I have used it. It adds the forward slashes but echoes them along with the comments. Maybe what I asked isn't exactly what I meant. I want to echo the comments as normal text. I don't want the backslashes echoed as well.
__________________ Coding is a challenge, get used to it Always remember to debug Try the guess & check method Break it down into simple steps
Issue resolved. Lol, I randomly remembered stripslashes(). Never used it before now but once I thought about my "problem", the name stripslashes just kinda made sense.
__________________ Coding is a challenge, get used to it Always remember to debug Try the guess & check method Break it down into simple steps
No no, something else is wrong. You shouldn't have to stripslashes.
I would presume you have magic_quotes_gpc enabled. This directive escapes the quotes for you, but it isn't sufficient for database insertions, nor do either magic_quotes or real_escape_string familiar with each other. You need to use stripslashes BEFORE you insert:
For example. This only needs to be done on data provided through gpc, so anything from a user.
Edit:
Aaahhh sorry I jumped to conclusions which I can't substantiate. I assumed you are executing stripslashes upon drawing the data from your query. As you can see I executed stripslashes before the insertion (which is what you should do). You don't want to execute stripslashes upon query since if I planned to insert with \\ and magic_quotes_gpc disappears (and it will, its a matter of when not if), then when you stripslash say \\computer\path, it will end up being \computer\path, which is not the intention. Stripslash before insertion, not during selection.
No no, something else is wrong. You shouldn't have to stripslashes.
I would presume you have magic_quotes_gpc enabled. This directive escapes the quotes for you, but it isn't sufficient for database insertions, nor do either magic_quotes or real_escape_string familiar with each other. You need to use stripslashes BEFORE you insert:
For example. This only needs to be done on data provided through gpc, so anything from a user.
Edit:
Aaahhh sorry I jumped to conclusions which I can't substantiate. I assumed you are executing stripslashes upon drawing the data from your query. As you can see I executed stripslashes before the insertion (which is what you should do). You don't want to execute stripslashes upon query since if I planned to insert with \\ and magic_quotes_gpc disappears (and it will, its a matter of when not if), then when you stripslash say \\computer\path, it will end up being \computer\path, which is not the intention. Stripslash before insertion, not during selection.
so, stripslashes() is meant to strip slashes before a data insertion, not after if I understand you correct.
If this is correct (and I don't doubt you are), then why does it say,"This function can be used to clean up data retrieved from a database or from an HTML form" on w3schools.com?
Quote:
You don't want to execute stripslashes upon query since if I planned to insert with \\ and magic_quotes_gpc disappears (and it will, its a matter of when not if), then when you stripslash say \\computer\path, it will end up being \computer\path, which is not the intention.
This is for a comment box. Users will not be posting anything that has to do with links (and by links I assume \\computer\path could be used as one, if not then not sure of a word for this), including myself as I assume it could be a security flaw
__________________ Coding is a challenge, get used to it Always remember to debug Try the guess & check method Break it down into simple steps
Stripslashes was designed for just this. It doesn't matter whether its used before or after when it comes to function usage.
W3schools hasn't a clue what they are doing if they suggest you stripslash retrieved data. They are not thinking ahead to the obvious issue with code that no longer has magic_quotes_gpc enabled. Stripslashes shouldn't be done if the intent isn't to strip the slashes, and with gpc disappearing very soon, querying from the database will result in unintended stripslashes.
This is just a comment box too don't forget. If the comments are for something like programming, you'll see a lot of things that shouldn't be stripslashed such as "Why does this name show as O\'Neil?".
You shouldn't need to escape quotes in data being passed into a database at all - you just need to use PDO or mysqli prepare and bind statements that keep the data separate from the query so that you don't need to escape the data to avoid it being confused with the SQL in the query.
You shouldn't need to escape quotes in data being passed into a database at all - you just need to use PDO or mysqli prepare and bind statements that keep the data separate from the query so that you don't need to escape the data to avoid it being confused with the SQL in the query.
Correct, and this is my recommendation if you have the option available to you. Unfortunately, PDO and MySQLi are both newer PHP technologies as well as requiring certain version's of the DB's in use.
Stipslashes will still have to happen until they get rid of GPC if its enabled. And to expand just slightly, its not that you shouldn't need to escape, its that you cannot escape as they will carry as a part of the data (which would result in the identical behaviour the OP is having right now).
This is just a comment box too don't forget. If the comments are for something like programming, you'll see a lot of things that shouldn't be stripslashed such as "Why does this name show as O\'Neil?".
The comment box is for a review type website, where users will comment on reviews, news, etc so nothing like programming.
Here's the code I have. What specifically do I need to replace stripslashes with?
if ($_POST['submitted'] == 1)
{
if ($username == "")
{
echo "Name is a required field";
exit();
}
if ($comment == "")
{
echo "Comment is a required field";
exit();
}
C And to expand just slightly, its not that you shouldn't need to escape, its that you cannot escape as they will carry as a part of the data
The purpose in escaping data when you output it is to avoid having it confused as part of something else - in this case SQL.
With the SQL in the prepare statement and the data in the bind statement there is no possibility of the one being confused for the other and so no need to escape. It is not necessary and therefore there are no escape characters.
The purpose in escaping data when you output it is to avoid having it confused as part of something else - in this case SQL.
With the SQL in the prepare statement and the data in the bind statement there is no possibility of the one being confused for the other and so no need to escape. It is not necessary and therefore there are no escape characters.
You misunderstand. I was simply expanding on the wording you used; shouldn't isn't correct, it should be cannot (as in you can do it, but don't). Bound values that have been escaped will record as escaped, which will just repeat the vicious cycle as it is not needed to perform any type of escape. If you bind, do not escape (which is what I'm quite sure you were implying, but the wording was open for ambiguity).
Quote:
Originally Posted by elitis
Ok, so if I wanted to use Mysqli or PDO which version would I need? I currently have Mysql 5.0.90 and PHP 5.2.13.
Edit:Nevermind...
That version is sufficient so long as either PDO or MySQLi has been enabled. You can check the status of both in phpinfo(), or by using something like class_exists.
You misunderstand. I was simply expanding on the wording you used; shouldn't isn't correct, it should be cannot (as in you can do it, but don't). Bound values that have been escaped will record as escaped, which will just repeat the vicious cycle as it is not needed to perform any type of escape. If you bind, do not escape (which is what I'm quite sure you were implying, but the wording was open for ambiguity).
That version is sufficient so long as either PDO or MySQLi has been enabled. You can check the status of both in phpinfo(), or by using something like class_exists.
Both PDO and MySQLi have been enabled.
__________________ Coding is a challenge, get used to it Always remember to debug Try the guess & check method Break it down into simple steps
if ($_POST['submitted'] == 1)
{
if ($username == "")
{
echo "Name is a required field";
exit();
}
if ($comment == "")
{
echo "Comment is a required field";
exit();
}
Before you post, read our: 
