
mysql_real_escape_string issue

Posted: Mon Sep 06, 2010 3:21 pm
by gazzieh
I have the following code:

Code:

// (int) forces the ID to a number so $_GET['id'] cannot alter the query
$updateQuery = "UPDATE ".$settings['tbl_articles']." SET txtTitle = '"
	.mysql_real_escape_string($_POST['title'])."', txtArticle = '"
	.mysql_real_escape_string($_POST['thearticle'])."', dteEdited = NOW() WHERE ID = "
	.(int) $_GET['id'];

I have a title: Testing Amy's Ideas

If I edit this entry and then use the code above I end up with: Testing Amy/'s Ideas

This issue does not appear to affect the article content itself (sent under $_POST['thearticle']) so I am slightly confused. I tried stripslashes() on the above but to no avail (mysql_real_escape_string(stripslashes($_POST['title']))).

Any ideas/suggestions?

Re: mysql_real_escape_string issue

Posted: Mon Sep 06, 2010 5:42 pm
by McInfo
Do you mean

Code:

Testing Amy\'s Ideas

Where do you see that -- when you echo $updateQuery, in phpMyAdmin, ...?

Do you have Magic Quotes enabled? (You shouldn't, but you should write your programs to deal with it being enabled.)

Re: mysql_real_escape_string issue

Posted: Mon Sep 06, 2010 5:56 pm
by gazzieh
It appears when I requery the database using a select statement and display the results.

I can also see it when I use phpMyAdmin to view the data directly.

I have no idea if I have magic_quotes enabled but have been told this is enabled by default so I can assume so. That was the reason for introducing stripslashes() but this did not resolve the issue.

Re: mysql_real_escape_string issue

Posted: Mon Sep 06, 2010 6:37 pm
by McInfo
Check if Magic Quotes is enabled with get_magic_quotes_gpc(). See the example in the manual.

Re: mysql_real_escape_string issue

Posted: Wed Sep 08, 2010 2:24 pm
by gazzieh
Sorry for the delay; work getting in the way again! :)

Yes, Magic Quotes are enabled.
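
The double escaping this thread arrives at, as an added example that is not part of any post: with Magic Quotes on, the title is escaped once by PHP and again by mysql_real_escape_string(), so a backslash ends up stored. The helper names are hypothetical, and addslashes()/stripslashes() stand in for Magic Quotes, mysql_real_escape_string() and the server, an assumption that holds for this sample input.

```php
<?php
// Added example, not code from the thread. It runs on current PHP, where Magic
// Quotes and mysql_* are gone, so addslashes()/stripslashes() stand in for them.

// True only on a legacy PHP build with magic_quotes_gpc switched on.
function magic_quotes_active() {
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Hypothetical helper: undo Magic Quotes once, at the input boundary.
// Recurses because fields such as name="tags[]" arrive as arrays.
function undo_magic_quotes($value, $active) {
    if (!$active) {
        return $value;
    }
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $k => $v) {
            $clean[$k] = undo_magic_quotes($v, $active);
        }
        return $clean;
    }
    return stripslashes($value);
}

// Stand-in for mysql_real_escape_string(): escape for a quoted SQL literal.
function sql_literal($s) {
    return "'" . addslashes($s) . "'";
}

// Stand-in for the server parsing that literal: one escape level is removed.
function stored_value($literal) {
    return stripslashes(substr($literal, 1, -1));
}

// Constructed sample: the title as typed, then as PHP delivers it with
// Magic Quotes on (simulated, so the demo does not depend on php.ini).
$typed = "Testing Amy's Ideas";
$post  = array('title' => addslashes($typed));

$raw   = sql_literal($post['title']);      // escaped a second time
$clean = undo_magic_quotes($post, true);   // real code: magic_quotes_active()
$fixed = sql_literal($clean['title']);     // escaped exactly once

printf("escaped twice: %s -> stored: %s\n", $raw, stored_value($raw));
printf("undone first:  %s -> stored: %s\n", $fixed, stored_value($fixed));
```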