
Escaping characters for database insertion - Odd escape issu

Posted: Mon Nov 02, 2009 11:37 pm
by paulstanely45
Hello All,

I just signed up on this forum! I was hoping I might be able to get a hand.

The problem I am having is I am using mysql_real_escape_string to escape a string, and it works, for example

Hey\

would be Hey\\

However, when I login to phpmyadmin, if I look at the record I just inserted, it'll be just Hey\ as opposed to Hey\\

The problem I was having was I was calling stripslashes to the returned data and obviously just getting 'Hey' as opposed to Hey\

What I would really like to know is what changed? I remember having to strip the slashes afterwards. Is MYSQL doing this automatically now? Is there something that I am missing here?

I'm using PHP 5, and MYSQL 5.1

Any input or advice would be great! Thanks!

Re: Escaping characters for database insertion - Odd escape

Posted: Tue Nov 03, 2009 12:25 am
by McInfo
PHP Manual: Magic Quotes

Edit: This post was recovered from search engine cache.

Re: Escaping characters for database insertion - Odd escape issu

Posted: Tue Nov 03, 2009 9:39 am
by xtiano77
Just a suggestion, but have you considered using "htmlspecialchars()" & "htmlspecialchars_decode()"? Also, have you considered encrypting the data to be saved in the database with salt?

Re: Escaping characters for database insertion - Odd escape issu

Posted: Tue Nov 03, 2009 9:45 am
by paulstanely45
Very useful information.

What I am curious about though is what is happening? How come I don't see the slashes of the escaped material inside the columns?

That documentation is very nice, but I am still unclear on the issue. Can you please clarify?

Also, after running a test, magic_quotes_gpc, magic_quotes_runtime, magic_quotes_sybase are all set to off.

Re: Escaping characters for database insertion - Odd escape

Posted: Tue Nov 03, 2009 1:36 pm
by McInfo
I guess I wasn't paying close enough attention to your original post.
paulstanely45 wrote:
The problem I was having was I was calling stripslashes to the returned data and obviously just getting 'Hey' as opposed to Hey\

You escape strings going into the database, but not out of the database. You may be confusing escaping (replacing things like \ with \\ and ' with \') with HTML entity conversion (replacing things like & with &amp; and < with &lt;).

Magic Quotes was a way to automatically add backslashes to user-submitted strings so they could safely go straight from $_POST to query with or without the programmer being aware that the strings were being escaped.

Backslashes are a way to transport special characters without having them interfere with the syntax of the transport mechanism. For example, if a string that is bounded by quotes needs to contain a quote, the quote must be escaped with a backslash so the string will not be prematurely terminated. Even though the representation of the string contains a backslash, the actual string does not.

Similarly, although a query string might contain extra backslashes, those backslashes will not be stored in the database. Strings that are retrieved from the database will not contain extra backslashes.

The stripslashes() function was used to remove the Magic Quotes backslashes in strings that were to go from $_POST to HTML because those strings are presented as-is and should not be escaped.

Edit: This post was recovered from search engine cache.
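The point McInfo makes above (backslashes belong to the query text, not to the stored value, and stripslashes() only made sense when Magic Quotes had added a second layer of escaping) can be checked without a MySQL server. The following is an added example, not code from the thread: a small Python stand-in that emulates what mysql_real_escape_string(), addslashes()/magic_quotes_gpc and stripslashes() do to a value, and how the server decodes a single-quoted literal back into the bytes it stores. The function names (mysql_escape, magic_quotes, stripslashes, decode_literal, store, store_with_magic_quotes) and the sample value "Hey\" are assumptions of this example, and the decoder covers only the escapes that mysql_real_escape_string() emits.

```python
# Added example (not from the thread): emulate the escaping layers discussed
# above to show that escaping is a property of the query text, not of the
# stored value. Pure-Python stand-in; it is not PHP's or MySQL's own code.

# What mysql_real_escape_string() prefixes with a backslash (constructed table),
# and what the server turns each escape back into when it parses the literal.
_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\n": "\\n", "\r": "\\r", "\0": "\\0", "\x1a": "\\Z",
}
_UNESCAPES = {"\\": "\\", "'": "'", '"': '"',
              "n": "\n", "r": "\r", "0": "\0", "Z": "\x1a"}


def mysql_escape(value: str) -> str:
    """Emulate mysql_real_escape_string(): escape bytes that would break a literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def magic_quotes(value: str) -> str:
    """Emulate what magic_quotes_gpc did to $_POST values (addslashes())."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def stripslashes(value: str) -> str:
    """Emulate PHP stripslashes(): remove one level of backslash escaping."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append("\0" if nxt == "0" else nxt)
            i += 2
        elif ch == "\\":
            i += 1  # a lone trailing backslash is dropped, as PHP does
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def decode_literal(literal: str) -> str:
    """Emulate how the server reads a single-quoted literal into the stored value."""
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("expected a single-quoted literal")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            if i + 1 >= len(body):
                raise ValueError("dangling backslash: value was not escaped")
            out.append(_UNESCAPES.get(body[i + 1], body[i + 1]))  # \x -> x
            i += 2
        elif ch == "'":
            # An unescaped quote would end the literal early and leave the
            # rest of the value as SQL text: the bug escaping exists to prevent.
            raise ValueError("unescaped quote: literal terminated early")
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def is_well_formed(literal: str) -> bool:
    """True if the server would accept the literal as one string value."""
    try:
        decode_literal(literal)
        return True
    except ValueError:
        return False


def store(value: str) -> str:
    """What the thread's code does: escape once, quote, let the server decode."""
    return decode_literal("'" + mysql_escape(value) + "'")


def store_with_magic_quotes(value: str) -> str:
    """Same, but with Magic Quotes having already escaped the $_POST value."""
    return decode_literal("'" + mysql_escape(magic_quotes(value)) + "'")


if __name__ == "__main__":
    sample = "Hey\\"  # constructed sample value, the thread's "Hey\"
    print("query text :", "'" + mysql_escape(sample) + "'")
    print("stored     :", store(sample))
    print("stripped   :", stripslashes(store(sample)))
    print("with magic :", store_with_magic_quotes(sample))
```

Running it shows the sequence from the thread: the query text carries `'Hey\\'`, the stored value is `Hey\` (identical to the input), stripslashes() on that stored value loses the backslash, and only with Magic Quotes in front does the stored value acquire the extra backslash that stripslashes() used to remove. The round trip holds for quotes and newlines as well, which is the reason escaping (or, today, a parameterised query) is applied on the way in and nothing is applied on the way out.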