
Escaping, and what I'm doing wrong?

Posted: Sun Feb 24, 2008 12:46 am
by $var
Hi,
I'm having some trouble with escaping/displaying a string entered via input/text fields.
In the past, I have done what I think is the same thing, but... I am getting improper characters in my output.

here is what is happening going in:

Code:

// escape each posted value once, build the UPDATE, and run it
$q2 = "UPDATE tms_profile SET
    profile_blurb = '".mysql_real_escape_string($_POST["profile_blurb"])."',
    profile_title = '".mysql_real_escape_string($_POST["profile_title"])."'
    WHERE profile_memid=".$memID;
$result = mysql_query($q2) or die(mysql_error());
from this:

Code:

<label for="profile_blurb">bio: </label>
<textarea name="profile_blurb" class="" cols="60" rows="7"></textarea>
output calls this:

Code:

<?php echo nl2br($profile_blurb); ?>
but shows the following characters:
\" instead of "
\' instead of '
\r\n instead of a linebreak

any insight would be great

Re: Escaping, and what I'm doing wrong?

Posted: Sun Feb 24, 2008 2:06 am
by jmut
Do you consider magic quotes?

Re: Escaping, and what I'm doing wrong?

Posted: Tue Feb 26, 2008 9:59 pm
by $var
I have never heard about Magic Quotes.
However, the php.net description warns against using this as it is "DEPRECATED and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged."

Is the method that I am using wrong on sight? Or is it a configuration issue?

Re: Escaping, and what I'm doing wrong?

Posted: Wed Feb 27, 2008 3:34 am
by jmut
That is true, but that doesn't mean they are disabled on your server. So in order for your code to be portable (regardless of magic quotes on/off) you should use

Code:

get_magic_quotes_gpc()
and

Code:

stripslashes()
to handle things properly.
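One way to apply jmut's suggestion to the query from the first post, written here as an added example rather than code from the thread; it assumes an open connection in $link and that the form fields and $memID exist as in the original:

```php
<?php
// Added example (not from the thread): undo magic_quotes_gpc once, escape once
// for MySQL, and escape once more only for HTML when the value is displayed.

// Return exactly what the user typed, whether or not magic_quotes_gpc is on.
function raw_input($value)
{
    if (get_magic_quotes_gpc()) {
        // magic quotes already added backslashes; strip them so the value is
        // escaped exactly once by mysql_real_escape_string() below
        return is_array($value) ? array_map('raw_input', $value) : stripslashes($value);
    }
    return $value;
}

// Build the UPDATE from the first post with each string value escaped once.
function build_profile_update($link, $blurb, $title, $memID)
{
    return "UPDATE tms_profile SET"
         . " profile_blurb = '" . mysql_real_escape_string($blurb, $link) . "',"
         . " profile_title = '" . mysql_real_escape_string($title, $link) . "'"
         . " WHERE profile_memid = " . (int) $memID;   // numeric column: cast, do not quote
}

// Display: the stored text carries no stray backslashes, so HTML-escape it
// (quotes included) and then turn real line breaks into <br />.
function render_blurb($blurb)
{
    return nl2br(htmlspecialchars($blurb, ENT_QUOTES, 'UTF-8'));
}

$blurb  = raw_input($_POST['profile_blurb']);   // $_POST fields from the original form
$title  = raw_input($_POST['profile_title']);
$q2     = build_profile_update($link, $blurb, $title, $memID);   // $link, $memID assumed
$result = mysql_query($q2, $link) or die(mysql_error($link));

echo render_blurb($blurb);   // shows " and ' and line breaks, not \" \' \r\n
```

get_magic_quotes_gpc() and the mysql_* functions are PHP 5 APIs that later PHP versions removed; a parameterised query through mysqli or PDO makes the manual escaping step unnecessary.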