
addslashes, mysql_real_escape_string or magic_quotes_gpc?

Hi
I have a webform with many free text fields and have a problem with
apostrophes and single quotes as this breaks the mysql query string.

I obviously need to escape these characters - magic_quotes_gpc sounds
ideal but is not an option as I don't have access to the php.ini file
and it is currently set to 0.

I could use either addslashes or mysql_real_escape_string but do I
have to apply this to every field individually or is there a way to do
it to all in one go?
Any advice on the most suitable method and how to do it in one go
would be greatly appreciated.

Many thanks
Redge
P.S please reply to this group rather than by email - thanks

Oct 16 '07 #1
6 Replies


On Tue, 16 Oct 2007 18:32:12 +0200, <re****@hotmail.com> wrote:
> Hi
> I have a webform with many free text fields and have a problem with
> apostrophes and single quotes as this breaks the mysql query string.
>
> I obviously need to escape these characters - magic_quotes_gpc sounds
> ideal but is not an option as I don't have access to the php.ini file
> and it is currently set to 0.
>
> I could use either addslashes or mysql_real_escape_string but do I
> have to apply this to every field individually or is there a way to do
> it to all in one go?
> Any advice on the most suitable method and how to do it in one go
> would be greatly appreciated.

http://www.php.net/array_map is your friend.
--
Rik Wasmus
Oct 16 '07 #2

"Rik Wasmus" <lu************@hotmail.com> wrote in
news:op***************@metallium.lan:
> On Tue, 16 Oct 2007 18:32:12 +0200, <re****@hotmail.com> wrote:
>> Hi
>> I have a webform with many free text fields and have a problem with
>> apostrophes and single quotes as this breaks the mysql query string.
>>
>> I obviously need to escape these characters - magic_quotes_gpc sounds
>> ideal but is not an option as I don't have access to the php.ini file
>> and it is currently set to 0.
>>
>> I could use either addslashes or mysql_real_escape_string but do I
>> have to apply this to every field individually or is there a way to do
>> it to all in one go?
>> Any advice on the most suitable method and how to do it in one go
>> would be greatly appreciated.
>
> http://www.php.net/array_map is your friend.

just make sure not to apply it to form variables which are arrays!
Oct 16 '07 #3

re****@hotmail.com wrote:
> Hi
> I have a webform with many free text fields and have a problem with
> apostrophes and single quotes as this breaks the mysql query string.
>
> I obviously need to escape these characters - magic_quotes_gpc sounds
> ideal but is not an option as I don't have access to the php.ini file
> and it is currently set to 0.
>
> I could use either addslashes or mysql_real_escape_string but do I
> have to apply this to every field individually or is there a way to do
> it to all in one go?
> Any advice on the most suitable method and how to do it in one go
> would be greatly appreciated.
>
> Many thanks
> Redge
> P.S please reply to this group rather than by email - thanks

mysql_real_escape_string() - that's what it's made for.

And yes, you need to apply it to each field separately.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Oct 16 '07 #4

In our last episode,
<11**********************@v29g2000prd.googlegroups.com>, the lovely and
talented re****@hotmail.com broadcast on comp.lang.php:
> I could use either addslashes or mysql_real_escape_string but do I have
> to apply this to every field individually or is there a way to do it to
> all in one go? Any advice on the most suitable method and how to do it in
> one go would be greatly appreciated.

See the "best practice" example in the mysql_real_escape_string page of the
manual. Basically, you want to turn off magic quotes if you can, or test
for magic quotes and undo them if they are on in case you cannot turn them
off. You want to use mysql_real_escape_string, but only on stuff that is
going into a query and you want to use it as close to where you put the
query together as you can (mysql_real_escape_string will not work, or will
not work right unless you have established the db connection that you want
to use -- and if the link you want to use is not the one you most recently
established, you must specify the one you want to use).

--
Lars Eighner <http://larseighner.com/> <http://myspace.com/larseighner>
Countdown: 461 days to go.
What do you do when you're debranded?
Oct 16 '07 #5


Many thanks to you all for a useful and speedy response! Best Redge

Oct 16 '07 #6

On Tue, 16 Oct 2007 19:01:47 +0200, Good Man <he***@letsgo.com> wrote:
> "Rik Wasmus" <lu************@hotmail.com> wrote in
> news:op***************@metallium.lan:
>> On Tue, 16 Oct 2007 18:32:12 +0200, <re****@hotmail.com> wrote:
>>> Hi
>>> I have a webform with many free text fields and have a problem with
>>> apostrophes and single quotes as this breaks the mysql query string.
>>>
>>> I obviously need to escape these characters - magic_quotes_gpc sounds
>>> ideal but is not an option as I don't have access to the php.ini file
>>> and it is currently set to 0.
>>>
>>> I could use either addslashes or mysql_real_escape_string but do I
>>> have to apply this to every field individually or is there a way to do
>>> it to all in one go?
>>> Any advice on the most suitable method and how to do it in one go
>>> would be greatly appreciated.
>>
>> http://www.php.net/array_map is your friend.
>
> just make sure not to apply it to form variables which are arrays!

Indeed, Good Practise would be to leave those arrays always 'as is' and
intact (hence magic_quotes are evil), and just copy the data you need from
it.
--
Rik Wasmus
Oct 17 '07 #7
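
As an added illustration (not code from any poster in this thread): the advice above, to handle values where the query is built and to copy only the fields you need out of the request array, shown with PDO bound parameters rather than mysql_real_escape_string, since the mysql_* extension was removed in PHP 7.0. The feedback table, the field names and the pick_strings helper are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example; table, field names and pick_strings() are hypothetical.
// SQLite in memory stands in for MySQL; with MySQL only the DSN changes,
// e.g. new PDO('mysql:host=...;dbname=...', $user, $pass).

// Constructed sample of what $_POST might hold: apostrophes, a backslash,
// and one field that arrives as an array (name="tags[]").
$post = [
    'name'    => "O'Reilly",
    'comment' => "It's in C:\\temp, isn't it?",
    'tags'    => ["php", "my'sql"],
];

// Copy only the scalar fields the query needs; the request array stays intact.
function pick_strings(array $input, array $fields): array
{
    $out = [];
    foreach ($fields as $f) {
        $v = $input[$f] ?? '';
        if (!is_string($v)) {
            throw new InvalidArgumentException("Field '$f' must be a single string");
        }
        $out[$f] = $v;
    }
    return $out;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE feedback (name TEXT, comment TEXT)');

// Values are bound where the query is built, so no field is escaped by hand.
$row  = pick_strings($post, ['name', 'comment']);
$stmt = $db->prepare('INSERT INTO feedback (name, comment) VALUES (:name, :comment)');
$stmt->execute([':name' => $row['name'], ':comment' => $row['comment']]);

// Compare what was stored with what was submitted (no added backslashes).
$saved = $db->query('SELECT name, comment FROM feedback')->fetch(PDO::FETCH_ASSOC);
var_dump($saved === $row);

// An array field is rejected instead of being passed to a string function.
try {
    pick_strings($post, ['tags']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```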
