  1. #1

    Issue with Slashes

    I'm trying to put some data into a database, and then use AJAX to make that data appear on the same page that the submission form is on.

    If I submit something with no filtering/fixing of any sort, my console gets this returned to it:

    foo\\\\\'bar (5 slashes)

    However, my page displays this:
    foo\\\'bar (3 slashes)

    Yay for Magic Quotes?....mk let's fix that.

    In my PHP script that processes the data, I have a whole mess of things going on trying to fix it...

    PHP Code:
    $groupname = mysql_real_escape_string($_POST['groupname']);
    $groupname = htmlspecialchars($groupname);
    $groupname = get_magic_quotes_gpc() ? stripslashes($groupname) : $groupname;

    Now the console displays this as returned data:
    foo\\'bar (2 slashes)
    and my page displays this:
    foo\'bar (1 slash)

    But, as soon as I refresh my page - I get foo'bar (no slashes), and it's inserted into the database properly.
    ~ Nate L ~

  2. #2
    stripslashes is the first thing you should do.
    mysql_real_escape_string is to be used only to prepare a string for a database query. The result must not be modified or you ruin the escaping. It's not suitable for output to HTML, so keep a separate copy.

    It's common to only use htmlspecialchars when you output to HTML, and to just store it in the database unescaped.

  3. #3
    Alrighty...this seems to have done the trick!

    PHP Code:
    $groupname = $_POST['groupname'];
    $groupname = get_magic_quotes_gpc() ? stripslashes($groupname) : $groupname;

    $query = "INSERT INTO groups (groupname, userID) VALUES ('".mysql_real_escape_string($groupname)."', '$userID')";
    mysql_query($query) or die('Error, insert query failed');

    It returns to my page with the form and inserts into the database without any slashes...perfecto
    ~ Nate L ~
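
Added example, not part of the thread and not any poster's code: the order of operations recommended in post #2, run on a constructed magic-quoted input, with the skipped-stripslashes case stored beside it for comparison. It assumes the pdo_sqlite extension and uses a PDO bound parameter in place of mysql_real_escape_string (the mysql_* functions were removed in PHP 7); `undo_magic_quotes` and `$magicQuotesOn` are hypothetical names.

```php
<?php
// Constructed input: the value a script saw in $_POST['groupname'] when
// magic_quotes_gpc was on and the user typed  foo'bar <b>
$typed  = "foo'bar <b>";
$posted = addslashes($typed);             // foo\'bar <b>

// Hypothetical helper: undo magic quotes FIRST, before anything else
// touches the string.
function undo_magic_quotes(string $value, bool $quoted): string
{
    return $quoted ? stripslashes($value) : $value;
}

// Simulated so the example behaves the same on any PHP version. On old PHP
// the flag would come from get_magic_quotes_gpc(), which no longer exists
// in PHP 8, so guard it with function_exists() if you still need the call.
$magicQuotesOn = true;

$clean = undo_magic_quotes($posted, $magicQuotesOn);

// In-memory database so the example runs offline. The table name is quoted
// because "groups" is a keyword in newer SQLite and MySQL versions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE "groups" (label TEXT, groupname TEXT, userID INTEGER)');

// Bound parameters keep data out of the SQL text, so no escaping function
// is applied to the value and nothing can "ruin the escaping" afterwards.
$insert = $db->prepare('INSERT INTO "groups" (label, groupname, userID) VALUES (?, ?, ?)');
$insert->execute(['stripslashes first', $clean, 1]);
$insert->execute(['stripslashes skipped', $posted, 1]);   // for comparison only

// Output: the database holds the raw text; HTML-escape only when printing.
foreach ($db->query('SELECT label, groupname FROM "groups"') as $row) {
    $stored = $row['groupname'];
    $html   = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    printf("%-21s stored: %-14s html: %s\n", $row['label'], $stored, $html);
}
```

The second row keeps a stray backslash in the database, which is the kind of leftover slash the first post ran into.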

