Addslashes and InnoDB

sirstrumalot
Forum Commoner
Posts: 27
Joined: Mon May 18, 2009 10:26 pm


Post by sirstrumalot »

Hey, so I've got an existing, open-source system I've downloaded and significantly modified. It's all working well, but due to the fact I had to link forms together, I had to create relationships and chose early on in the project to switch from MyISAM to InnoDB. I set up foreign keys and indexes and all works peachy.

Now, weeks later and many lines of code in, any text field or form where I put an apostrophe, it shows a backslash before the apostrophe. Now, I know you need escape characters to insert data into the database and I have my code listed below that shows it's doing just that. This is the original, unmodified code that's performing the work, so I'm at a loss why all of a sudden, the entire site is showing slashes in the MySQL fields and in the forms. The only consistent, site-wide thing I can think of is the transition from MyISAM to InnoDB and how one may require different functions, but I wasn't aware of that. The code:


if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
 
  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
 
  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

From there, I have two sections for MySQL: Insert and Update. Then a form called 'form1':

if ($update==1) {
mysql_select_db($database_contacts, $contacts);
// Cast the id to an integer so the raw query-string value cannot alter the SQL.
$query_contact = "SELECT * FROM contacts WHERE contact_id = " . intval($_GET['id']);
$contact = mysql_query($query_contact, $contacts) or die(mysql_error());
$row_contact = mysql_fetch_assoc($contact);
$totalRows_contact = mysql_num_rows($contact);
}
 
if ($update==0) {
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  mysql_query("INSERT INTO contacts (contact_first, contact_middle, contact_last, contact_dob, contact_addr1, contact_addr2, contact_gender, contact_treatClin, contact_provider, contact_providerNum, contact_physician, contact_profile, contact_city, contact_state, contact_zip, contact_phone, contact_updated) VALUES 
 
    (
    '".trim(addslashes($_POST['contact_first']))."',
    '".trim(addslashes($_POST['contact_middle']))."',
    '".trim(addslashes($_POST['contact_last']))."',
    '".trim(addslashes($_POST['contact_dob']))."',
    '".trim(addslashes($_POST['contact_addr1']))."',
    '".trim(addslashes($_POST['contact_addr2']))."',
    '".trim(addslashes($_POST['contact_gender']))."',
    '".trim(addslashes($_POST['contact_treatClin']))."',
    '".trim(addslashes($_POST['contact_provider']))."',
    '".trim(addslashes($_POST['contact_providerNum']))."',
    '".trim(addslashes($_POST['contact_physician']))."',
    '".trim(addslashes($_POST['contact_profile']))."',
    '".trim(addslashes($_POST['contact_city']))."',
    '".trim(addslashes($_POST['contact_state']))."',
    '".trim(addslashes($_POST['contact_zip']))."',
    '".trim(addslashes($_POST['contact_phone']))."',
    '".time()."'
    )
    ");
 
    set_msg('Patient Added');
    $cid = mysql_insert_id();
    $redirect = "contact-details.php?id=$cid";
    header('Location: '.$redirect); die;
}
}
 
if ($update==1) {
if ((isset($_POST["MM_update"])) && ($_POST["MM_update"] == "form1")) {
  $updateSQL = sprintf("UPDATE contacts SET contact_first=%s, contact_middle=%s, contact_last=%s, contact_dob=%s, contact_addr1=%s, contact_addr2=%s, contact_gender=%s, contact_treatClin=%s, contact_provider=%s, contact_providerNum=%s, contact_physician=%s, contact_profile=%s, contact_city=%s, contact_state=%s, contact_zip=%s, contact_phone=%s, contact_updated=%s WHERE contact_id=%s",
                       GetSQLValueString(trim(addslashes($_POST['contact_first'])), "text"),
                       GetSQLValueString(trim(addslashes($_POST['contact_middle'])), "text"),
                       GetSQLValueString(trim(addslashes($_POST['contact_last'])), "text"),
                       GetSQLValueString(trim(addslashes($_POST['contact_dob'])), "text"),
                       GetSQLValueString(trim(addslashes($_POST['contact_addr1'])), "text"),
                       GetSQLValueString(trim(addslashes($_POST['contact_addr2'])), "text"),
                       GetSQLValueString(trim(addslashes($_POST['contact_gender'])), "text"),
                       GetSQLValueString(trim(addslashes($_POST['contact_treatClin'])), "text"),
                       GetSQLValueString(trim(addslashes($_POST['contact_provider'])), "text"),
                       GetSQLValueString(trim(addslashes($_POST['contact_providerNum'])), "text"),
                       GetSQLValueString(trim(addslashes($_POST['contact_physician'])), "text"),
                       GetSQLValueString(trim(addslashes($_POST['contact_profile'])), "text"),
                       GetSQLValueString(trim(addslashes($_POST['contact_city'])), "text"),
                       GetSQLValueString(trim(addslashes($_POST['contact_state'])), "text"),
                       GetSQLValueString(trim(addslashes($_POST['contact_zip'])), "text"),
                       GetSQLValueString(trim(addslashes($_POST['contact_phone'])), "text"),               
                       GetSQLValueString(trim($_POST['contact_updated']), "int"),
                       GetSQLValueString(trim($_POST['contact_id']), "int"));
 
  mysql_select_db($database_contacts, $contacts);
  $Result1 = mysql_query($updateSQL, $contacts) or die(mysql_error());
 
    set_msg('Patient Updated');
    $cid = $_GET['id'];
    $redirect = "contact-details.php?id=$cid";
    header('Location: '.$redirect); die;
}
}

I'm stuck. Any ideas why this is adding slashes and showing them in the forms when the proper code is in use?
Also, would this have anything to do with the deprecation of the get_magic_quotes_gpc() function in PHP 5.3? If so, what do I substitute?
Darhazer
DevNet Resident
Posts: 1011
Joined: Thu May 14, 2009 3:00 pm
Location: HellCity, Bulgaria

Re: Addslashes and InnoDB

Post by Darhazer »

First of all, you are using GetSQLValueString in the update, but not in the insert.
Second, there is no need to addslashes when you are using mysql_escape_string.
And finally, if you add slashes to an escaped string, then you need to stripslashes when displaying.
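
Darhazer's second and third points, worked through as an added example (not code from the thread or from the system being modified): it follows one form value through the UPDATE path's two escaping layers, through a single layer, and through a bound parameter. The helper names are hypothetical, the escaping and literal parsing are emulated because the mysql_* functions no longer exist in PHP 7+, and in-memory SQLite stands in for MySQL on the assumption that pdo_sqlite is loaded.

```php
<?php
// Added example. mysql_* functions no longer exist in PHP 7+, so the escaping
// and the server's literal parsing are emulated; helper names are hypothetical.

// Same byte set mysql_real_escape_string() escapes: NUL \n \r \ ' " Ctrl-Z.
function emulate_mysql_escape(string $s): string
{
    return strtr($s, [
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r', '\\' => '\\\\',
        "'" => "\\'", '"' => '\\"', "\x1a" => '\\Z',
    ]);
}

// Inverse of the above: the value the server stores for the text inside '...'.
function stored_value(string $escaped): string
{
    $map = ['0' => "\0", 'n' => "\n", 'r' => "\r", 'Z' => "\x1a"];
    $out = '';
    for ($i = 0, $n = strlen($escaped); $i < $n; $i++) {
        if ($escaped[$i] === '\\' && $i + 1 < $n) {
            $c = $escaped[++$i];
            $out .= $map[$c] ?? $c; // \' becomes ', \\ becomes \
        } else {
            $out .= $escaped[$i];
        }
    }
    return $out;
}

$input = "O'Brien"; // constructed sample form value, magic quotes off

// UPDATE path in the question: addslashes(), then the escape in GetSQLValueString().
$double = stored_value(emulate_mysql_escape(addslashes($input)));
// One escaping layer only.
$single = stored_value(emulate_mysql_escape($input));

// A bound parameter needs no escaping call. In-memory SQLite stands in for
// MySQL (assumption: the pdo_sqlite extension is loaded).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (contact_last TEXT)');
$pdo->prepare('INSERT INTO contacts (contact_last) VALUES (?)')->execute([$input]);
$bound = $pdo->query('SELECT contact_last FROM contacts')->fetchColumn();

foreach (compact('double', 'single', 'bound') as $label => $value) {
    printf("%-6s stored: %s   after stripslashes(): %s\n", $label, $value, stripslashes($value));
}
```

Run with the PHP CLI: the double-escaped path stores O\'Brien, which is the backslash that then shows up in the forms, while the single-layer and bound-parameter paths store O'Brien unchanged.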