Adams-Blake Co. wrote:
Andy Hassall wrote:
On Mon, 14 Jul 2003 23:32:46 -0700, "Adams-Blake Co."
<at************@adams.takeme.out.-blake.com> wrote:
Because I used the "addslashes" function before I inserted the record.
Isn't that the correct way:
$CompanyName = "Joe's Place";
Insert into mytable fld1= addslashes($CompanyName)....
How else would you do it?
If you have:
Joe\'s place
... stored in the database, you've added slashes twice.
You should only add enough slashes so that the data gets to the database in
its original form.
If $CompanyName contains "Joe's Place" then doing one addslashes() as you say
is correct. This makes it "fld1='Joe\'s Place'" in the SQL, and stores
"Joe's Place".
However if it's already "Joe\'s Place" then another addslashes makes it
"fld='Joe\\\'s place'" in the SQL, and you store "Joe\'s Place" which
wasn't your original data.
Do you have one of the automatic escaping functions on, the magic_quotes*
settings? That would explain the double-escaping.
Andy, et al.
When I do add$CompanyName = "Joe's Place";
Insert into mytable fld1= addslashes($CompanyName)....
and look at the field name in phpMySQLAdmin for the record I see: Joe\'s
Place. So I assume that the slash is actually stored in the database. And
this is why when I do:
$recsql="select CompanyName from mytable";
$rs = $db->Execute($recsql);
$cname= stripslashes($rs->Fields['CompanyName']);
(I use the ADODB wrapper)
Does the database table actually carry the slash? I don't know, but I see it
in MySQLAdmin.... so I figure I have to do the stripslashes. Everything
seems to work..... except when you do the "LIKE" search in SQL and you need
2 addslash functions.
I don't know if I have magic anything turned on. I know that the above code
works fine on my local Apache as well as whatever pair.com runs.
Let me know what you think regarding the double addslashes for Joe's Place.
-Al
OK, I FOUND THE ANSWER. It was Andy who helped me see the light here... along
with some other posts in the archives. It seems that "addslashes" does what
it says, but that MySQL strips them out before it pops the field in the
database. Under normal conditions it is NOT stored as Joe\'s Place but as
Joe's Place.
HOWEVER, if for some (dumb) reason you have something called
"magic-quotes-gpc" turned ON in your php.ini file, the slashes are added for
you automatically. If you continue to do an "addslashes" you end up with
"Joe\\'s Place". MySQL strips out the first one, but leaves the second which
is why you will see the \ in the database if you go in and edit a record.
And if this is the case then you NEED to do a stripslashes when getting the
record in order to get rid of the darn \.
THE KEY, (IMO... and maybe I'm wrong) is to turn OFF this "magic quote"
thingy, and ALWAYS use the addslashes function on all strings that are going
to be inserted into SQL or if you are going to do a string search (select).
Maybe someone can explain the concept of this "magic quote" parm, but it
seems to me (and other postings that I've read) that the PHP developers made
a mistake by trying to do "too much" for the developer.... but I guess that's
another issue.
I hope someone will please come on and tell me if the above is a correct
analysis in case I'm all wrong. We don't want bad info to be on Google
without someone setting it straight because I'm sure others will have this
problem as well.
Al
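
The double escaping discussed in this thread, as an added example that is not code from any of the posters: it escapes "Joe's Place" once and twice, shows what a MySQL-style string literal decodes to in each case, and then stores and searches the same value through a bound parameter, which needs no addslashes()/stripslashes() at all. Assumptions: `mysql_literal_value()` is a hypothetical, simplified model of MySQL's default backslash handling in string literals, the second `addslashes()` call stands in for `magic_quotes_gpc` (removed in PHP 5.4), and an in-memory SQLite database via PDO (requires the `pdo_sqlite` extension) stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not code from the thread.
// mysql_literal_value() is a hypothetical helper: a simplified model of how
// MySQL (default SQL mode) decodes the body of a single-quoted string literal.
// It covers only the escapes that addslashes() produces.
function mysql_literal_value(string $body): string
{
    $out = '';
    for ($i = 0, $n = strlen($body); $i < $n; $i++) {
        if ($body[$i] === '\\' && $i + 1 < $n) {
            $i++;                                        // drop the backslash
            $out .= ($body[$i] === '0') ? "\0" : $body[$i];
        } else {
            $out .= $body[$i];
        }
    }
    return $out;
}

$original = "Joe's Place";                // constructed sample value

// One escaping layer: the SQL parser removes it and the original is stored.
$once = addslashes($original);
// Two layers: what happens when magic_quotes_gpc has already escaped the
// input and the script calls addslashes() again.
$twice = addslashes($once);

printf("escaped once : '%s' -> stored as: %s\n", $once, mysql_literal_value($once));
printf("escaped twice: '%s' -> stored as: %s\n", $twice, mysql_literal_value($twice));

// Bound parameters: the value never becomes part of the SQL text, so there
// is no escaping layer to get wrong on insert or on a LIKE search.
$db = new PDO('sqlite::memory:');         // stand-in for MySQL (assumption)
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mytable (CompanyName TEXT)');

$insert = $db->prepare('INSERT INTO mytable (CompanyName) VALUES (?)');
$insert->execute([$original]);

$find = $db->prepare('SELECT CompanyName FROM mytable WHERE CompanyName LIKE ?');
$find->execute(['%' . $original . '%']);
$stored = $find->fetchColumn();

printf("bound parameter -> stored as: %s\n", $stored);
printf("round trip intact: %s\n", $stored === $original ? 'yes' : 'no');
```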