View Full Version : Submitting with " <-- quotes

11-03-2007, 12:58 AM
Hello Everyone,

I have a password field in my form. If you enter in any " or ' the data contains \" and \'. So my password will change from a'b"c to a\'b\"c. That's great except it's not the right password. I tried to remove the slashes with strpos() and substr(). Forcing characters back in...

Is there an easier way to do this? (Considering my atempt at parsing the password didn't work anyway)


11-03-2007, 01:36 AM
you need to parse your password before storing it into mysql database, and then have a way to check weather input password is same as password you get for the selected username.
it really doesn't matter weather it has \ for special characters.

11-03-2007, 05:15 AM
Use sha1() (http://php.net/sha1) or similar to store the password as a hash in the database, and then check it against a hash of the form's password field when they login. Also, if your host has magic_quotes on you can use stripslashes() (http://php.net/stripslashes) to remove them before trying to use the password(s).

11-03-2007, 04:44 PM
I use this function when escaping data

function escape_data ($data)
global $dbc; // need the connection.
$data = stripslashes($data);
return mysql_real_escape_string($data, $dbc);
Where $dbc is the mysql_connect statement.