Re: handling ' with mysql/php insert and select

On Thu, January 3, 2008 1:22 pm, Adam Williams wrote:
> In my form, I am parsing all the text inputs through
> mysql_real_escape_string() before inserting the data.  however, when I
> look at the SQL query in PHP, when I type the word blah's to my text
> box
> variable, and then insert it into mysql after being run through
> mysql_real_escape_string(), it does:
>
> insert into contract (contract_id, responsibility) VALUES (15,
> 'blah\\\'s')
>
> and when I query it in mysql/PHP it shows:
>
> select responsibility from contract where contract_id = 15;
> +----------------+
> | responsibility |
> +----------------+
> | blah\'s        |
> +----------------+
> 1 row in set (0.00 sec)
>
> and when I run that select statement in PHP it prints blah\'s on the
> screen.  I want it to print back blah's without the \.  So what are my
> options?  run every variable through stripslashes(); before printing
> them to the screen?

TURN OFF MAGIC QUOTES!!!

Sorry for shouting.

Not really, though. :-)

Magic Quotes GPC in php.ini is ALREADY (trying to) escaping your data,
before you filter it.

This is just plain bassakwards, but was conceived back in the good ol'
days when the 'net was a kinder, gentler place.

But since Magic Quotes already escaped the data, and added \' for
every ' that was there, *YOUR* mysql_real_escape_string was adding
\\\' for the original ', because there was already a \ in there from
Magic Quotes, which needs escaping, just as ' does:

Stage 1:
Original data: blah's

Stage 2:
Magic Quotes GPC tells PHP to do this as it crams stuff into $_POST
blah\'s

Stage 3:
mysql_real_escape_string converts that to:
blah\\\'s

Stage 4:
MySQL stores what you told it to store:
blah\'s

Stage 5:
You select it, and you get what you put in:
blah\'s

Magic Quotes GPC should just be turned OFF, period.

If you have any data already put into your database with both Magic
Quotes and mysql_real_escape_string, then you will need to:

  lock the DB
  pull all the data out
  run stripslashes on all affected data
  call mysql_real_escape_string on affected data
  put affected data back in
  turn OFF magic quotes
  unlock the DB

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
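As an added worked example (my code, not from this thread and not PHP's or MySQL's own code): the five stages described in the reply, the single-escaping fix, and the repair step for already-damaged rows, written in PHP. Magic quotes and the mysql_ extension no longer exist in current PHP, so stage 2 is emulated with addslashes() (which is what magic_quotes_gpc applied to request data) and mysql_real_escape_string() is stood in for by addslashes() as well; that stand-in is an assumption that holds for plain ASCII input like blah's, and stripslashes() is used to model how MySQL's parser consumes the escapes once. All function names and the sample rows are mine.

```php
<?php
declare(strict_types=1);

// Stage 2 as it happened on the poster's server: magic_quotes_gpc applied
// addslashes()-style escaping to everything arriving in $_GET/$_POST/$_COOKIE.
function magicQuotesGpc(string $raw): string
{
    return addslashes($raw);
}

// Stage 3: stand-in for mysql_real_escape_string(), which needed a live
// connection and is gone in PHP 7+. For plain ASCII input the backslash
// escaping it produced matches addslashes() (assumption).
function escapeForQuery(string $value): string
{
    return addslashes($value);
}

// Stage 4: what MySQL keeps after its parser consumes each escape once.
// stripslashes() models that for the characters used here.
function mysqlStores(string $literal): string
{
    return stripslashes($literal);
}

// The poster's pipeline: escaping data that magic quotes had already escaped,
// so every quote ends up with a doubled-and-escaped backslash in front of it.
function buggyInsertLiteral(string $raw): string
{
    return escapeForQuery(magicQuotesGpc($raw));
}

// Fix 1 (the reply's advice): magic_quotes_gpc = Off in php.ini, so the
// value is escaped exactly once, right before it goes into the query.
function fixedInsertLiteral(string $raw): string
{
    return escapeForQuery($raw);
}

// Fix 2 (stopgap when php.ini is not yours to change): undo magic quotes
// before escaping. get_magic_quotes_gpc() was removed in PHP 8, hence the
// function_exists() guard; on current PHP this function is a no-op.
function undoMagicQuotes(string $fromRequest): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($fromRequest);
    }
    return $fromRequest;
}

// Repair for rows already written through the double escaping, following the
// reply's list: one stripslashes() recovers the original text, which is then
// escaped once for the UPDATE that writes it back.
function repairStoredValue(string $stored): string
{
    $original = stripslashes($stored);
    return escapeForQuery($original);
}

$raw   = "blah's";
$buggy = buggyInsertLiteral($raw);
$fixed = fixedInsertLiteral($raw);

printf("raw           : %s\n", $raw);
printf("buggy literal : %s  -> stored as %s\n", $buggy, mysqlStores($buggy));
printf("fixed literal : %s  -> stored as %s\n", $fixed, mysqlStores($fixed));
printf("stopgap       : %s\n", escapeForQuery(undoMagicQuotes(magicQuotesGpc($raw))));

// Constructed sample of already-damaged rows, as they would come back from
// "select responsibility from contract" on the poster's database.
$damagedRows = [15 => "blah\\'s", 16 => "O\\'Brien\\'s"];
foreach ($damagedRows as $id => $stored) {
    printf("row %d: stored %s -> original %s -> update literal %s\n",
        $id, $stored, stripslashes($stored), repairStoredValue($stored));
}
```

Run it with php from the command line; it needs no database. On current PHP the lasting fix is to hand values to mysqli or PDO prepared statements as parameters, which removes the need to escape for the query string at all and so removes the chance of escaping twice.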

