Mysql_real_escape_string...is there an auto setting else where?

Question

Hey ya all

Got an odd situation here. On my local mysql database (v5.1.41), I am required to use this escape command if I am to handle users' quotation syntaxs without any problems. However I cannot use this command on my web server's mysql database (v5.0.91-community). If this command is used on the web server (apache v2.2.13), an extra slash syntax is added to the user's quotation syntax, thus if I remove the mysql_real_escape_string command, inputs with quotation marks will have no problems being inserted into the database.

So I was wondering, apart from php, is there a setting within apache (v2.2.13) or within mysql itself that can automatically deal with quotation syntax such as PHP's mysql_real_escape_string command?

Thank you in advance

Answer 1

This is probably due to Magic Quotes. Disable or remove them, they are a well-meant but also annoying feature.

Answer 2

It means the php setting magic_quotes_gpc is enabled on the server. It's deprecated, and there's a way to work around it - by removing the slashes at the beginning of your code:

<?php
if (get_magic_quotes_gpc()) {
    function magicQuotes_awStripslashes(&$value, $key) {$value = stripslashes($value);}
    $gpc = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    array_walk_recursive($gpc, 'magicQuotes_awStripslashes');
}

Answer 3

I'd recommand you to use filter_input to get your user data as it does not care about magic_quotes, and parameterized queries to do your database job (see mysqli or PDO).