Using mysql_real_escape_string() on messages, they say \'

Josh1billion
Forum Contributor
Posts: 316
Joined: Tue Sep 11, 2007 3:25 pm

Post by Josh1billion »

In my game's private messaging system, I have an HTML form in which to enter a message, subject, and recipient (similar to phpBB). In the handler for it, I'm using mysql_real_escape_string() on the inputted data (including subject and message_text).

The problem is that whenever a user types a single quote ( ' ) in the message or text, it shows up with a backslash before it ( \' ).

Is there any way to fix that? What am I doing wrong here?

The handler code is basically like this (pseudo-code).. pretty simple:

Code:

$subject = mysql_real_escape_string($_POST['subject']);
$message_text = mysql_real_escape_string($_POST['message_text']);
mysql_query("INSERT INTO blah blah blah"); // inserting that data as a new entry in the database table

edit:
I think I found the solution, but I want to make sure this is right. Should I use stripslashes() on the message and subject data right before it's printed to the screen? That will remove all backslashes ( \ ), apparently. But that also means that the users can't type backslashes into their messages (should they ever find the reason to..). Is this the best way to go about it despite that?

edit 2:
I implemented the solution as explained in edit 1.. and it works without flaw! Backslashes and regular slashes both display properly, as does all the rest of the text. :)
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

get_magic_quotes_gpc() and stripslashes() may be of interest.
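
An added example, not code from either poster: it contrasts calling stripslashes() at output time with undoing magic quotes once at input, which is what get_magic_quotes_gpc() plus stripslashes() allows. The helper names are hypothetical, magic_quotes_gpc is modelled with addslashes(), and the database is assumed to store exactly the string that was handed to the SQL escaping step.

```php
<?php
// Added example, not code from the thread. Assumptions: magic_quotes_gpc is
// modelled with addslashes() (what the setting applied to GET/POST/COOKIE data),
// and "storing" keeps exactly the string handed to the SQL escaping step, since
// the server undoes that one layer of escaping when it parses the query.

// Hypothetical helper: undo magic quotes once, at the input boundary only.
function undo_magic_quotes($value, $enabled)
{
    if (!$enabled) {
        return $value;                       // nothing was added, so strip nothing
    }
    return is_array($value)
        ? array_map(function ($v) use ($enabled) { return undo_magic_quotes($v, $enabled); }, $value)
        : stripslashes($value);
}

// Hypothetical helper: detect the setting where it still exists (removed in PHP 8).
function magic_quotes_enabled()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// In a handler: $subject = undo_magic_quotes($_POST['subject'], magic_quotes_enabled());

// Simulate one request: what gets stored as-is, what stripslashes() shows at
// output time, and what gets stored when the input is normalized first.
function simulate($typed, $magicOn)
{
    $post   = $magicOn ? addslashes($typed) : $typed;   // what $_POST would hold
    $stored = $post;                                    // escaped once for SQL, stored as received
    return array(
        'stored'            => $stored,
        'strip_on_output'   => stripslashes($stored),
        'normalized_stored' => undo_magic_quotes($post, $magicOn),
    );
}

$typed = "It's in C:\\temp";   // constructed sample message: one quote, one backslash
foreach (array(true, false) as $magicOn) {
    $r = simulate($typed, $magicOn);
    printf("magic_quotes=%s\n  stored:            %s\n  strip on output:   %s\n  normalized stored: %s\n",
        $magicOn ? 'on' : 'off', $r['stored'], $r['strip_on_output'], $r['normalized_stored']);
}
```

With the setting off, the output-time stripslashes() column loses the backslash the user typed, while the normalized column matches the typed message in both runs.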