tags:

views:

130

answers:

3
Q: 

Function escaping quote is not working correctly [Solved]

Hi,

(Php & MySQL) I'm trying to figure out how come this function does not work correctly. It's add extra \ everytime I edit my entries.

Online server have these settings: magic_quotes_gpc On magic_quotes_runtime Off magic_quotes_sybase Off

function esc($s)
{
  if (get_magic_quotes_gpc()) {
    if (ini_get('magic_quotes_sybase'))
      $s = str_replace("''", "'", $s);
    else
      $s = stripslashes($s);
  } //if 
  return mysql_real_escape_string($s);
}

Edit note: I have completely removed this function to see what it does...and it does the same thing so I have realized that addslashes is also use in the code for the same thing.

The extra \ where there because magic_quote was ON

Thanks

+1  A: 

You probably want to stripslashes even if magic_quotes_sybase is on:

function esc($s)
{
    if (get_magic_quotes_gpc()) {
     if (ini_get('magic_quotes_sybase'))
      $s = str_replace("''", "'", $s);

     $s = stripslashes($s);
    } //if 
    return mysql_real_escape_string($s);
}

You might also want to take a look at PHP's get_magic_quotes_gpc function page, there are several user comments on the page with fairly elegant solutions for ensuring slashes are stripped.

evolve  2009-11-12 15:24:25
I have tryed your code without the else and I still get same issue.
lena  2009-11-12 16:23:48
The issue being that you get too many slashes? Are you sure extra slashes aren't be added prior to the string being sent to the function? Only one set of slashes would be removed by the stripslashes function.
evolve  2009-11-12 16:51:42
+2  A: 

Your function makes little sense. If magic quotes is on (eg. input is escaped), you unescape it. If it's not on, you escape it. So you'll get different results, depending on if you have magic quote on or not.

In any case, relying on magic quotes is a really bad practice. You should:

  1. Disable magic quotes or reverse its effect globally.
  2. Either escape strings when you construct SQL queries or (better) use prepared statements.
  3. Not unescape/strip/whatever anything when you get it back from the database.
troelskn  2009-11-12 15:47:30
is this possible to use escape string even if magic_quotes_gpc is On?
lena  2009-11-12 16:25:48
What do you mean by "use escape string"?
troelskn  2009-11-13 11:48:52
A: 

Ok I have fixed the problem

A quick solution for now I have removed function esc($s) I changed Magic_Quote to OFF in php.ini I'm keeping addslashes solution.

Thanks for all your suggestions I will consider it when I will have more time or start a new project.

Regards,

lena  2009-11-12 18:16:12

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL