handling escape sequence

Posted: Mon Aug 27, 2007 1:30 am
by vinoth
hi all

I am trying to insert a value like "test's"..

I pass the value through a text box;
if we retrieve the value using $_REQUEST['text'];
and then insert it into the database, it is inserted as test/'s.

Is there any way to handle this..

Posted: Mon Aug 27, 2007 11:02 am
by Zoxive
You have magic_quotes on

stripslashes might be what you want when echoing the data back out.

Posted: Tue Aug 28, 2007 4:27 am
by vinoth
If we use stripslashes, the value is not inserted into the table,
because while inserting it identifies another single quote.

Posted: Tue Aug 28, 2007 4:54 am
by Mou
What you have to do is use 'addslashes' while inserting data and 'stripslashes' while fetching the data from the table, like this:

Code:

$var="test's";
// Add slashes before inserting
$testdata=addslashes($var);

// While fetching, strip them again
stripslashes($row['testdata']);

Posted: Tue Aug 28, 2007 5:03 am
by vinoth
What is the purpose of addslashes?
For that reason, while displaying at the user end itself we use stripslashes;
in other database-related queries we use the same value itself.
It is working fine now.

Posted: Tue Aug 28, 2007 9:20 am
by Zoxive
Like I said, you have magic_quotes on, so it auto adds slashes, and when outputting data you just need to strip slashes, like I said...
Zoxive wrote: stripslashes might be what you want when echoing the data back out.

Posted: Tue Aug 28, 2007 12:01 pm
by John Cartwright
get_magic_quotes() was a terrible mistake and we now have to deal with some server configurations to fix this mistake.

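Code:

// Undo magic_quotes_gpc if it is enabled, then escape once for MySQL.
function escape($input)
{
   // Request data already carries automatic slashes; remove them first
   if (get_magic_quotes_gpc()) {
      $input = stripslashes($input);
   }

   // Escape for use inside a quoted MySQL string (uses the current mysql connection)
   return mysql_real_escape_string($input);
}

Using this, we can eliminate the effects of magic quotes with the added benefit of using mysql_real_escape_string().. which I might add should be used on all incoming strings, the same as numerical should use intval() or typecasting.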

Posted: Tue Aug 28, 2007 4:31 pm
by superdezign
Jcart wrote: get_magic_quotes() was a terrible mistake and we now have to deal with some server configurations to fix this mistake.

Code:

function escape($input) 
{
   if (get_magic_quotes_gpc()) {
      $input = stripslashes($input);
   }

   return mysql_real_escape_string($input);
}
Using this, we can eliminate the effects of magic quotes with the added benefit of using mysql_real_escape_string().. which I might add should be used on all incoming strings, the same as numerical should use intval() or typecasting.

This should only be used on request data, as magic_quotes only operates on request data. Otherwise, you could possibly remove slashes that you intended to keep.
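
Added example, not code from any poster in this thread: it traces the value "test's" through the handling paths discussed above (magic quotes followed by addslashes, versus stripping once and escaping once) and shows the caveat about running stripslashes on non-request data. It uses no database; simulate_magic_quotes(), db_escape(), mysql_literal_value() and escape_request_value() are hypothetical helpers, and addslashes() stands in for mysql_real_escape_string(), which is valid only for this ASCII sample.

```php
<?php
// Constructed demo, no database: follows the thread's value through each path.

// Stand-in for magic_quotes_gpc, which ran addslashes() over request data.
function simulate_magic_quotes(string $raw): string
{
    return addslashes($raw);
}

// Stand-in for mysql_real_escape_string(); equivalent only for this ASCII sample.
function db_escape(string $value): string
{
    return addslashes($value);
}

// Hypothetical model of MySQL reading an escaped string literal.
// Handles only the quote and backslash escapes used in this demo.
function mysql_literal_value(string $escaped): string
{
    return preg_replace('/\\\\(.)/s', '$1', $escaped);
}

// The thread's normalisation: undo magic quotes once, then escape once.
// $magicQuotesOn replaces get_magic_quotes_gpc(), which PHP 8 no longer has.
function escape_request_value(string $input, bool $magicQuotesOn): string
{
    if ($magicQuotesOn) {
        $input = stripslashes($input);
    }
    return db_escape($input);
}

$typed   = "test's";                       // constructed sample input
$request = simulate_magic_quotes($typed);  // what $_REQUEST would hold

// Path 1: escape the already-slashed value again (magic quotes + addslashes).
$storedDouble = mysql_literal_value(db_escape($request));

// Path 2: strip the automatic slashes, then escape exactly once.
$storedClean = mysql_literal_value(escape_request_value($request, true));

// Caveat: stripslashes() on data that never passed through magic quotes.
$filePath = 'C:\new\table';                // constructed non-request value
$damaged  = stripslashes($filePath);

printf("request value : %s\n", $request);
printf("double escaped: %s\n", $storedDouble);
printf("escaped once  : %s\n", $storedClean);
printf("path stripped : %s -> %s\n", $filePath, $damaged);
```

Path 1 leaves a literal backslash in the stored value, which is why it then needs stripslashes on every read; path 2 stores exactly what the user typed. The last line shows the backslashes of a value that never passed through magic quotes being removed.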