Hello,
I had my website on another server which had register_globals on, so I did not have problems when users input some information. Now on the other server register_globals is Off, and when a user, for example, tries to input into the database the string (testing is just a test's), it automatically becomes (testing is just a test\'s). I have seen that I can use stripslashes(), but it is so painful to add it to so many strings. I do not want to turn register_globals ON because I heard that it is a risk. Is there any other way to do that?
Problem with backslashes on strings
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: Problem with backslashes on strings
What kind of database? You should call the database's escape function (e.g., $value = mysql_real_escape_string($value) ). The data will then be escaped correctly and safely. I would also recommend using PDO and prepared statements to make sure things are escaped correctly.
PS - you definitely want register_globals OFF.
(#10850)
Re: Problem with backslashes on strings
Oops, I forgot to mention that I use MySQL. I have tried to use mysql_real_escape_string() but I still got backslashes at each quote.
p.s. Is it necessary to use mysql_real_escape_string() when inserting data or just when getting data from the database?
Best regards.
- Christopher
Re: Problem with backslashes on strings
MicroBoy wrote: p.s. Is it necessary to use mysql_real_escape_string() when inserting data's or just when getting data's from database?
You use it on any variable that is put in quotes in a SQL statement. It does not matter whether it is a SELECT, UPDATE or INSERT or whether it is a value being inserted or set, or a condition in a WHERE statement. If it is in quotes in the SQL then it needs to be escaped. When you get the data back, if it was quoted correctly, it should be the original string.
(#10850)
Re: Problem with backslashes on strings
Just for clarification, the setting of register globals will not make a difference on the backslashes being added automatically. The setting affecting that would be magic quotes. Register Globals makes it so elements of variables such as $_POST and $_GET are automatically created as their own variables.
See the links for each for more explanation.
-Greg
Re: Problem with backslashes on strings
Thanks for the answers. Is it ok if I change magic_quotes_gpc to ON? Is this dangerous?
Re: Problem with backslashes on strings
I wouldn't recommend it unless it is just a temporary fix while you are building a new site, or at least getting a copy of the site adjusted to be programmed properly.
As mentioned in the link, this option is deprecated (meaning it will not be included in future versions of PHP), so it is not good to just depend on this. Also, if you have other sites on the same environment you are turning this on for, keep in mind, they will most likely start getting a bunch of backslashes in data collected, as they would (er, should) have been coded to add slashes properly, so the server is adding a slash, then the code is adding a slash. Consider this data submitted that will go into a database:
Entered by user: This isn't a good example
Magic Quotes gives it to your script as: This isn\'t a good example
Now after where it was properly coded to add the slashes: This isn\\\'t a good example
Saved into database: This isn\'t a good example
-Greg
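The double-escaping sequence from the post above, next to the PDO prepared-statement approach recommended earlier in the thread, as an added example that is not part of the original posts. The `comments` table and the `undo_magic_quotes()` helper are hypothetical names, and in-memory SQLite stands in for MySQL so the script runs without a server.

```php
<?php
// Added example, not code from the thread. Names below are hypothetical.

// Constructed sample input: the string used in the post above.
$typed = "This isn't a good example";

// What magic_quotes_gpc = On hands to the script: addslashes() applied once.
$fromMagicQuotes = addslashes($typed);

// Code that also escapes on top of magic quotes escapes a second time.
$escapedTwice = addslashes($fromMagicQuotes);

echo 'typed:          ', $typed, PHP_EOL;
echo 'magic quotes:   ', $fromMagicQuotes, PHP_EOL;
echo 'escaped again:  ', $escapedTwice, PHP_EOL;

// Undo the server-side escaping once, at the input boundary, so the rest of
// the code works with the string the user actually typed.
function undo_magic_quotes(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

$clean = undo_magic_quotes($fromMagicQuotes, true);

// Prepared statement: the value is bound as data and never spliced into the
// SQL text, so no manual escaping is needed and no backslashes are stored.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $clean]);

// Same insert with the still-escaped value, to show what ends up stored
// when magic quotes output is passed straight through.
$insert->execute([':body' => $fromMagicQuotes]);

foreach ($pdo->query('SELECT id, body FROM comments ORDER BY id') as $row) {
    echo 'row ', $row['id'], ':          ', $row['body'], PHP_EOL;
}
```

Row 1 holds the string as typed; row 2 keeps the stray backslash because the bound value was already escaped by magic quotes before it reached the statement.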
Re: Problem with backslashes on strings
Thanks a lot for your detailed answers. The problem is solved.
Best regards.