
Backslashes all over the place


James54321

Oct 24, 2006, 9:23:45 AM
Ok, so this is the text I type into the database:

this is some 'example text' and is a "test"

and this is what is displayed when it's in the database:

this is some \'example text\' and is a \"test\"

Is there any way to stop that? Or hide the backslashes?

Thanks, James.

Erwin Moller

Oct 24, 2006, 10:09:59 AM
James54321 wrote:

Hi James,

Your question is too vague to give a sensible answer.
What do you mean by 'type into database'?
Do you type directly into the database or do you use an HTML form with PHP at
the backend inserting/updating the database?

If the latter, are you sure the backslashes are actually IN the database, or
do you see some output somewhere on a webpage that contains them?
Check this by querying the database directly from the command line. It is very
well possible they are added by PHP, and are stored just fine in the database.

I am not teasing you: the backslash matter is very important to understand
for a programmer, because it protects against crack attacks like
SQL injection.

Read more here:
http://nl2.php.net/manual/en/function.addslashes.php

Be sure to follow the links to:
stripslashes(), htmlspecialchars(), and get_magic_quotes_gpc().

Regards,
Erwin Moller

James54321

Oct 24, 2006, 10:15:55 AM
Ok, then: it gets submitted via an HTML/PHP page I made that then inserts
it into the database.

And this is actually what is kept in the db:
this is some \'example text\' and is a \"test\"

So I'm guessing that stripslashes function is what I need to use... so
I'll try that.

Thanks, James.

Erwin Moller

Oct 24, 2006, 10:32:20 AM
James54321 wrote:

Hi James,

OK, I think it might make more sense to avoid adding them in the first
place.
I expect you somehow have a double call to addslashes().
This happens easily if:
1) magic_quotes_gpc is on.
2) PHP adds slashes before inserting into the db.

Suppose PHP receives form data for a text element named firstname that
contains quotes and double quotes, e.g.
Hel'l"o

If magic_quotes_gpc is on, and you put this into some variable:
$firstname = $_POST["firstname"];

Now $firstname contains: Hel\'l\"o

If you call addslashes again, you'll end up with:
Hel\\\'l\\\"o

If you insert that into a database, the database will (correctly) assume
that the \ means escaping the next character, and end up with:
Hel\'l\"o

Regards,
Erwin Moller

PS:

[from http://nl2.php.net/manual/en/function.addslashes.php]
Description
string addslashes ( string str )

Returns a string with backslashes before characters that need to be quoted
in database queries etc. These characters are single quote ('), double
quote ("), backslash (\) and NUL (the NULL byte).

An example use of addslashes() is when you're entering data into a database.
For example, to insert the name O'reilly into a database, you will need to
escape it. Most databases do this with a \ which would mean O\'reilly. This
would only be to get the data into the database, the extra \ will not be
inserted. Having the PHP directive magic_quotes_sybase set to on will mean
' is instead escaped with another '.

The PHP directive magic_quotes_gpc is on by default, and it essentially runs
addslashes() on all GET, POST, and COOKIE data. Do not use addslashes() on
strings that have already been escaped with magic_quotes_gpc as you'll then
do double escaping. The function get_magic_quotes_gpc() may come in handy
for checking this.

James54321

Oct 24, 2006, 10:49:58 AM
I don't add slashes (I don't see why anyone would), so to make things
simpler here is the code to enter items into the db. How do I alter it
so my db doesn't have all those backslashes... or is that there for some
reason, i.e. will it kill my code if it isn't there?

I thought I could just tweak the db's collation (whatever that is) to
something that doesn't add those horrible backslashes.

P.S.

Here's my code:

if (isset($_POST['submit'])) {
    // form submitted
    // set server access variables

    // get form input
    // check to make sure it's all there
    // escape input values for greater safety

    $Idea_Name = empty($_POST['Idea_Name']) ? die ("ERROR: Enter the Idea Name") : mysql_escape_string($_POST['Idea_Name']);
    $Category = empty($_POST['Category']) ? die ("ERROR: Enter the Category") : mysql_escape_string($_POST['Category']);
    $Idea = empty($_POST['Idea']) ? die ("ERROR: Enter the Idea") : mysql_escape_string($_POST['Idea']);

    // open connection
    $connection = mysql_connect($host, $user, $pass) or die ("Unable to connect!");

    // select database
    mysql_select_db($db) or die ("Unable to select database!");

    $date = date("Y-m-d");
    $time = date("H:i:s", (time() + 6 * 3600));
    $ip = $_SERVER['REMOTE_ADDR'];

    // create query
    $query = "INSERT INTO ideas (Idea_Name, Category, Idea, Date, Time, IP_Address) VALUES ('$Idea_Name','$Category','$Idea','$date','$time','$ip')";

    // replace sites with your table name
    // replace address and description with the field name

    // execute query
    $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error());

    // print message with ID of inserted record
    echo "New record inserted at $time it will now go to the approvers";

    // close connection
    mysql_close($connection);
}

And if you need it this is where that page is on the web:
http://flavouredcandy.com/addideas.php

James.

Juliette

Oct 24, 2006, 7:32:49 PM


Go back to Erwin's post and read this:

> 1) magic_quotes_gpc is on.

I.e. have a look at your php config settings using phpinfo()
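
The double escaping discussed in this thread, traced end to end, as an added example that is not part of any post above. It assumes current PHP, where magic_quotes_gpc and mysql_escape_string() no longer exist, so both are simulated with addslashes() and the database's literal parsing with stripslashes(); all function names are hypothetical.

```php
<?php
// Added illustration; not code from the thread. Runs on current PHP, where
// magic_quotes_gpc no longer exists, so its effect is simulated.

// What magic_quotes_gpc did to every GET/POST/COOKIE value.
function simulate_magic_quotes(string $raw): string {
    return addslashes($raw);
}

// Stand-in for mysql_escape_string(): backslash-escape for a quoted SQL literal.
function escape_for_sql(string $value): string {
    return addslashes($value);
}

// Stand-in for the server parsing a backslash-escaped literal; valid for the
// quote and backslash characters used in the sample below.
function stored_by_database(string $literal_body): string {
    return stripslashes($literal_body);
}

// Handler as posted: escapes whatever arrives, already escaped or not.
function store_as_posted(string $post_value): string {
    return stored_by_database(escape_for_sql($post_value));
}

// Corrected handler: undo the automatic escaping first, then escape once.
function store_corrected(string $post_value, bool $magic_quotes_on): string {
    $clean = $magic_quotes_on ? stripslashes($post_value) : $post_value;
    return stored_by_database(escape_for_sql($clean));
}

$typed = 'this is some \'example text\' and is a "test"'; // constructed sample
$post  = simulate_magic_quotes($typed); // what $_POST holds with the setting on

printf("typed:       %s\n", $typed);
printf("\$_POST:      %s\n", $post);
printf("as posted:   %s\n", store_as_posted($post));        // backslashes stored
printf("corrected:   %s\n", store_corrected($post, true));  // matches typed text
printf("setting off: %s\n", store_corrected($typed, false)); // matches typed text
```

The "as posted" row reproduces the stored value from the first message; the other two rows store exactly what was typed, because the value is escaped once before it reaches the query.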
