Escaping, and what I'm doing wrong?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

$var
Forum Contributor
Posts: 317
Joined: Thu Aug 18, 2005 8:30 pm
Location: Toronto

Escaping, and what I'm doing wrong?

Post by $var »

Hi,
I'm having some trouble with escaping/displaying a string entered via input/text fields.
In the past, I have done what I think is the same thing, but I am getting improper characters in my output.

Here is what is happening going in:

$q2 = "UPDATE tms_profile SET
      profile_blurb = '".mysql_real_escape_string($_POST["profile_blurb"])."',
      profile_title = '".mysql_real_escape_string($_POST["profile_title"])."'
      WHERE profile_memid=".(int)$memID;  // the id is unquoted in the SQL, so force it to a number
$result = mysql_query($q2) or die (mysql_error());
from this:

<label for="profile_blurb">bio: </label>
<textarea name="profile_blurb" class="" cols="60" rows="7"></textarea>
Output is displayed with this:

<?php /* escape for HTML before adding <br />, otherwise stored markup is rendered as-is */ echo nl2br(htmlspecialchars($profile_blurb, ENT_QUOTES, 'UTF-8')); ?>
but it shows the following characters:
\" instead of "
\' instead of '
\r\n instead of a line break

Any insight would be great.

jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Re: Escaping, and what I'm doing wrong?

Post by jmut »

Do you consider magic quotes?
$var
Forum Contributor
Posts: 317
Joined: Thu Aug 18, 2005 8:30 pm
Location: Toronto

Re: Escaping, and what I'm doing wrong?

Post by $var »

I have never heard about Magic Quotes.
However, the php.net description warns against using this as it is "DEPRECATED and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged."

Is the method that I am using wrong on sight? Or is it a configuration issue?
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Re: Escaping, and what I'm doing wrong?

Post by jmut »

That is true, but that doesn't mean they are disabled on your server. So in order for your code to be portable (regardless of magic quotes on/off) you should use

get_magic_quotes_gpc()

and

stripslashes()

to handle things properly.
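As an added example (this is not code from the thread), the following PHP sketch puts jmut's advice into one place: undo magic_quotes_gpc when the server has it on, so the value is escaped exactly once; show with a small simulation why escaping an already-slashed value leaves \" and \' in the table; and escape the value for HTML before nl2br() on the way out. It assumes a mysqli connection in $db and the tms_profile columns from the first post. The prepared statement is a swapped-in replacement for mysql_real_escape_string(), which no longer exists in PHP 7 and later; the functions are guarded so the file loads on both old and new PHP.

```php
<?php
// Added example, not from the original thread. Assumes: a mysqli connection $db,
// the tms_profile table with profile_blurb / profile_title / profile_memid.

/**
 * Return the text the user actually typed, whether or not magic_quotes_gpc is on.
 * With magic quotes on, $_POST already carries backslashes; stripping them here is
 * what makes the later SQL escaping happen once instead of twice. On PHP 8 the
 * function is gone, so function_exists() keeps this loadable there.
 */
function raw_input(array $source, string $key): string
{
    $value = isset($source[$key]) ? (string) $source[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

/**
 * Simulates the symptom from the first post. mysql_real_escape_string() needs a
 * live connection, so addslashes() stands in for its backslash/quote escaping.
 * MySQL stores the literal with one level of backslashes removed, which is what
 * stripslashes() models here.
 */
function simulate_double_escape(string $typed): array
{
    $magic_quoted  = addslashes($typed);          // what $_POST holds with magic quotes on
    $escaped_once  = addslashes($typed);          // correct: the raw value escaped once
    $escaped_twice = addslashes($magic_quoted);   // the bug: the slashed value escaped again
    return [
        'stored_ok'  => stripslashes($escaped_once),   // identical to $typed
        'stored_bad' => stripslashes($escaped_twice),  // keeps \" and \' like the poster sees
    ];
}

/**
 * Saves the profile with a prepared statement. The values never become part of the
 * SQL text, so neither magic quotes nor any manual escaping affect the query, and
 * the unquoted id is bound as an integer instead of concatenated.
 */
function save_profile(mysqli $db, int $memID, string $blurb, string $title): bool
{
    $stmt = $db->prepare(
        'UPDATE tms_profile SET profile_blurb = ?, profile_title = ? WHERE profile_memid = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ssi', $blurb, $title, $memID);
    return $stmt->execute();
}

/**
 * Escapes for HTML first (so stored <script> or attribute text is shown, not run),
 * then turns line breaks into <br />. The order matters: nl2br() after
 * htmlspecialchars() keeps the <br /> tags intact.
 */
function render_blurb(string $blurb): string
{
    return nl2br(htmlspecialchars($blurb, ENT_QUOTES, 'UTF-8'));
}

// Usage in the form handler (not run here):
//   $blurb = raw_input($_POST, 'profile_blurb');
//   $title = raw_input($_POST, 'profile_title');
//   save_profile($db, (int) $memID, $blurb, $title);
//   echo render_blurb($blurb);

if (PHP_SAPI === 'cli') {
    // Constructed sample input, the kind of text the textarea in the post would send.
    $typed = "She said \"hi\"\r\nIt's fine";
    print_r(simulate_double_escape($typed));
    echo render_blurb($typed), "\n";
}
```

Running the file from the command line prints stored_ok equal to the typed text and stored_bad with the surviving backslashes, which is the quote symptom from the first post reproduced without a database.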