  1. #1
    SitePoint Zealot
    Join Date
    Jul 2004
    Location
    Eastland
    Posts
    102

    Problem with slashes in data retrieved from db

    Obviously, I need help so I'll try to be brief but thorough.
    I'm using SESSIONS. MySQL 4.0. Magic_quotes_gpc = on.
    My site is set up where members must log-in using their username and password.
    Once they are successfully logged in, they are directed to a page named loginsuccess.php. Assume the logged in member has the following:
    Company Name = Jones & Son's Tractors
    City = Dayton
    State = OH (Ohio)
    The loginsuccess.php page has a welcome statement that says something like
    "Welcome. You are logged in as Jones & Son's Tractors, Dayton, OH."
    (As you will see in a moment, this welcome statement is important)

    This same loginsuccess.php page has a link to a form page that allows each member to update their profile. This form page is named changeregform.php and each field is populated with the information provided by the member at the time of their initial registration.

    After making the necessary changes, the member clicks the submit button and the form is sent to changereg.php, for processing, and immediately returned to the loginsuccess.php page. (provided all goes well)

    HERE IS MY PROBLEM. (finally!)

    Everything works great...the fields in my db get updated, however, when the member is redirected to the loginsuccess.php page the welcome statement now reads
    "Welcome. You are logged in as Jones & Son\'s Tractors, Dayton, OH."
    And, if the member again clicks on the link to make additional updates, the Company Name field now reads Jones & Son\'s Tractors even though the database field reads Jones & Son's Tractors. I don't understand how the value of $_SESSION['coname'] got changed to include the backslash (\).
    I don't understand why everything is displayed ok after a member logs in but has the backslashes after processing the update form.
    I have read many posts about "addslashes" and "stripslashes"...I have tried stripslashes and still have the problem. Being a newbie I'm not sure I had the stripslashes in the right place. I hope there is a way around having to "add/stripslashes". I've read that this leads to problems down the road and I've had enough problems already. Would rather get things set up right from the beginning. Have also read where it is best to turn magic_quotes off. I can probably figure out how to do it but will it solve my problem?

    Here are a few snippets of code from the pages:

    An example of one of the form field properties of the changeregform.php page
    <input type="text" name="coname" value="<?php echo ($_SESSION['coname']); ?>">

    Here is the bulk of the code on changereg.php

    //== IF USER WANTS TO CHANGE REGISTRATION INFORMATION =====

    if (isset($_POST['submitchangeregform'])) {
    $id = $_POST['id'];
    $coname = $_POST['coname'];
    $dealernum = $_POST['dealernum'];
    $firstname = $_POST['firstname'];
    $lastname = $_POST['lastname'];
    $street = $_POST['street'];
    $city = $_POST['city'];
    $state = $_POST['state'];
    $zip = $_POST['zip'];
    $phone = $_POST['phone'];
    $fax = $_POST['fax'];
    $bstreet = $_POST['bstreet'];
    $bcity = $_POST['bcity'];
    $bstate = $_POST['bstate'];
    $bzip = $_POST['bzip'];
    $bphone = $_POST['bphone'];
    $bfax = $_POST['bfax'];
    $email = $_POST['email'];
    $username = $_POST['username'];

    }
    $query = "SELECT * FROM memreg WHERE ID='$id'";
    $result = @mysql_query ($query);
    $num = mysql_num_rows($result);
    if ($num == 1){
    $row = mysql_fetch_array($result, MYSQL_NUM);

    //=== UPDATING MEMREG TABLE ====
    $sql = "UPDATE memreg SET
    coname='$coname',
    dealernum='$dealernum',
    firstname='$firstname',
    lastname='$lastname',
    street='$street',
    city='$city',
    state='$state',
    zip='$zip',
    phone='$phone',
    fax='$fax',
    bstreet='$bstreet',
    bcity='$bcity',
    bstate='$bstate',
    bzip='$bzip',
    bphone='$bphone',
    bfax='$bfax',
    email='$email',
    username='$username',
    date=CURDATE()+0
    WHERE ID='$id'";

    }
    // ==CHECK QUERY AND REDIRECT ==
    if (@mysql_query($sql)) {
    echo('<div align="center"><p><b><font face="Arial" size="3" color="#000080">"Your requested changes have been made."</font></b><br /></p>');
    include 'loginsuccess.php';
    } else {
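    // mysql_error() must be concatenated; inside the quotes it is printed as literal text
    echo('<div align="center"><p>Error Submitting Your Registration: ' . mysql_error() . '</p></div>');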
    }

    Sorry for the length of this post and I appreciate any help that is offered. drb10
    Last edited by drb10; Jan 25, 2005 at 21:16. Reason: more info

  2. #2
    SitePoint Enthusiast
    Join Date
    Jan 2005
    Location
    California
    Posts
    28
    It's because you have magic quotes turned on. Turn them off and just make sure you manually escape stuff sent to a MySQL query.

  3. #3

    Join Date
    Oct 2003
    Location
    €uroLand
    Posts
    1,340
    I guess magic_quotes_runtime is ON, turning it off in your php.ini, via .htaccess (if you have Apache) or by set_magic_quotes_runtime might help.

  4. #4
    SitePoint Zealot
    Join Date
    Jul 2004
    Location
    Eastland
    Posts
    102
    My understanding is that with magic_quotes off, I will need to escape entries made into the db. If I turn them off, will it affect my ability to include database field values in a variable that is then passed in a URL? I guess my concern is, will I have to go through my site and make a lot of changes like mysql_real_escape_string, or will turning magic_quotes off and escaping all entries solve these types of problems?
    Thanks so much for your input, drb10

  5. #5

    Join Date
    Oct 2003
    Location
    €uroLand
    Posts
    1,340
    magic_quotes_runtime is something different than magic_quotes_gpc.

  6. #6
    SitePoint Zealot
    Join Date
    Jul 2004
    Location
    Eastland
    Posts
    102
    Thanks, drzoid.
    I'm trying to find the file or write code to turn them off. Did I mention I'm a newbie?

  7. #7
    SitePoint Zealot
    Join Date
    Jul 2004
    Location
    Eastland
    Posts
    102
    magic_quotes_gpc is On,
    magic_quotes_runtime is Off,
    magic_quotes_sybase is Off.
    Guess I'll have to contact my hosting/server company and ask them to turn them off.

  8. #8
    SitePoint Zealot
    Join Date
    Jul 2004
    Location
    Eastland
    Posts
    102
    Figured it out and turned them off. Thanks again

  9. #9
    SitePoint Zealot
    Join Date
    Jul 2004
    Location
    Eastland
    Posts
    102
    Not sure I have enough experience to manage things with magic_quotes off. Looking at the code in my original post, can you tell me where to place "stripslashes" or whatever I need to solve the problem?
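
The pattern the replies point toward, as an added example that is not code from any poster in this thread: undo the automatic escaping once where input arrives, keep the plain value in the session, and encode separately for each destination (SQL and HTML). Assumptions: `clean_input()` is a hypothetical helper, `addslashes()` stands in for what magic_quotes_gpc does to `$_POST`, PDO with in-memory SQLite stands in for the MySQL connection, and the backslash in the welcome line is assumed to come from the slashed POST value being reused for display.

```php
<?php
// Constructed input: what $_POST holds for this member with magic_quotes_gpc = On.
// addslashes() emulates the directive (assumption for the demo).
$post = array('id' => '1', 'coname' => addslashes("Jones & Son's Tractors"));

// Hypothetical helper: undo the automatic escaping once, at the input boundary.
function clean_input(array $in, $magicQuotesOn)
{
    return $magicQuotesOn ? array_map('stripslashes', $in) : $in;
}

// Symptom: the slashed POST value is reused as display text.
$buggyWelcome = 'You are logged in as ' . $post['coname'];

// Fix: keep the plain value inside the application, encode per destination.
$in = clean_input($post, true);

$db = new PDO('sqlite::memory:'); // stand-in for the MySQL connection
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE memreg (ID INTEGER PRIMARY KEY, coname TEXT)');
$db->exec("INSERT INTO memreg (ID, coname) VALUES (1, 'Old Name')");

// SQL destination: bound parameters, so the value is never spliced into the query.
$stmt = $db->prepare('UPDATE memreg SET coname = :coname WHERE ID = :id');
$stmt->execute(array(':coname' => $in['coname'], ':id' => (int) $in['id']));

// Session destination: store the plain value (array stands in for $_SESSION).
$session = array('coname' => $in['coname']);

// HTML destination: encode on output, including inside value="...".
$safe   = htmlspecialchars($session['coname'], ENT_QUOTES, 'UTF-8');
$stored = $db->query('SELECT coname FROM memreg WHERE ID = 1')->fetchColumn();

echo "before fix:   $buggyWelcome\n";
echo "stored in db: $stored\n";
echo "welcome line: You are logged in as $safe\n";
echo "form field:   <input type=\"text\" name=\"coname\" value=\"$safe\">\n";
```

Calling `stripslashes` on a value that was never slashed would eat legitimate backslashes, which is why the helper takes the magic-quotes state as an argument and runs exactly once per request.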

