Displaying text after using mysql_real_escape_string

Posted: Tue Aug 04, 2009 1:38 pm
by Fliggerty
Hello!
I've been working on an addition to my gaming site that allows members to register a "character's" name to be displayed in a profile page.

I am using mysql_real_escape_string($charname) to add slashes before inserting the name into the database. The problem comes when we display the name. A lot of the names have an ' in them; they are odd fictional names like J'Rikka for example. It obviously displays J/'Rikka.

I had thought of using stripslashes($charname) before displaying it, but that obviously brings the problem back. I tested inserting a script in the name, and sure enough it executed when displayed. I have since added strip_tags($charname) before saving it which fixes that; but I still have the slashes in there.

So if I use both mysql_real_escape_string($charname) and strip_tags($charname) before inserting into the database, am I safe using stripslashes($charname) to display the name?

Thanks!

--Fligg

Re: Displaying text after using mysql_real_escape_string

Posted: Tue Aug 04, 2009 1:43 pm
by jackpf
It sounds like you have magic quotes turned on.

Turn it off!!!!!!!! It's bad.

Re: Displaying text after using mysql_real_escape_string

Posted: Tue Aug 04, 2009 2:56 pm
by Fliggerty
So it isn't mysql_real_escape_string that is causing the slashes to show?

So what do you know, one of the magic_quotes settings was on. Turned it off and everything looks fine now!

Thanks a ton!

Re: Displaying text after using mysql_real_escape_string

Posted: Thu Aug 06, 2009 7:45 am
by jackpf
Yeah, because the slashes were being added twice. The slashes shouldn't actually be inserted into the database.

Magic quotes runs addslashes() on all $_POST data...so yeah, slashes were being added twice - once by addslashes() and then by you with mysql_real_escape_string() :)

No problem.
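The fix jackpf describes, worked through in code as an added example (not code from the thread): undo magic quotes once if they are on, let a prepared statement handle SQL quoting so no slashes reach the database, and escape at output time so a name like J'Rikka renders intact while an injected script tag renders as harmless text. The PDO connection and the `characters` table with a `name` column are assumed for illustration.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection ($db) and a
// hypothetical table `characters` with a `name` column.

// 1. If magic_quotes_gpc is on, PHP has already run addslashes() on $_POST.
//    Undo it once, so the value we work with is the raw name the user typed.
function raw_post_value($key)
{
    if (!isset($_POST[$key])) {
        return null;
    }
    $value = $_POST[$key];
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// 2. Insert with a prepared statement. The driver quotes the value, so
//    mysql_real_escape_string() is not needed and no slashes are stored.
function save_character_name(PDO $db, $name)
{
    $stmt = $db->prepare('INSERT INTO characters (name) VALUES (:name)');
    $stmt->execute(array(':name' => $name));
}

// 3. Escape at output time for the context the value lands in (HTML here),
//    instead of altering the stored name: the apostrophe survives and any
//    tags in the name are shown as literal text rather than executed.
function display_name($name)
{
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Demonstration with a constructed POST value instead of a live form.
$_POST['charname'] = "J'Rikka <script>alert(1)</script>";
$name = raw_post_value('charname');   // exactly what the user typed, no slashes
echo display_name($name), "\n";       // safe to place inside an HTML page
```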