Removing backslashes

Now this I know is a newb question… and i have read and read about it… but now Im wondering if i ever comprehended in the first place…

ok, I get this part: if i use “magic quotes” then it will insert a backslash in front of characters such as an apostrophe… And this is so that it can not cause damage to the sql table.

but the part i dont get is that what about when you have to display it back on the web? It will have the backslash… (like: Won\'t).

and if i use stripslashes to remove the backslashes, then it will look right, BUT wouldnt that allow the ‘bad code’ to do its damage since now you take the backslash off? assuming someone inserted bad code.

so, im confused… and i know this is so basic, and it is embarrassing that i dont get it yet.

or am i just totally wrong about the whole thing?

Please read the manual at:
http://www.php.net/mysql_real_escape_string
for more details what is this function for ?

AFAIK, if you use mysql_real_escape_string then it will not be problem at all.

but if it inserts as is, then wouldnt that allow the bad code to be inserted?

maybe im just completely mixed up. i had thought i understood it a few weeks ago.

thanks. but i thought that did the same thing, just better at it?

  • I wrote my hosting company, they explained how i can turn magic quotes off by editinng the htaccess & creating a phpini file.
    i’ll giv it a try, i can just imagine how many new problems i get when i attempt that. lol

Please try once when you insert/update column texts/values with that function it will not insert \’ (won\'t) but it will insert as it is (won’t) in the database as i just checked it now.


$comment = "This won't be problem at all with mysql real escape string";
$sql = "INSERT INTO comments SET parent_id=0,`comment`='" . mysql_real_escape_string($comment) . "',date_added='2010-02-13 08:40:00',`status`=1";
mysql_query($sql) or die(mysql_error());

Really? Can you post your code please?

and that is the goal right? to insert into the database EXACTLY what was entered?

The goal is to avoid using user input in your queries that might be used for a SQL injection. As you noticed, magic quotes messes up the data, mysql_real_escape_string doesn’t.

soooo, does this mean that i also have to use mysql_real_escape_string when im displaying data from a sql database? just in case there is bad code inserted (so that it will echo the backslashes)?. if so, that means a customer would always see backslashes on words like won’t, didn’t, etc?

No, you use mysql_real_escape_string only on strings that come from user input when you want to use it in a query. Any query. Also just a select. By strings I mean values that in your query you’ll put between quotes (').
If you want to prevent users from inputting data that might mess up your site, or inject malicious scripts, then you’ll have to sanitize your input with other functions, like for example htmlspecialchars

Really? Can you post your code please?

I found this code online and was using it to test the differences:


<?
function SqlClean($my_var) 
{ if (get_magic_quotes_gpc())
{ if (is_array($my_var)) { foreach ($my_var as $key) { stripslashes($key); } 
} else { stripslashes($my_var); } 
} 
if (is_array($my_var)) { foreach ($my_var as $key) { $key = mysql_real_escape_string($key); 
return $key; } 
} else { $my_var = mysql_real_escape_string($my_var);} 
return $my_var; } 
// --------------------------------

$a=" 'aaaa' bbbbb; \
  'hhh "; 
$a=SqlClean($a); 
echo" test: $a"; 
?> 

that would return: test: \‘aaaa\’ bbbbb;
\'hhh

The goal is to avoid using user input in your queries that might be used for a SQL injection. As you noticed, magic quotes messes up the data, mysql_real_escape_string doesn’t.

Thanks. I did notice that in the database, real escape did not insert backslashes whereas magic quotes did.

Thanks for that entire post actually, It is making sense. there seems to be alot of sanitizing etc that needs to be done in order to be safe. Im going to check out the “htmlspecialchars” that u mentioned. is it normal to just create one function that incorporates everything? sql prevention & the html filtering?

thanks. Ive read that in past and even just re-read it. I think i might finally get it… i hope…
i just set up phpini to turn off magic quotes. so that i can use mysql_real_escape_string.
if i set a variable to use apostraphes, and then i echo it, it shows the backslashes, yet when i put it in the database, it doesnt insert the backslashes (magic quotes was putting backlslashes in database). and that is the goal right? to insert into the database EXACTLY what was entered?

soooo, does this mean that i also have to use mysql_real_escape_string when im displaying data from a sql database? just in case there is bad code inserted (so that it will echo the backslashes)?. if so, that means a customer would always see backslashes on words like won’t, didn’t, etc?