the item you're trying to get. Don't count on stripslashes, use a function like that which will adjust to the settings on the server. You can't guarantee the settings on any server, so write code to check the settings and do what's appropriate.


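The thread's two open questions (why bound parameters did not stop the stray backslashes, and how to pass a name containing " in a URL) can be seen in one run. This is an added example, not code from any poster in the thread; it assumes PHP with the pdo_sqlite extension, uses an in-memory database in place of MySQL, a hypothetical `wrestlers` table, and `addslashes()` to simulate what magic_quotes does to incoming values.

```php
<?php
// Added example, not code from the thread. Assumptions: PHP with pdo_sqlite
// (an in-memory database stands in for MySQL); table/column names are hypothetical.

// Constructed sample input, as the browser actually sent it.
$name = '"The Superstar" Daniel Starr';
$bio  = "He says he doesn't lose.";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wrestlers (name TEXT, bio TEXT)');
$ins = $db->prepare('INSERT INTO wrestlers (name, bio) VALUES (:name, :bio)');
$sel = $db->prepare('SELECT bio FROM wrestlers WHERE name = :name');

// Case 1: the value was already escaped before binding. addslashes() here
// simulates what magic_quotes does to $_POST. A bound parameter is stored
// verbatim, so the backslash becomes part of the data.
$ins->execute([':name' => 'escaped-first', ':bio' => addslashes($bio)]);
$sel->execute([':name' => 'escaped-first']);
echo "escaped then bound: ", $sel->fetchColumn(), "\n";

// Case 2: the raw value is bound with no escaping of any kind.
$ins->execute([':name' => $name, ':bio' => $bio]);
$sel->execute([':name' => $name]);
$stored = $sel->fetchColumn();
echo "raw then bound:     ", $stored, "\n";
echo "round trip intact:  ", var_export($stored === $bio, true), "\n";

// Output: encode for the context at the moment of output, never before storage.
// A query-string value gets rawurlencode(); anything placed in HTML gets
// htmlspecialchars(), including the finished href attribute.
$href = 'profile.php?pid=' . rawurlencode($name);
echo '<a href="', htmlspecialchars($href, ENT_QUOTES, 'UTF-8'), '">',
     htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "</a>\n";

// On the receiving page PHP has already URL-decoded $_GET['pid']; parse_str()
// shows the same decoding. The result is bound as-is, with no manual unescaping.
parse_str(parse_url($href, PHP_URL_QUERY), $query);
$sel->execute([':name' => $query['pid']]);
echo "lookup by pid:      ", $sel->fetchColumn(), "\n";
```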