
String oddity

Posted: Fri Apr 25, 2008 1:07 pm
by dhampson
I wrote a small php front end to a mysql database. Users write into <input type="text"..../> or <input type="textarea".../>. It all gets stored into the database, and can be recalled later in various formats.

When I first created it, there was a bug. If someone used an apostrophe (Bob's mail, e.g.) then the mysql_query() string would be malformed, and nothing would be updated. I fixed this with str_replace(), and escaped any apostrophes.

This worked well for 3 years, until I upgraded the server to apache 2, php5 and mysql 5. It updates fine, but wherever I have an apostrophe and save, it keeps the "slash" when I recall it (Bob\'s mail, e.g.). If I save again, I get 2 slashes (Bob\\'s mail).

I'm trying to figure out if I should rewrite the code and eliminate the str_replace, or modify apache's config file, the php.ini file, or something in MySQL.

Any advice or explanation would be very helpful.

--Dave

Re: String oddity

Posted: Fri Apr 25, 2008 1:08 pm
by onion2k
It's being escaped twice. I'd guess magic quotes are switched on on the new server.

Re: String oddity

Posted: Fri Apr 25, 2008 1:09 pm
by John Cartwright
Replace all your str_replace() gargan with mysql_real_escape_string(). This function should always be used on all input to prevent errors and SQL injection.
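
The double escaping diagnosed in the two replies above, as an added example that is not part of the thread or any poster's code: it replays the save/recall cycle on the constructed value "Bob's mail" with magic quotes off and on, then with a single escaping step. The function names are hypothetical, and stripslashes()/addslashes() are stand-ins for MySQL's literal decoding and for mysql_real_escape_string(), which needs a live connection.

```php
<?php
// Added example: constructed input, no database needed.

// magic_quotes_gpc ran addslashes() on request data before the script saw it.
function request_value($typed, $magicQuotes) {
    return $magicQuotes ? addslashes($typed) : $typed;
}

// The original post's own escaping: put a backslash before every apostrophe.
function app_escape($s) {
    return str_replace("'", "\\'", $s);
}

// Stand-in (assumption) for MySQL decoding backslash escapes in a quoted
// string literal; this is the value that ends up in the column.
function stored_value($escaped) {
    return stripslashes($escaped);
}

// Legacy path: magic quotes (if on) plus str_replace() escape the value twice.
function legacy_save($typed, $magicQuotes) {
    return stored_value(app_escape(request_value($typed, $magicQuotes)));
}

// Corrected path: undo magic quotes once, then escape exactly once.
// addslashes() is only a stand-in here; the thread's recommendation,
// mysql_real_escape_string(), needs a live connection.
function fixed_save($typed, $magicQuotes) {
    $v = request_value($typed, $magicQuotes);
    if ($magicQuotes) {
        $v = stripslashes($v);
    }
    return stored_value(addslashes($v));
}

// Save, reload into the form, save again: three edit cycles per scenario.
foreach (array('legacy_save', 'fixed_save') as $save) {
    foreach (array(false, true) as $mq) {
        $value = "Bob's mail"; // constructed sample input
        for ($i = 1; $i <= 3; $i++) {
            $value = $save($value, $mq);
            printf("%-11s magic_quotes=%-3s save %d: %s\n",
                $save, $mq ? 'on' : 'off', $i, $value);
        }
    }
}
```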

Re: String oddity

Posted: Fri Apr 25, 2008 1:25 pm
by dhampson
OK, I think I have enough to figure it out now!

I have a little reading to do, but at least now I know what to read. Thanks for the help.

--Dave