x10Hosting Member
Hi im creating a comment page for my website using php. i've been using mysql_real_escape_string. i know this isnt enough to prevent mysql injection but is there a way i could go about doing this cause words like member's gets escaped with a backslash when i show the comment.
thanks.
*update
i've found the answer. using stripslash(). thanks.
Last edited by tillabong; 02-20-2010 at 03:37 AM. Reason: solved
Community Advocate
Alternatively, switch to PDO and use prepared statements. Prepared statement parameters aren't vulnerable to SQL injection; no need to escape or unescape quotes. Of course, you'll still need to handle HTML injection with (e.g.) htmlspecialchars or some sort of whitelist filter.
Be sure to read all pages linked in this post; they have further information that should prove useful. When asking for help, make sure you follow Eric Raymond's and Jon Skeet's guidelines for prompt, accurate responses. Please answer any questions I ask; they're not rhetorical (probably). Any posted code is intended as illustrative example, rather than a solution to your problem to be copied without alteration. Study it to learn how to write your own solution.Misson, not Mission.
x10 Elder
I think your problem lies elsewhere, with magic quotes (which is now to be deprecated). When this setting is enabled, any input automatically gets escaped, so each " ' \ and NUL characters get escaped with a backslash. Say you enter the string
With magic quotes on, you get this in your script:Code:ab'c
Then you use mysql_real_escape_string and you get:Code:ab\'c
Therefore, you should use stripslashes() on the string first, after which you can escape it again, mysql-style.Code:ab\\\'c
Last edited by marshian; 02-20-2010 at 07:06 AM.
Real programmers don't document their code - if it was hard to write, it should be hard to understand.
x10 Minion
Magic quotes are one of the more frustrating things in PHP. The best way to undo it is using this script:
It will check if magic quotes is turned on, then if it is it will undo magic quotes on all your $_GET, $_POST variables without you having to modify your code.PHP Code:if (get_magic_quotes_gpc()) {
$process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
while (list($key, $val) = each($process)) {
foreach ($val as $k => $v) {
unset($process[$key][$k]);
if (is_array($v)) {
$process[$key][stripslashes($k)] = $v;
$process[] = &$process[$key][stripslashes($k)];
} else {
$process[$key][stripslashes($k)] = stripslashes($v);
}
}
}
unset($process);
}
x10 Elder
Actually only until you find out what's wrong, but they're a major pain when you don't know they exist, but you just get strange results ):Originally Posted by lemon-tree
Good thing they're now about to be deprecated, I just hope they don't come up with any new great additions... register_globals and magic_quotes_gpc were just major failures...
I usually use this to undo magic quotes on a given variable, since it's usually not required for most values. (eg. an id can only ever be numeric, magic quotes can't interfere with that)
For a script where you only need to strip the slashes of a few variables this method takes less cpu time, but your method is easier, you just add it to your header and you can basically forget about it.Code:$var = get_magic_quotes_gpc() ? stripslashes($var) : $var;
Real programmers don't document their code - if it was hard to write, it should be hard to understand.
x10Hosting Member
Ok thank you so much for your replies. =)
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote