Posted by Erwin Moller on 10/24/06 14:32
James54321 wrote:
> Ok then it gets submitted via a html/php page I made that then inserts
> it into the database.
>
> And this is actually what is kept in the db:
> this is some \'example text\' and is a \"test\"
>
> so I'm guessing that strip slashes function is what I need to use ...so
> I'll try that.
>
> Thanks, James.

Hi James,

OK, I think it might make more sense to avoid adding them in the first
place.
I expect you somehow have a double call to addslashes().
This happens easily if:
1) magic_quotes_gpc is on.
2) PHP adds slashes before inserting into the db.

Suppose PHP receives form data for a text element named firstname that
contains quotes and double quotes, e.g.
Hel'l"o

If magic_quotes_gpc is on, and you put this into some variable:
$firstname = $_POST["firstname"];
now $firstname contains: Hel\'l\"o

If you call addslashes again, you'll end up with:
Hel\\\'l\\\"o

If you insert that into a database, the database will (correctly) assume
that the \ means escaping the next character, and end up with:
Hel\'l\"o

Regards,
Erwin Moller

PS:
[from http://nl2.php.net/manual/en/function.addslashes.php]
Description
string addslashes ( string str )
Returns a string with backslashes before characters that need to be quoted
in database queries etc. These characters are single quote ('), double
quote ("), backslash (\) and NUL (the NULL byte).
An example use of addslashes() is when you're entering data into a database.
For example, to insert the name O'reilly into a database, you will need to
escape it. Most databases do this with a \ which would mean O\'reilly. This
would only be to get the data into the database, the extra \ will not be
inserted. Having the PHP directive magic_quotes_sybase set to on will mean
' is instead escaped with another '.
The PHP directive magic_quotes_gpc is on by default, and it essentially runs
addslashes() on all GET, POST, and COOKIE data. Do not use addslashes() on
strings that have already been escaped with magic_quotes_gpc as you'll then
do double escaping. The function get_magic_quotes_gpc() may come in handy
for checking this.
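
Added example, not part of Erwin Moller's post or the PHP manual: a PHP script that reproduces the double escaping described above and then stores the value through a bound parameter instead of escaping by hand. The magic_quotes_gpc step is simulated with addslashes() so the script also runs where the directive is unavailable; normalize_input(), the people table and the in-memory SQLite database (pdo_sqlite extension) are assumptions made for the illustration.

```php
<?php
// Added example: the raw value and the table/column names are constructed.

$raw = 'Hel\'l"o';                      // what the user typed: Hel'l"o

// Simulates what magic_quotes_gpc did to $_POST before the script saw it.
$received = addslashes($raw);

// Second escape inside the script: this is the bug.
$doubled = addslashes($received);

// Simulates a backslash-escaping database consuming one layer of escapes;
// the remaining backslashes end up stored as data.
$stored_buggy = stripslashes($doubled);

/**
 * Undo the automatic escaping once, and only if it was applied.
 * $magic_on is a parameter (hypothetical helper) so the script does not
 * depend on the directive being present in the running PHP version.
 */
function normalize_input(string $value, bool $magic_on): string
{
    return $magic_on ? stripslashes($value) : $value;
}

$clean = normalize_input($received, true);

// Store with a bound parameter: no manual escaping, so nothing to double.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (firstname TEXT)');
$stmt = $db->prepare('INSERT INTO people (firstname) VALUES (:firstname)');
$stmt->execute([':firstname' => $clean]);
$stored_fixed = $db->query('SELECT firstname FROM people')->fetchColumn();

// Print each stage so the extra backslashes are visible side by side.
$stages = compact('raw', 'received', 'doubled', 'stored_buggy', 'stored_fixed');
foreach ($stages as $name => $value) {
    printf("%-13s %s\n", $name, $value);
}
```

Run it from the command line with the php binary; the stored_buggy line shows the backslashes James found in his table, and stored_fixed matches raw.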