this is some 'example text' and is a "test"
and this is what is displayed when its in the database:
this is some \'example text\' and is a \"test\"
is there anyway to stop that? or hide the backslahes?
Thanks, James.
Hi James,
Your question is too vague to give a sensible answer.
What do you mean by 'type into database'?
Do you type directly into the database or do you use a html-form with PHP at
the backend inserting/updating the database?
If the latter, are you sure the backslashes are actually IN the database, or
do you see some output somewhere on a webpage that contains them?
Check this by direct querying the database from commandline. It is very well
possible they are added by PHP, and are stored just fine in the database.
I am not teasing you: The backslashmatter is very important to understand
for a programmer, because it protects against crackattacks like
SQL-injection.
Read more here:
http://nl2.php.net/manual/en/function.addslashes.php
Be sure to follow the links to:
stripslashes(), htmlspecialchars(), and get_magic_quotes_gpc().
Regards,
Erwin Moller
And this is actually what is kept in the db:
this is some \'example text\' and is a \"test\"
so i'm guessing that strip slashes function is what i need to use ...so
i'll try that.
Thanks, James.
Hi James,
OK, I think it might make more sense to avoid adding them in the first
place.
I expect you have somehow a double call to add_slashes().
This happens easily if:
1) magic_quotes_gpc is on.
2) PHP adds slashes before inserting into the db.
Suppose PHP receives formdata for a text element named firstname that
contains quotes and doublequotes, eg
Hel'l"o
if magic_quotes_gpc is on, and you put this into some variable :
$firstname = $_POST["firstname"];
now $firstname contains: Hel\'l\"o
If you call addslashes again, you'll end up with:
Hel\\\'l\\\"o
If you insert that into a database, the database will (correctly) assume
that the \ means escaping the next character, and end up with:
Hel\'l\"o
Regards,
Erwin Moller
PS:
[from http://nl2.php.net/manual/en/function.addslashes.php]
Description
string addslashes ( string str )
Returns a string with backslashes before characters that need to be quoted
in database queries etc. These characters are single quote ('), double
quote ("), backslash (\) and NUL (the NULL byte).
An example use of addslashes() is when you're entering data into a database.
For example, to insert the name O'reilly into a database, you will need to
escape it. Most databases do this with a \ which would mean O\'reilly. This
would only be to get the data into the database, the extra \ will not be
inserted. Having the PHP directive magic_quotes_sybase set to on will mean
' is instead escaped with another '.
The PHP directive magic_quotes_gpc is on by default, and it essentially runs
addslashes() on all GET, POST, and COOKIE data. Do not use addslashes() on
strings that have already been escaped with magic_quotes_gpc as you'll then
do double escaping. The function get_magic_quotes_gpc() may come in handy
for checking this.
I thought i could just tweek the db's collation (whatever that is) to
something that doesnt add those horrible backslahes.
P.S.
Here's my code:
if (isset($_POST['submit'])) {
// form submitted
// set server access variables
// get form input
// check to make sure its all there
// escape input values for greater safety
$Idea_Name = empty($_POST['Idea_Name']) ? die ("ERROR: Enter the
Idea Name") : mysql_escape_string($_POST['Idea_Name']);
$Category = empty($_POST['Category']) ? die ("ERROR: Enter the
Category") : mysql_escape_string($_POST['Category']);
$Idea = empty($_POST['Idea']) ? die ("ERROR: Enter the Idea") :
mysql_escape_string($_POST['Idea']);
// open connection
$connection = mysql_connect($host, $user, $pass) or die ("Unable to
connect!");
// select database
mysql_select_db($db) or die ("Unable to select database!");
$date = date("Y-m-d");
$time = date("H:i:s",(time()+6*3600));
$ip = $_SERVER['REMOTE_ADDR'];
// create query
$query = "INSERT INTO ideas (Idea_Name, Category, Idea, Date, Time,
IP_Address) VALUES
('$Idea_Name','$Category','$Idea','$date','$time','$ip')";
//replace sites with your table name
//replace address and description with the filed name
// execute query
$result = mysql_query($query) or die ("Error in query: $query.
".mysql_error());
// print message with ID of inserted record
echo "New record inserted at $time it will now go to the
approvers";
// close connection
mysql_close($connection);
}
And if you need it this is where that page is on the web:
http://flavouredcandy.com/addideas.php
James.
Go back to Erwin's post and read this:
> 1) magic_quotes_gpc is on.
I.e. have a look at your php config settings using phpinfo()