Hello!
I've been working on an addition to my gaming site that allows members to register a "character's" name to be displayed in a profile page.
I am using mysql_real_escape_string($charname) to add slashes before inserting the name into the database. The problem comes when we display the name. A lot of the names have an ' in them; they are odd fictional names like J'Rikka, for example. It obviously displays J\'Rikka.
I had thought of using stripslashes($charname) before displaying it, but that obviously brings the problem back. I tested inserting a script in the name, and sure enough it executed when displayed. I have since added strip_tags($charname) before saving it which fixes that; but I still have the slashes in there.
So if I use both mysql_real_escape_string($charname) and strip_tags($charname) before inserting into the database, am I safe using stripslashes($charname) to display the name?
Thanks!
--Fligg
Displaying text after using mysql_real_escape_string
Re: Displaying text after using mysql_real_escape_string
It sounds like you have magic quotes turned on.
Turn it off!!!!!!!! It's bad.
Re: Displaying text after using mysql_real_escape_string
So it isn't mysql_real_escape_string that is causing the slashes to show?
So what do you know, one of the magic_quotes settings was on. Turned it off and everything looks fine now!
Thanks a ton!
Re: Displaying text after using mysql_real_escape_string
Yeah, because the slashes were being added twice. The slashes shouldn't actually be inserted into the database.
Magic quotes runs addslashes() on all $_POST data...so yeah, slashes were being added twice - once by addslashes() and then by you with mysql_real_escape_string()
No problem.
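The double-escaping the thread ends on can be made concrete. The block below is an added example, not code from any poster: it re-implements, in Python, what PHP's addslashes() (which magic_quotes_gpc applied to $_POST) and mysql_real_escape_string() do to a name for a single-byte character set, then decodes the resulting MySQL string literal the way the server would, so you can see what actually lands in the table with magic quotes on versus off. It also shows the output-side step the thread does not spell out: the script the OP saw executing is stopped by HTML-escaping the stored value when it is displayed, not by stripping slashes. The function names and the sample name "J'Rikka" are taken from the thread; the escaping tables are my own transcription of the documented behaviour and are labelled as emulations.

```python
"""Emulation of the magic_quotes + mysql_real_escape_string double-escape.

These are re-implementations written for this illustration, not PHP's own
functions, and they assume a single-byte connection charset (the original
mysql_real_escape_string is charset-aware).
"""
import html


def addslashes(s: str) -> str:
    """Emulate PHP addslashes(): a backslash before ', ", \\ and NUL.

    With magic_quotes_gpc=On this ran on every $_POST value before the
    script ever saw it.
    """
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


# Characters mysql_real_escape_string() escapes (single-byte charset).
_MYSQL_ESCAPES = {
    "\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def mysql_real_escape_string(s: str) -> str:
    """Emulate mysql_real_escape_string() for a non-multibyte charset."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in s)


# How the MySQL parser decodes backslash sequences inside a quoted literal;
# an unknown escaped character simply yields that character.
_MYSQL_UNESCAPES = {"0": "\x00", "n": "\n", "r": "\r", "Z": "\x1a",
                    "b": "\b", "t": "\t"}


def mysql_literal_decode(escaped: str) -> str:
    """Decode the body of a single-quoted MySQL literal: the value stored."""
    out = []
    i = 0
    while i < len(escaped):
        ch = escaped[i]
        if ch == "\\" and i + 1 < len(escaped):
            nxt = escaped[i + 1]
            out.append(_MYSQL_UNESCAPES.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def stored_with_magic_quotes(post_value: str) -> str:
    """magic_quotes_gpc=On: addslashes() already ran, then the script escapes again.

    The server undoes one layer of escaping, so the other layer is stored
    literally and later displays as J\\'Rikka.
    """
    return mysql_literal_decode(mysql_real_escape_string(addslashes(post_value)))


def stored_without_magic_quotes(post_value: str) -> str:
    """magic_quotes_gpc=Off: the script is the only thing escaping; round-trips cleanly."""
    return mysql_literal_decode(mysql_real_escape_string(post_value))


def render_for_html(stored: str) -> str:
    """Output encoding for the profile page.

    This, not stripslashes(), is what keeps a name like <script>...</script>
    from executing when displayed; SQL escaping protects the query only.
    """
    return html.escape(stored, quote=True)


if __name__ == "__main__":
    # Constructed sample input, as a player would type it into the form.
    name = "J'Rikka"
    print("magic quotes on :", stored_with_magic_quotes(name))
    print("magic quotes off:", stored_without_magic_quotes(name))
    print("displayed       :", render_for_html("<script>alert(1)</script>"))
```

Run it and the "magic quotes on" line shows the stray backslash from the thread; turning magic quotes off removes it without any stripslashes() on output. Note that stripslashes() on display would also mangle any name that legitimately contains a backslash, which is why fixing the input side is the right answer.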