Problem with backslashes on strings

MicroBoy
Forum Contributor
Posts: 112
Joined: Sat Mar 14, 2009 5:16 pm

Problem with backslashes on strings

Post by MicroBoy »

Hello,

I had my website on another server which had register_globals on, so I did not have problems when users input some information. Now on the other server register_globals is Off, and when a user, for example, tries to insert the string (testing is just a test's) into the database, it automatically becomes (testing is just a test\'s). I have seen that I can use stripslashes(), but it is so painful to add it to so many strings. I do not want to turn register_globals ON because I heard that it is a risk. Is there any other way to do that?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Problem with backslashes on strings

Post by Christopher »

What kind of database? You should call the database's escape function (e.g., $value = mysql_real_escape_string($value) ). The data will then be escaped correctly and safely. I would also recommend using PDO and prepared statements to make sure things are escaped correctly.

PS - you definitely want register_globals OFF.
(#10850)
MicroBoy
Forum Contributor
Posts: 112
Joined: Sat Mar 14, 2009 5:16 pm

Re: Problem with backslashes on strings

Post by MicroBoy »

Oops, I forgot to mention that I use MySQL. I have tried to use mysql_real_escape_string() but I still got backslashes at each quote.

p.s. Is it necessary to use mysql_real_escape_string() when inserting data or just when getting data from the database?

Best regards.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Problem with backslashes on strings

Post by Christopher »

MicroBoy wrote: p.s. Is it necessary to use mysql_real_escape_string() when inserting data or just when getting data from the database?
You use it on any variable that is put in quotes in a SQL statement. It does not matter whether it is a SELECT, UPDATE or INSERT or whether it is a value being inserted or set, or a condition in a WHERE statement. If it is in quotes in the SQL then it needs to be escaped. When you get the data back, if it was quoted correctly, it should be the original string.
(#10850)
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: Problem with backslashes on strings

Post by twinedev »

Just for clarification, the setting of register globals will not make a difference on the backslashes being added automatically. The setting affecting that would be magic quotes. Register Globals makes it so elements of variables such as $_POST and $_GET are automatically created as their own variables.

See the links for each for more explanation.

-Greg
MicroBoy
Forum Contributor
Posts: 112
Joined: Sat Mar 14, 2009 5:16 pm

Re: Problem with backslashes on strings

Post by MicroBoy »

Thanks for the answers. Is it ok if I change magic_quotes_gpc to ON? Is this dangerous?
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: Problem with backslashes on strings

Post by twinedev »

I wouldn't recommend it unless it is just a temporary fix while you are building a new site, or at least getting a copy of the site adjusted to be programmed properly.

As mentioned in the link, this option is deprecated (meaning it will not be included in future versions of PHP), so it is not good to just depend on this. Also, if you have other sites on the same environment you are turning this on for, keep in mind, they will most likely start getting a bunch of backslashes in data collected, as they would (er, should) have been coded to add slashes properly, so the server is adding a slash, then the code is adding a slash. Consider this data submitted that will go into a database:

Entered by user: This isn't a good example
Magic Quotes gives it to your script as: This isn\'t a good example
Now after where it was properly coded to add the slashes: This isn\\\'t a good example

Saved into database: This isn\'t a good example

-Greg
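
An added example, not code from any poster in this thread: it reproduces the stray backslash described above and shows the combination the replies point toward, undoing magic-quotes escaping once at the input boundary and then storing the value through a PDO prepared statement. The table name, the helper names and the in-memory SQLite database (standing in for MySQL so the script runs offline) are assumptions.

```php
<?php
// Added example. Assumptions: table "comments", helper names, and an in-memory
// SQLite database standing in for MySQL so the script runs offline.

// Undo magic-quotes escaping once, at the input boundary. On PHP versions that
// still had the setting, get_magic_quotes_gpc() reported it; here it is a flag.
function normalizeInput(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Store a value with a bound parameter and return what the database holds.
function saveAndReadBack(PDO $pdo, string $body): string
{
    $insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $insert->execute([':body' => $body]);

    $select = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $select->execute([':id' => $pdo->lastInsertId()]);
    return $select->fetchColumn();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed input; addslashes() reproduces what magic_quotes_gpc did to it.
$entered     = "This isn't a good example";
$asDelivered = addslashes($entered);

// Bound as-is: the backslash is ordinary data to the database and is stored.
$raw = saveAndReadBack($pdo, $asDelivered);

// Normalized first: the stored row matches what the user typed.
$clean = saveAndReadBack($pdo, normalizeInput($asDelivered, true));

printf("delivered : %s\nstored raw: %s\nstored ok : %s\n", $asDelivered, $raw, $clean);
var_dump($clean === $entered);
```

With bound parameters the quote never needs manual escaping, so the only backslashes that can reach the table are ones already present in the input.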
MicroBoy
Forum Contributor
Posts: 112
Joined: Sat Mar 14, 2009 5:16 pm

Re: Problem with backslashes on strings

Post by MicroBoy »

Thanks a lot for your detailed answers. The problem is solved.

Best regards.