Stripslashes

treeleaf20 · 07-07-2011, 11:09 PM

All,
I have a form that posts to my PHP page and then I have the following code to capture it:

PHP Code:


			
$last_name = mysql_real_escape_string($_POST['last_name']);

Say the last name is O'Connell it gets inserted into my database as O\'Connell.

How can I remove the slash but I know I need it for my SQL statement?

Thanks in advance.

jimhill · 07-07-2011, 11:16 PM

stripslashes(string)

treeleaf20 · 07-07-2011, 11:18 PM

However if I do that then my SQL query will fail, right?

Fou-Lu · 07-08-2011, 04:38 PM

No, stripslashes job is to remove any slashes added by magic_quotes. But you need to make sure you're only striping IF magic quotes is enabled, otherwise you pose a risk of removing slashes intended (such as when you posted the string here). You're seeing the slash either because it was inserted that way, so O'Connell has become O\\\'Connel, or you have magic_quotes_runtime enabled. You can only tell this if you check the data directly from a SQL tool, or by checking the ini setting. Fortunately that can be disabled at runtime. Both of these are now deprecated, too bad we need to account for them.

PHP Code:


			
if (function_exists('set_magic_quotes_runtime'))
{
    set_magic_quotes_runtime(0);
}
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
    $_POST['last_name'] = stripslashes($_POST['lastname']);
}

$last_name = mysql_real_escape_string($_POST['lastname']);

Fortunately, magic quotes will be gone soon. As of 5.4, register_globals are gone, so I'm happy enough with that. For now.

Edit:
Oh yeah, btw MySQLi can get around this using prepared statements instead.

treeleaf20 · 07-11-2011, 07:12 PM

Yeah, the function mysql_real_escape_string() was the one that created the escape character in front of the apostrophe but it inserts it into the database like that and I obviously want it to say O'Connell instead of O\'Connell.

Fou-Lu · 07-11-2011, 07:18 PM

Yes, you want to use the mysql_real_escape_string. You need to first execute the stripslashes in order to remove any additional ones.

treeleaf20 · 07-11-2011, 07:20 PM

I guess I would expect the mysql_real_escape_string function to escape the apostrophe but not actually insert the / into the database.

Fou-Lu · 07-11-2011, 08:21 PM

That is correct, it does not. It will however escape any escaped characters. So when you already have \', it will become \\\' so it enters \' into the database.