Displaying text after using mysql_real_escape_string

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Fliggerty
Forum Newbie
Posts: 4
Joined: Tue Aug 04, 2009 12:54 pm

Displaying text after using mysql_real_escape_string

Post by Fliggerty »

Hello!
I've been working on an addition to my gaming site that allows members to register a "character's" name to be displayed in a profile page.

I am using mysql_real_escape_string($charname) to add slashes before inserting the name into the database. The problem comes when we display the name. A lot of the names have an ' in them; they are odd fictional names like J'Rikka for example. It obviously displays J/'Rikka.

I had thought of using stripslashes($charname) before displaying it, but that obviously brings the problem back. I tested inserting a script in the name, and sure enough it executed when displayed. I have since added strip_tags($charname) before saving it which fixes that; but I still have the slashes in there.

So if I use both mysql_real_escape_string($charname) and strip_tags($charname) before inserting into the database, am I safe using stripslashes($charname) to display the name?

Thanks!

--Fligg
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Displaying text after using mysql_real_escape_string

Post by jackpf »

It sounds like you have magic quotes turned on.

Turn it off!!!!!!!! It's bad.
Fliggerty
Forum Newbie
Posts: 4
Joined: Tue Aug 04, 2009 12:54 pm

Re: Displaying text after using mysql_real_escape_string

Post by Fliggerty »

So it isn't mysql_real_escape_string that is causing the slashes to show?

So what do you know, one of the magic_quotes settings was on. Turned it off and everything looks fine now!

Thanks a ton!
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Displaying text after using mysql_real_escape_string

Post by jackpf »

Yeah, because the slashes were being added twice. The slashes shouldn't actually be inserted into the database.

Magic quotes runs addslashes() on all $_POST data...so yeah, slashes were being added twice - once by addslashes() and then by you with mysql_real_escape_string() :)

No problem.
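Added example, not code from either poster in this thread. It reproduces the diagnosis above end to end: magic_quotes_gpc applies addslashes() to every request value, so a second round of escaping (by mysql_real_escape_string() on MySQL, or simply by passing the already-slashed value to the database) lands a literal backslash in the stored name. It then shows the fix: undo magic quotes exactly once where input enters the application, hand the value to a prepared statement, and escape for HTML only at display time, which keeps J'Rikka intact and stops the "<script>" name from executing without strip_tags() mangling legitimate input. Assumptions: an in-memory SQLite database via PDO stands in for MySQL so the script runs offline (MySQL decodes the hand-escaped literal and stores the same value shown here); addslashes() stands in for the backslash escaping that both magic quotes and mysql_real_escape_string() perform; the table, column and function names are made up for the example. Caveat for anyone reading this today: magic_quotes_gpc was removed in PHP 5.4 and the mysql_* extension in PHP 7.0; use mysqli or PDO with bound parameters, as below.

```php
<?php
// Added example for the thread above, not the original poster's code.
// Assumptions: SQLite in memory stands in for MySQL; addslashes() stands in
// for the backslash escaping that magic quotes and mysql_real_escape_string()
// apply; table/column/function names are invented for illustration.
declare(strict_types=1);

// What PHP did to $_POST with magic_quotes_gpc = On: addslashes() on every value.
function simulateMagicQuotes(array $post): array
{
    return array_map('addslashes', $post);
}

// Undo magic quotes exactly once, at the input boundary. In real code the
// condition would be get_magic_quotes_gpc() (removed in PHP 8.0).
function normalizeInput(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Store the name with a bound parameter: the driver does the SQL escaping,
// so the application never hand-escapes and nothing extra is stored.
function saveName(PDO $db, string $charname): void
{
    $stmt = $db->prepare('INSERT INTO characters (name) VALUES (:name)');
    $stmt->execute([':name' => $charname]);
}

function loadNames(PDO $db): array
{
    return $db->query('SELECT name FROM characters ORDER BY id')
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Escape for the output context (HTML body) at display time, not at storage
// time. ENT_QUOTES also encodes the apostrophe, so the name is safe inside
// attribute values as well; the browser renders it as J'Rikka.
function renderName(string $charname): string
{
    return htmlspecialchars($charname, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE characters (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL)');

// Constructed sample input: what a member typed into the registration form.
$rawPost   = ['charname' => "J'Rikka"];
$magicPost = simulateMagicQuotes($rawPost);   // now "J\'Rikka", as PHP hands it to the script

// Broken path (the thread's original bug): the magic-quoted value is escaped
// again / stored as-is, so the backslash becomes part of the data.
saveName($db, $magicPost['charname']);

// Fixed path: strip the magic-quotes layer once, then bind the clean value.
saveName($db, normalizeInput($magicPost['charname'], true));

// The XSS probe from the thread, through the fixed path: stored verbatim,
// neutralised by output escaping rather than by strip_tags() on save.
$probe = simulateMagicQuotes(['charname' => '<script>alert(1)</script>']);
saveName($db, normalizeInput($probe['charname'], true));

foreach (loadNames($db) as $stored) {
    printf("stored: %-28s html: %s\n", $stored, renderName($stored));
}
```

Run it with `php example.php` (pdo_sqlite is bundled with most PHP builds). The first row is the bug: the stored name still carries the backslash, and stripslashes() on display would only paper over it, as the original poster found. The second row stores J'Rikka without a slash and renders it with the apostrophe encoded, so it displays correctly. The third row shows why strip_tags() before saving is the wrong layer: the script tag is stored unchanged and rendered harmlessly as text because escaping happens where the value meets HTML, which is the only place the required escaping is known.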