
Thread: Stripslashes

  1. #1
    Regular Coder
    Join Date
    Oct 2009
    Posts
    438
    Thanks
    9
    Thanked 7 Times in 7 Posts

    Stripslashes

    All,
    I have a form that posts to my PHP page and then I have the following code to capture it:

    PHP Code:
    $last_name = mysql_real_escape_string($_POST['last_name']);
    Say the last name is O'Connell it gets inserted into my database as O\'Connell.

    How can I remove the slash but I know I need it for my SQL statement?

    Thanks in advance.

  • #2
    Regular Coder
    Join Date
    Jul 2010
    Posts
    271
    Thanks
    3
    Thanked 40 Times in 40 Posts
    stripslashes(string)
    If you can't stand behind your troops, feel free to stand in front of them
    Semper Fidelis

  • #3
    Regular Coder
    Join Date
    Oct 2009
    Posts
    438
    Thanks
    9
    Thanked 7 Times in 7 Posts
    However if I do that then my SQL query will fail, right?

  • #4
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    No, stripslashes' job is to remove any slashes added by magic_quotes. But you need to make sure you're only stripping IF magic quotes is enabled, otherwise you pose a risk of removing slashes intended (such as when you posted the string here). You're seeing the slash either because it was inserted that way, so O'Connell has become O\\\'Connell, or you have magic_quotes_runtime enabled. You can only tell this if you check the data directly from a SQL tool, or by checking the ini setting. Fortunately that can be disabled at runtime. Both of these are now deprecated, too bad we need to account for them.
    PHP Code:
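    // Turn off magic_quotes_runtime where the function still exists.
    if (function_exists('set_magic_quotes_runtime'))
    {
        set_magic_quotes_runtime(0);
    }
    // Strip slashes only when magic_quotes_gpc actually added them.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
    {
        $_POST['last_name'] = stripslashes($_POST['last_name']);
    }

    // Escape once, for the SQL statement only.
    $last_name = mysql_real_escape_string($_POST['last_name']);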
    Fortunately, magic quotes will be gone soon. As of 5.4, register_globals are gone, so I'm happy enough with that. For now.

    Edit:
    Oh yeah, btw MySQLi can get around this using prepared statements instead.

  • #5
    Regular Coder
    Join Date
    Oct 2009
    Posts
    438
    Thanks
    9
    Thanked 7 Times in 7 Posts
    Yeah, the function mysql_real_escape_string() was the one that created the escape character in front of the apostrophe but it inserts it into the database like that and I obviously want it to say O'Connell instead of O\'Connell.

  • #6
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    Yes, you want to use the mysql_real_escape_string. You need to first execute the stripslashes in order to remove any additional ones.

  • #7
    Regular Coder
    Join Date
    Oct 2009
    Posts
    438
    Thanks
    9
    Thanked 7 Times in 7 Posts
    I guess I would expect the mysql_real_escape_string function to escape the apostrophe but not actually insert the / into the database.

  • #8
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    That is correct, it does not. It will however escape any escaped characters. So when you already have \', it will become \\\' so it enters \' into the database.
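
Added example, not part of any post in this thread: the prepared-statement route mentioned in post #4, combined with the conditional stripslashes guard, showing which layer puts the backslash into the table. It assumes PDO with an in-memory SQLite database in place of the thread's MySQL/MySQLi setup so that it runs offline; the table `people`, the helpers `normalize_input` and `store_and_fetch`, and the `$simulateMagicQuotes` flag are hypothetical names made up for the illustration.

```php
<?php
// Added example: PDO + in-memory SQLite stands in for the thread's MySQL
// database (assumption); table and function names are hypothetical.

// Undo magic_quotes_gpc only when it is actually on (same guard as post #4).
// $simulateMagicQuotes lets the demo behave as if the setting were enabled.
function normalize_input(string $value, bool $simulateMagicQuotes = false): string
{
    $magicQuotesOn = $simulateMagicQuotes
        || (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc());
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Store a value through a bound parameter, then read back what was stored.
function store_and_fetch(PDO $db, string $lastName): string
{
    $insert = $db->prepare('INSERT INTO people (last_name) VALUES (:last_name)');
    $insert->execute([':last_name' => $lastName]);

    $select = $db->prepare('SELECT last_name FROM people WHERE id = :id');
    $select->execute([':id' => $db->lastInsertId()]);
    return (string) $select->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, last_name TEXT)');

// Constructed inputs: what the form sends, and what magic_quotes_gpc would
// have turned it into before the script ever saw it.
$clean  = "O'Connell";
$quoted = addslashes($clean);

// 1. Clean input through a bound parameter: no escaping call is needed and
//    the apostrophe cannot break the statement.
var_dump(store_and_fetch($db, $clean));

// 2. Pre-slashed input stored as received: the stray backslash is data by
//    now, so it lands in the table.
var_dump(store_and_fetch($db, $quoted));

// 3. Pre-slashed input normalized first, then bound.
var_dump(store_and_fetch($db, normalize_input($quoted, true)));

// 4. With magic quotes off, a genuine backslash is left alone rather than
//    stripped blindly.
var_dump(store_and_fetch($db, normalize_input('C:\\temp')));
```

Only case 2 reads back with a backslash before the apostrophe, which places the problem in the input layer rather than in the step that makes the value safe for the SQL statement.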

