Problem with backslashes on strings

Posted: Sat Feb 04, 2012 6:37 am
by MicroBoy
Hello,

I had my website on another server which had register_globals on, so I did not have problems when users inputted some information. Now on the other server register_globals is Off, and when a user, for example, tries to input the string (testing is just a test's) into the database, it automatically becomes (testing is just a test\'s). I have seen that I could use stripslashes(), but it is so painful to add it to so many strings. I do not want to turn register_globals ON because I heard that it is a risk. Is there any other way to do that?

Re: Problem with backslashes on strings

Posted: Sat Feb 04, 2012 12:28 pm
by Christopher
What kind of database? You should call the database's escape function (e.g., $value = mysql_real_escape_string($value) ). The data will then be escaped correctly and safely. I would also recommend using PDO and prepared statements to make sure things are escaped correctly.

PS - you definitely want register_globals OFF.

Re: Problem with backslashes on strings

Posted: Sun Feb 05, 2012 12:23 pm
by MicroBoy
Opppsss I forgot to mention that I use MySQL. I have tried to use mysql_real_escape_string() but I still got backslashes at each quote.

p.s. Is it necessary to use mysql_real_escape_string() when inserting data or just when getting data from the database?

Best regards.

Re: Problem with backslashes on strings

Posted: Mon Feb 06, 2012 1:45 am
by Christopher
MicroBoy wrote: p.s. Is it necessary to use mysql_real_escape_string() when inserting data or just when getting data from the database?
You use it on any variable that is put in quotes in a SQL statement. It does not matter whether it is a SELECT, UPDATE or INSERT or whether it is a value being inserted or set, or a condition in a WHERE statement. If it is in quotes in the SQL then it needs to be escaped. When you get the data back, if it was quoted correctly, it should be the original string.

Re: Problem with backslashes on strings

Posted: Mon Feb 06, 2012 4:05 am
by twinedev
Just for clarification, the setting of register globals will not make a difference on the backslashes being added automatically. The setting affecting that would be magic quotes. Register Globals makes it so elements of variables such as $_POST and $_GET are automatically created as their own variables.

See the links for each for more explanation.

-Greg

Re: Problem with backslashes on strings

Posted: Mon Feb 06, 2012 6:06 am
by MicroBoy
Thanks for the answers. Is it ok if I change magic_quotes_gpc to ON? Is this dangerous?

Re: Problem with backslashes on strings

Posted: Tue Feb 07, 2012 11:58 pm
by twinedev
I wouldn't recommend it unless it is just a temporary fix while you are building a new site, or at least getting a copy of the site adjusted to be programmed properly.

As mentioned in the link, this option is deprecated (meaning it will not be included in future versions of PHP), so it is not good to just depend on this. Also, if you have other sites on the same environment you are turning this on for, keep in mind, they will most likely start getting a bunch of backslashes in data collected, as they would (er, should) have been coded to add slashes properly, so the server is adding a slash, then the code is adding a slash. Consider this data submitted that will go into a database:

Entered by user: This isn't a good example
Magic Quotes gives it to your script as: This isn\'t a good example
Now after where it was properly coded to add the slashes: This isn\\\'t a good example

Saved into database: This isn\'t a good example

-Greg
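
The slash doubling described above, and the PDO prepared-statement approach recommended earlier in the thread, as an added example that is not part of the original posts. Assumptions: the sample string, table and column names, and the helper undoMagicQuotes() are constructed for illustration; addslashes() stands in for magic_quotes_gpc (removed in PHP 5.4), and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Constructed sample input; table and column names are hypothetical.
$typed = "This isn't a good example";

// magic_quotes_gpc was removed in PHP 5.4; addslashes() reproduces what it
// did to every GET/POST/COOKIE value before the script saw it.
$fromRequest = addslashes($typed);
// Code that escapes again on top of magic quotes doubles the slashes.
$doubled = addslashes($fromRequest);

// Hypothetical helper: undo the server-added slashes once, at the input
// boundary, including nested arrays such as form fields named field[].
function undoMagicQuotes($value)
{
    return is_array($value)
        ? array_map('undoMagicQuotes', $value)
        : stripslashes($value);
}
$clean = undoMagicQuotes($fromRequest);

// SQLite in memory stands in for MySQL so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (label TEXT, body TEXT)');

// Bound parameters are sent as data, never spliced into the SQL text,
// so they are stored byte for byte and need no escaping call.
$insert = $pdo->prepare(
    'INSERT INTO comments (label, body) VALUES (:label, :body)'
);
$rows = array(
    'magic-quoted, not stripped' => $fromRequest,
    'escaped twice'              => $doubled,
    'stripped once'              => $clean,
);
foreach ($rows as $label => $body) {
    $insert->execute(array(':label' => $label, ':body' => $body));
}

// Print what the database actually holds for each case.
foreach ($pdo->query('SELECT label, body FROM comments') as $row) {
    printf("%-27s | %s\n", $row['label'], $row['body']);
}
```

Only the row labelled "stripped once" comes back as the user typed it; the other two keep their backslashes, because a bound parameter stores whatever string it is given.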

Re: Problem with backslashes on strings

Posted: Wed Feb 08, 2012 7:18 am
by MicroBoy
Thanks a lot for your detailed answers. The problem is solved.

Best regards.